summaryrefslogtreecommitdiff
path: root/source4/auth/auth_util.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r23792: convert Samba4 to GPLv3Andrew Tridgell1-3/+2
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10r23132: Resolve an issue where we would use the ccache after we free()ed it.Andrew Bartlett1-4/+30
The problem was, we would set the ccache, then invalidate it as we set details from it (like the principal name from the ccache). Instead, set the ccache onto the credentials structure after we are done processing it. Andrew Bartlett (This used to be commit d285bd927c604d930fc44cc84ef3321aa4ce9d9a)
2007-10-10r22385: remove unused includeStefan Metzmacher1-1/+0
metze (This used to be commit c8a210bc6fa2529944bb1303ba06fe0734bdd23e)
2007-10-10r19676: Fix some more dependencies.Jelmer Vernooij1-1/+1
(This used to be commit 8768bec81f57131a0c9754e8121b345c0be4a5d0)
2007-10-10r19598: Ahead of a merge to current lorikeet-heimdal:Andrew Bartlett1-0/+2
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10r17871: Add an option to make the system account behave as anonymous on theAndrew Bartlett1-1/+6
network. This helps where we are trying to talk to an LDAP server, until we share a common SASL authentication scheme. Andrew Bartlett (This used to be commit f9d39dba41441cd5d06964ce0aebef9bcba40759)
2007-10-10r15297: Move create_security_token() to samdb as it requires SAMDB (and the ↵Jelmer Vernooij1-0/+1
rest of LIBSECURITY doesn't) Make the ldb password_hash module only depend on some keys manipulation code, not full heimdal Some other dependency fixes (This used to be commit 5b3ab728edfc9cdd9eee16ad0fe6dfd4b5ced630)
2007-10-10r14860: create libcli/security/security.hStefan Metzmacher1-1/+1
metze (This used to be commit 9ec706238c173992dc938d537bdf1103bf519dbf)
2007-10-10r14589: This morning, I think I can spell...Andrew Bartlett1-3/+3
Andrew Bartlett (This used to be commit fd496d5baf392c8f57fb4192be54aa12639d08d0)
2007-10-10r14494: Add comments to clarify that we deliberatly fall though hereAndrew Bartlett1-1/+4
Andrew Bartlett (This used to be commit ead4087ac878d2317e5331fc9e12503994195a73)
2007-10-10r14380: Reduce the size of structs.hJelmer Vernooij1-1/+1
(This used to be commit 1a16a6f1dfa66499af43a6b88b3ea69a6a75f1fe)
2007-10-10r13924: Split more prototypes out of include/proto.h + initial work on headerJelmer Vernooij1-0/+2
file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
2007-10-10r13851: More doc improvements.Jelmer Vernooij1-1/+1
(This used to be commit 936d26ae64b93ef8f8b2fbc632b1c2fd60840405)
2007-10-10r12816: Ugly hacks to the auth_unix code to make a SYSTEM token for root. IfAndrew Bartlett1-1/+1
we are going to try and have a 'real' NT token for these users, it is going to get messy fast. I want to go down the idmap road, but we don't have the infrustucure for that yet. Andrew Bartlett (This used to be commit c90d5e82ff4836765f328b2acf20fd09ec91189b)
2007-10-10r12608: Remove some unused #include lines.Jelmer Vernooij1-3/+0
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
2007-10-10r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldbAndrew Bartlett1-2/+0
backend. The idea is that every time we open an LDB, we can provide a session_info and/or credentials. This would allow any ldb to be remote to LDAP. We should also support provisioning to a authenticated ldap server. (They are separate so we can say authenticate as foo for remote, but here we just want a token of SYSTEM). Andrew Bartlett (This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
2007-10-10r12058: Set an anonymous fallback, if the machine account isn't available.Andrew Bartlett1-0/+2
Andrew Bartlett (This used to be commit 55cb72f5cfe9a2c520c30e11ab34896588e91730)
2007-10-10r11989: Rather than grabbing the machine account details at this point, grabAndrew Bartlett1-10/+1
them 'later'. We will need to handle the errors when we call the get_* methods. Andrew Bartlett (This used to be commit c6e572f87022b57cdfd8178eb5c23df67a92c453)
2007-10-10r11969: got rid of the very annoying 'failed to open /secrets.tdb'Andrew Tridgell1-1/+5
messages. As discussed with Andrew, this will soon be replaced with a system that marks the credentials to use the machine accout from the database rather than pre-loading the machine account details here. The reason we got the annoying messages is this was being called before smb.conf is loaded, so the code doesn't yet know the location of the private directory (This used to be commit 6aeb4bf3fe224a6f81962237bdda329ba828b493)
2007-10-10r11522: Add support for delegated credentials and machine account credentialsAndrew Bartlett1-0/+20
to ldb, based on the sessionInfo we now pass around. Andrew Bartlett (This used to be commit 84e16e4ea7240409f15efd9f64344f9e0cec8111)
2007-10-10r11452: Update Heimdal to current lorikeet, including removing the ccache sideAndrew Bartlett1-0/+2
of the gsskrb5_acquire_cred hack. Add support for delegated credentials into the auth and credentials subsystem, and specifically into gensec_gssapi. Add the CIFS NTVFS handler as a consumer of delegated credentials, when no user/domain/password is specified. Andrew Bartlett (This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448)
2007-10-10r11273: Initialise the new server_info->logon_server element.Andrew Bartlett1-0/+6
Andrew Bartlett (This used to be commit bc6f6f9381b1038273f87feb35484dc61dd8bd8e)
2007-10-10r11272: In trying to track down why Win2k3 is again rejecting our PAC, ensureAndrew Bartlett1-0/+1
we can round-trip all the way back to a server_info structure, not just a filled in PAC_DATA. (I was worried about generated fields being incorrect, or some other logical flaw). Andrew Bartlett (This used to be commit 11b1d78cc550c60201d12f8778ca8533712a5b1e)
2007-10-10r10812: Fix capitalisation (thanks tridge).Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit f78982a0f1079b07be6d7bfd9cc0f92c2cebcf1c)
2007-10-10r10810: This adds the hooks required to communicate the current user from theAndrew Bartlett1-0/+115
authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2007-10-10r10796: Make getting an anonymous session info a utility function.Andrew Bartlett1-0/+26
Andrew Bartlett (This used to be commit 6021fa373405f8788dc216aae82a3f4a80df4ba7)
2007-10-10r9240: - move struct security_token to the idl file, with this we canStefan Metzmacher1-1/+1
the ndr_pull/push/print functions for it in the ntacl-lsm module - fix compiler warnings in the ldap_encode_ndr_* code metze (This used to be commit 83d65d0d7ed9c240ad44aa2c881c1f07212bfda4)
2007-10-10r8700: Propmted by tridge's need to do plaintext auth in ejs, rework theAndrew Bartlett1-221/+152
user_info strcture in auth/ This moves it to a pattern much like that found in ntvfs, with functions to migrate between PAIN, HASH and RESPONSE passwords. Instead of make_user_info*() functions, we simply fill in the control block in the callers, per recent dicussions on the lists. This removed a lot of data copies as well as error paths, as we can grab much of it with talloc. Andrew Bartlett (This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88)
2007-10-10r8259: We want to oset the provided flags not zeroSimo Sorce1-1/+1
(This used to be commit 50d8ccacca707738f131e47c739dcfacde1311e6)
2007-10-10r8251: fixed a couple of valgrind errors in the unix auth code. Simo, can youAndrew Tridgell1-0/+1
please check that this is what you intended? (This used to be commit a57738769dfb5a47ac49e965750193ecdc903d5a)
2007-10-10r8163: if sidcount is zero it happened that we return NT_STATUS_NO_MEMORY...Stefan Metzmacher1-4/+6
metze (This used to be commit a9ff35a1a24f2d2935e67855fee5011ea528029f)
2007-10-10r8110: More PAC work. I still can't get WinXP to accept the PAC, but we areAndrew Bartlett1-0/+68
much closer. This changes PIDL to allow a subcontext to have a pad8 flag, saying to pad behind to an 8 byte boundary. This is the only way I can explain the 4 trainling zeros in the signature struct. Far more importantly, the PAC code is now under self-test, both in creating/parsing our own PAC, but also a PAC from my win2k3 server. This required changing auth_anonymous, because I wanted to reuse the anonymous 'server_info' generation code. I'm still having trouble with PIDL, particulary as surrounds value(), but I'll follow up on the list. Andrew Bartlett (This used to be commit 50a54bf4e9bf04d2a8e0aebb3482a2ff655c8bbb)
2007-10-10r7233: what about filling that new element ?Simo Sorce1-0/+3
(This used to be commit 6a5e48c35cba801b16172cf6ff06b1d4116fb018)
2007-10-10r7224: add some more usefull data to the auth_usersupplied_info structSimo Sorce1-5/+7
(This used to be commit e40c44e9cdc0be7c52207f8479568804e7d9cff2)
2007-10-10r6544: Use common structures between SAMR, NETLGON and the Krb5 PAC.Andrew Bartlett1-5/+5
Fill out the group list for the SamLogon reply, so clients get the supplementary groups. Andrew Bartlett (This used to be commit d9c31e60a72c345e3a23a7eb742906bcfc18721c)
2007-10-10r5668: Add tests to RPC-SAMLOGON to test for user@REALM style logins. TheseAndrew Bartlett1-4/+23
need a NULL domain (or a "" domain, except this breaks NTLMv2, and I need to look into it a bit more). Add support to the Samba4 server for these logins. This will need extension when we handle trusted domains as a DC, as it is a principal name, not just another format for the username. Andrew Bartlett (This used to be commit de02c7c222a32d2b3fb8ee8b715749b96cb647f9)
2007-10-10r5137: fix typesStefan Metzmacher1-1/+1
metze (This used to be commit add1c579375d08040f722946da31ee3862f9e7ac)
2007-10-10r4620: - add interface functions to the auth subsystem so that callers ↵Stefan Metzmacher1-360/+235
doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847)
2007-10-10r4419: move security_token stuff to the libcli/security/Stefan Metzmacher1-116/+16
and debug privileges metze (This used to be commit c981808ed4cfa63c7ba7c4f9190b6b14f74bab40)
2007-10-10r4339: - rename auth_guest to auth_anonymousStefan Metzmacher1-51/+0
- don't use static const strings in the server_info - fix segfault when auth_sam gets "" as username metze (This used to be commit 7fcbd483d4977cf6483f34ddd28e6c0182897ba2)
2007-10-10r4151: added privilege attribute handling on samdb.Andrew Tridgell1-0/+8
pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2007-10-10r4147: converted from NT_USER_TOKEN to struct security_tokenAndrew Tridgell1-72/+56
this is mostly just a tidyup, but also adds the privilege_mask, which I will be using shortly in ACL checking. note that I had to move the definition of struct security_token out of security.idl as pidl doesn't yet handle arrays of pointers, and the usual workaround (to use a intermediate structure) would make things too cumbersome for this structure, especially given we never encode it to NDR. (This used to be commit 7b446af09b8050746bfc2c50e9d56aa94397cc1a)
2007-10-10r4072: - changed the names of some of the well known sids to be more consistentAndrew Tridgell1-3/+3
- added string constants for the important privileges. (This used to be commit d5bc706140faf2d0a917f90f87884cd097e8a48c)
2007-10-10r4037: fixed a bunch of "might be uninitialised" warnings after enabling -O1 ↵Andrew Tridgell1-16/+18
in my compile (This used to be commit 0928b1f5b68c858922c3ea6c27ed03b5091c6221)
2007-10-10r3810: create a LIB_SECURITY subsystemStefan Metzmacher1-1/+2
- move dom_sid, security_descriptor, security_* funtions to one place and rename some of them metze (This used to be commit b620bdd672cfdf0e009492e648b0709e6b6d8596)
2007-10-10r3554: Use the new talloc_reference changes to simply the conversion ofAndrew Bartlett1-61/+80
returned validation information into the server_info struct. Also allow for easier expansion to different variations on validation levels. Andrew Bartlett (This used to be commit 316b74029cf3e10cf14cffe8ce326a97ef3aec35)
2007-10-10r3453: - split out the auth and popt includesAndrew Tridgell1-0/+1
- tidied up some of the system includes - moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl knows about inter-IDL dependencies (This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64)
2007-10-10r3428: switched to using minimal includes for the auto-generated RPC code.Andrew Tridgell1-0/+2
The thing that finally convinced me that minimal includes was worth pursuing for rpc was a compiler (tcc) that failed to build Samba due to reaching internal limits of the size of include files. Also the fact that includes.h.gch was 16MB, which really seems excessive. This patch brings it back to 12M, which is still too large, but better. Note that this patch speeds up compile times for both the pch and non-pch case. This change also includes the addition iof a "depends()" option in our IDL files, allowing you to specify that one IDL file depends on another. This capability was needed for the auto-includes generation. (This used to be commit b8f5fa8ac8e8725f3d321004f0aedf4246fc6b49)
2007-10-10r3361: Allow Samba4 (I'm interested in ntlm_auth in particular) to useAndrew Bartlett1-2/+123
Samba3's winbind. This is also the start of domain membership code in Samba4, as we now (partially) parse the info3, and use it like Samba3 does. Andrew Bartlett (This used to be commit c1b7303c1c7d9fb815006c3bd2af20a0010d15a8)
2007-10-10r3186: Use the properties of the new talloc() system to handle the authAndrew Bartlett1-9/+5
session info and server info structures. Andrew Bartlett (This used to be commit 5bdf391b3bc10291739f5640be9a404dbbeda273)