summaryrefslogtreecommitdiff
path: root/source4/auth/auth_sam.c
AgeCommit message (Collapse)AuthorFilesLines
2008-02-28Generate ACB_PW_EXPIRED correctlyAndrew Bartlett1-1/+3
More correctly handle expired passwords, and do not expire machine accounts. Test that the behaviour is consistant with windows, using the RPC-SAMR test. Change NETLOGON to directly query the userAccountControl, just because we don't want to do the extra expiry processing here. Andrew Bartlett (This used to be commit acda1f69bc9b9c43e157e254d0bae54d11363661)
2008-02-20Make all auth module init functions public, since they are compiled with ↵Jelmer Vernooij1-1/+1
-fvisibility=hidden. Not doing this causes failures on Mac OS X. (This used to be commit 675bab738085cb5a9f17c1f159fbd97c4daafed2)
2007-12-21r26319: Split encoding functions out of libcli_ldap.Jelmer Vernooij1-1/+1
(This used to be commit 95a6ef7fc8757ccfd90dbf0d6c9b5098f10b10b6)
2007-12-21r26252: Specify loadparm_context explicitly when creating sessions.Jelmer Vernooij1-2/+3
(This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede)
2007-12-21r26228: Store loadparm context in auth context, move more loadparm_contexts ↵Jelmer Vernooij1-9/+12
up the call stack. (This used to be commit ba75f1613a9aac69dd5df94dd8a2b37820acd166)
2007-12-21r26227: Make loadparm_context part of a server task, move loadparm_contexts ↵Jelmer Vernooij1-2/+2
further up the call stack. (This used to be commit 0721a07aada6a1fae6dcbd610b8783df57d7bbad)
2007-12-21r26016: remove unneeded includeStefan Metzmacher1-1/+0
metze (This used to be commit 330b8dce85ebc6c7acf101638a66547962b22794)
2007-12-21r26003: Split up DB_WRAP, as first step in an attempt to sanitize dependencies.Jelmer Vernooij1-1/+2
(This used to be commit 56dfcb4f2f8e74c9d8b2fe3a0df043781188a555)
2007-10-10r25446: Merge some changes I made on the way home from SFO:Jelmer Vernooij1-3/+5
2007-09-29 More higher-level passing around of lp_ctx. 2007-09-29 Fix warning. 2007-09-29 Pass loadparm contexts on a higher level. 2007-09-29 Avoid using global loadparm context. (This used to be commit 3468952e771ab31f90b6c374ade01c5550810f42)
2007-10-10r25398: Parse loadparm context to all lp_*() functions.Jelmer Vernooij1-6/+6
(This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
2007-10-10r25026: Move param/param.h out of includes.hJelmer Vernooij1-0/+1
(This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
2007-10-10r23792: convert Samba4 to GPLv3Andrew Tridgell1-3/+2
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10r22627: fix crash msgs_tmp isn't always initializedStefan Metzmacher1-1/+1
and we don't need an extra allocated string anyway metze (This used to be commit 44c27b2fe6f130332d9f7c6bdd901eb025aa3eff)
2007-10-10r22621: fix the 'sam' auth moduleStefan Metzmacher1-33/+18
metze (This used to be commit 255acbb1132891e0316a38f1d4721863bb7a7226)
2007-10-10r20352: Use the common function to find the DN for a domain.Andrew Bartlett1-6/+3
Andrew Bartlett (This used to be commit 929fd1beee5cab647702a9b8d8d5e4c2aab23d11)
2007-10-10r20149: Remove the smb.conf distinction between PDC and BDC. Now the correctAndrew Bartlett1-4/+2
way to setup a Samba4 DC is to set 'server role = domain controller'. We use the fSMORoleOwner attribute in the base DN to determine the PDC. This patch is quite large, as I have corrected a number of places that assumed taht we are always the PDC, or that used the smb.conf lp_server_role() to determine that. Also included is a warning fix in the SAMR code, where the IDL has seperated a couple of types for group display enumeration. We also now use the ldb database to determine if we should run the global catalog service. In the near future, I will complete the DRSUAPI DsGetDomainControllerInfo server-side on the same basis. Andrew Bartlett (This used to be commit 67d8365e831adf3eaecd8b34dcc481fc82565893)
2007-10-10r20010: cosmetic fixStefan Metzmacher1-1/+1
metze (This used to be commit 9c992a39db32cbe35f0ecb8fe98223bb24a1e973)
2007-10-10r19832: better prototypes for the linearization functions:Simo Sorce1-4/+4
- ldb_dn_get_linearized returns a const string - ldb_dn_alloc_linearized allocs astring with the linearized dn (This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
2007-10-10r19831: Big ldb_dn optimization and interfaces enhancement patchSimo Sorce1-3/+3
This patch changes a lot of the code in ldb_dn.c, and also removes and add a number of manipulation functions around. The aim is to avoid validating a dn if not necessary as the validation code is necessarily slow. This is mainly to speed up internal operations where input is not user generated and so we can assume the DNs need no validation. The code is designed to keep the data as a string if possible. The code is not yet 100% perfect, but pass all the tests so far. A memleak is certainly present, I'll work on that next. Simo. (This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
2007-10-10r19598: Ahead of a merge to current lorikeet-heimdal:Andrew Bartlett1-0/+2
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10r17824: add a wrapper for the common partitions_basedn calculationAndrew Tridgell1-1/+1
(This used to be commit 09007b0907662a0d147e8eb21d5bdfc90dbffefc)
2007-10-10r17823: get rid of most of the samdb_base_dn() calls, as they are no longerAndrew Tridgell1-3/+1
needed in searches (This used to be commit a5ea749f0ac63bf495a55ee8d9d002208ab93572)
2007-10-10r17270: split the logic of saying this auth backend wants to handle thisStefan Metzmacher1-14/+54
request from the password checking. This will help to make the password checking hook async later metze (This used to be commit 5b26cbc3428b4c186235cc08c9ace1c23f59dd7f)
2007-10-10r16238: Use a baseDN for the auth_sam searches, to allow continued functionAndrew Bartlett1-5/+8
with partitions. Also fix some debug messages. Andrew Bartlett (This used to be commit a2441ae99a6c3b4bf40f5369477a9bc0f3019c34)
2007-10-10r15328: Move some functions around, remove dependencies.Jelmer Vernooij1-1/+0
Remove some autogenerated headers (which had prototypes now autogenerated by pidl) Remove ndr_security.h from a few places - it's no longer necessary (This used to be commit c19c2b51d3e1ad347120b06a22bda5ec586c22e8)
2007-10-10r15298: Fix the build using a few hacks in the build system.Jelmer Vernooij1-441/+83
Recursive dependencies are now forbidden (the build system will bail out if there are any). I've split up auth_sam.c into auth_sam.c and sam.c. Andrew, please rename sam.c / move its contents to whatever/wherever you think suits best. (This used to be commit 6646384aaf3e7fa2aa798c3e564b94b0617ec4d0)
2007-10-10r15297: Move create_security_token() to samdb as it requires SAMDB (and the ↵Jelmer Vernooij1-1/+1
rest of LIBSECURITY doesn't) Make the ldb password_hash module only depend on some keys manipulation code, not full heimdal Some other dependency fixes (This used to be commit 5b3ab728edfc9cdd9eee16ad0fe6dfd4b5ced630)
2007-10-10r14975: use the magic comment recognised by the IBM checker for deliberateAndrew Tridgell1-1/+1
fall through in switch (This used to be commit babf747cfdd7b5b03e89ade151e6fece4cf23dce)
2007-10-10r14860: create libcli/security/security.hStefan Metzmacher1-1/+1
metze (This used to be commit 9ec706238c173992dc938d537bdf1103bf519dbf)
2007-10-10r14571: More improvements on shared library support in Samba. Only ldb is ↵Jelmer Vernooij1-1/+1
left now... (This used to be commit e71cca7f0cec62357eba6ba02d13f1c3f04edaa7)
2007-10-10r14464: Don't include ndr_BASENAME.h files unless strictly required, insteadJelmer Vernooij1-0/+1
try to include just the BASENAME.h files (containing only structs) (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd)
2007-10-10r14380: Reduce the size of structs.hJelmer Vernooij1-1/+1
(This used to be commit 1a16a6f1dfa66499af43a6b88b3ea69a6a75f1fe)
2007-10-10r13924: Split more prototypes out of include/proto.h + initial work on headerJelmer Vernooij1-0/+2
file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
2007-10-10r13910: Fix the 'your password has expired' on every login. We now considerAndrew Bartlett1-13/+16
if the 'password does not expire' flag has been set, filling in the PAC and netlogon reply correctly if so. Andrew Bartlett (This used to be commit c530ab5dc6865c422382bc0afa7a86f7ec1acdf2)
2007-10-10r13252: Cleanup, both in code, comments and talloc use:Andrew Bartlett1-10/+27
In particular, I've used the --leak-report-full option to smbd to track down memory that shouldn't be on a long-term context. This is now talloc_free()ed much earlier. Andrew Bartlett (This used to be commit c6eb74f42989d62c82d2a219251837b09df8491c)
2007-10-10r13247: Try to make better use of talloc in the auth/ and auth/gensec code.Andrew Bartlett1-5/+5
We don't want temporary memory hanging around on the long-term contexts. Andrew Bartlett (This used to be commit 85b3f6ebddfb655fdd08d1799752e562a6ff9cb1)
2007-10-10r12718: We don't use unicodePwd directly any more.Andrew Bartlett1-1/+0
Andrew Bartlett (This used to be commit c10491fb9be1eb8a13f03ed16fd3ed799315287e)
2007-10-10r12608: Remove some unused #include lines.Jelmer Vernooij1-2/+0
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
2007-10-10r12599: This new LDB module (and associated changes) allows Samba4 to operateAndrew Bartlett1-0/+1
using pre-calculated passwords for all kerberos key types. (Previously we could only use these for the NT# type). The module handles all of the hash/string2key tasks for all parts of Samba, which was previously in the rpc_server/samr/samr_password.c code. We also update the msDS-KeyVersionNumber, and the password history. This new module can be called at provision time, which ensures we start with a database that is consistent in this respect. By ensuring that the krb5key attribute is the only one we need to retrieve, this also simplifies the run-time KDC logic. (Each value of the multi-valued attribute is encoded as a 'Key' in ASN.1, using the definition from Heimdal's HDB. This simplfies the KDC code.). It is hoped that this will speed up the KDC enough that it can again operate under valgrind. (This used to be commit e9022743210b59f19f370d772e532e0f08bfebd9)
2007-10-10r12542: Move some more prototypes out to seperate headersJelmer Vernooij1-0/+2
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2007-10-10r12363: minor fixes for win2000 join/loginAndrew Tridgell1-1/+2
- the objectClass needs to be added to the list of attributes to make the check for objectClass=computer work - the short version of the name needs to be used for the 'cn' in cracknames (This used to be commit 53f0fb77c3c1bd15620f1dbb12e0d8f9fededf4b)
2007-10-10r12361: Add a new function: ldb_binary_encode_string()Andrew Bartlett1-2/+3
This is for use on user-supplied arguments to printf style format strings which will become ldb filters. I have used it on LSA, SAMR and the auth/ code so far. Also add comments to cracknames code. Andrew Bartlett (This used to be commit 8308cf6e0472790c1c9d521d19322557907f4418)
2007-10-10r11929: Add static, comments.Andrew Bartlett1-3/+3
Andrew Bartlett (This used to be commit 41f09ef9342d0c9f09475a189d2bbdb50e611528)
2007-10-10r11543: A major upgrade to our KDC and PAC handling.Andrew Bartlett1-35/+35
We now put the PAC in the AS-REP, so that the client has it in the TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the client wants a ticket. This should also allow us to interop with windows KDCs. If we get an invalid PAC at the TGS stage, we just drop it. I'm slowly trying to move the application logic out of hdb-ldb.c, and back in with the rest of Samba's auth system, for consistancy. This continues that trend. Andrew Bartlett (This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
2007-10-10r11537: Make the authsam_account_ok routine callable by external users (the ↵Andrew Bartlett1-19/+21
KDC). Andrew Bartlett (This used to be commit 1643ad169cff56f20ba03644dec12124139ac44a)
2007-10-10r11525: Move lookups (including the attribute search) for users fromAndrew Bartlett1-69/+105
kdc/hdb-ldb.c to share the routines used for auth/ This will require keeping the attribute list in sync, but I think it is worth it for the next steps (sharing the server_info generation). Andrew Bartlett (This used to be commit da38bcefa752a508abd28e8ff6277b493d24c2dd)
2007-10-10r11520: indentAndrew Bartlett1-1/+1
(This used to be commit ce611eb5f31bc63fc23700e7a2c47e68b8f826aa)
2007-10-10r11370: Samba4 now passes it's own RPC-SAMLOGON test again.Andrew Bartlett1-0/+7
This avoids the nasty user@DOMAIN test for now, as it has very odd semantics with NTLMv2. Allow only user accounts to do an interactive login. Andrew Bartlett (This used to be commit 690cad8083e176b2e58fc243a11a003a78ce4074)
2007-10-10r11366: Pass around the flags which indicate if we should support plaintextAndrew Bartlett1-11/+18
logins and NTLM machine account logins. Andrew Bartlett (This used to be commit 421e64c2b4192bb13d2857d6c8648ff687ed653e)
2007-10-10r11312: Make it clear we are looking at the 'domain ref', not the domainAndrew Bartlett1-18/+18
itself in the auth_sam module. Andrew Bartlett (This used to be commit 0800942dbb1511586a896c6376c436a4552c54be)