summaryrefslogtreecommitdiff
path: root/source4/auth/ntlm/auth_sam.c
AgeCommit message (Collapse)AuthorFilesLines
2009-07-28s4:kerberos Add support for user principal names in certificatesAndrew Bartlett1-1/+1
This extends the PKINIT code in Heimdal to ask the HDB layer if the User Principal Name name in the certificate is an alias (perhaps just by case change) of the name given in the AS-REQ. (This was a TODO in the Heimdal KDC) The testsuite is extended to test this behaviour, and the other PKINIT certficate (using the standard method to specify a principal name in a certificate) is updated to use a Administrator (not administrator). (This fixes the kinit test). Andrew Bartlett
2009-06-18s4:kdc Allow a password change when the password is expiredAndrew Bartlett1-1/+1
This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on. Andrew Bartlett
2009-06-04changed the auth path to use extended DN ops to avoid non-indexed searchesAndrew Tridgell1-28/+19
Logs showed that every SAM authentication was causing a non-indexed ldb search for member=XXX. This was previously indexed in Samba4, but since we switched to using the indexes from the full AD schema it now isn't. The fix is to use the extended DN operations to allow us to ask the server for the memberOf attribute instead, with with the SIDs attached to the result. This also means one less search on every authentication. The patch is made more complex by the fact that some common routines use the result of these user searches, so we had to update all searches that uses user_attrs and those common routines to make sure they all returned a ldb_message with a memberOf filled in and the SIDs attached.
2009-05-26Don't use crossRef records to find our own domainAndrew Bartlett1-118/+26
A single AD server can only host a single domain, so don't stuff about with looking up our crossRef record in the cn=Partitions container. We instead trust that lp_realm() and lp_workgroup() works correctly. Andrew Bartlett
2009-05-25fixed interpretation of ACB_PWNOTREQAndrew Tridgell1-14/+0
This bit actually means that we should ignore the minimum password length field for this user. It doesn't mean that the password should be seen as empty
2009-04-14Port Samba4 to the new combined libcli/auth functionsAndrew Bartlett1-1/+1
For example, some of the new shared functionality was previously in the wkssvc torture test. Andrew Bartlett
2009-02-13Push sam_get_server_info_principal into the auth subsystemAndrew Bartlett1-9/+56
This means it must be accessed via the supplied auth_context in the GENSEC server, and should remove the hard depenceny of GENSEC on the auth subsystem and ldb (allowing LDB not to rely on LDB is considered a good thing, apparently) Andrew Bartlett
2008-12-04s4:kdc: allow a trusted domain to get kerberos ticketsStefan Metzmacher1-1/+2
metze
2008-11-01Remove use of lp_*() from ntlm_check.c.Jelmer Vernooij1-2/+3
2008-10-16Create a 'straight paper path' for UTF16 passwords.Andrew Bartlett1-1/+1
This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
2008-10-11Fix include paths to new location of libutil.Jelmer Vernooij1-1/+1
2008-08-08Always set a session key, even for the 'no password' case.Andrew Bartlett1-0/+2
This is for bug 5664 reported by Tom <hto@arcor.de>. Andrew Bartlett (This used to be commit a106a4ccc435d149072fb884caf95e5517cd4204)
2008-05-05Move NTLM authentication details into auth/ntlmAndrew Bartlett1-0/+449
This should help clarify the role of the various files around here (done on Jelmer's request). Andrew Bartlett (This used to be commit efa399037511ced8978f2e7661a71aac7a384883)