summaryrefslogtreecommitdiff
path: root/source4/auth/ntlm
AgeCommit message (Collapse)AuthorFilesLines
2009-12-16s4-gensec: Replace gensec_get_peer_addr with new tsocket based fn.Andreas Schneider2-3/+5
2009-10-23s4-dsdb: create a static system_session contextAndrew Tridgell1-2/+2
This patch adds a system_session cache, preventing us from having to recreate it on every ldb open, and allowing us to detect when the same session is being used in ldb_wrap
2009-10-20s4: ran minimal_includes.pl on source4/auth/ntlmAndrew Tridgell6-14/+0
2009-10-16s4:auth_sam: Restructure tail in "authsam_get_server_info_principal" and fix ↵Matthias Dieter Wallnöfer1-3/+8
a memory leak
2009-08-05added a uid_wrapper libraryAndrew Tridgell1-1/+1
This library intercepts seteuid and related calls, and simulates them in a manner similar to the nss_wrapper and socket_wrapper libraries. This allows us to enable the vfs_unixuid NTVFS module in the build farm, which means we are more likely to catch errors in the token manipulation. The simulation is not complete, but it is enough for Samba4 for now. The major areas of incompleteness are: - no emulation of setreuid, setresuid or saved uids. These would be needed for use in Samba3 - no emulation of ruid changing. That would also be needed for Samba3 - no attempt to emulate file ownership changing, so code that (for example) tests whether st.st_uid matches geteuid() needs special handling
2009-07-28s4:kerberos Add support for user principal names in certificatesAndrew Bartlett1-1/+1
This extends the PKINIT code in Heimdal to ask the HDB layer if the User Principal Name name in the certificate is an alias (perhaps just by case change) of the name given in the AS-REQ. (This was a TODO in the Heimdal KDC) The testsuite is extended to test this behaviour, and the other PKINIT certficate (using the standard method to specify a principal name in a certificate) is updated to use a Administrator (not administrator). (This fixes the kinit test). Andrew Bartlett
2009-06-25s4 auth_winbind: Internally, info3 has utf8 buffers, not utf16 buffers.Kai Blin1-63/+16
Thanks to gd for the catch.
2009-06-25s4 auth_winbind: Don't allocate the rids for the info3 structure within the loopKai Blin1-4/+4
2009-06-25s4: Add libwbclient backend to auth_winbindKai Blin2-1/+216
2009-06-18s4:kdc Allow a password change when the password is expiredAndrew Bartlett1-1/+1
This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on. Andrew Bartlett
2009-06-04changed the auth path to use extended DN ops to avoid non-indexed searchesAndrew Tridgell1-28/+19
Logs showed that every SAM authentication was causing a non-indexed ldb search for member=XXX. This was previously indexed in Samba4, but since we switched to using the indexes from the full AD schema it now isn't. The fix is to use the extended DN operations to allow us to ask the server for the memberOf attribute instead, with with the SIDs attached to the result. This also means one less search on every authentication. The patch is made more complex by the fact that some common routines use the result of these user searches, so we had to update all searches that uses user_attrs and those common routines to make sure they all returned a ldb_message with a memberOf filled in and the SIDs attached.
2009-05-26Don't use crossRef records to find our own domainAndrew Bartlett1-118/+26
A single AD server can only host a single domain, so don't stuff about with looking up our crossRef record in the cn=Partitions container. We instead trust that lp_realm() and lp_workgroup() works correctly. Andrew Bartlett
2009-05-25fixed interpretation of ACB_PWNOTREQAndrew Tridgell1-14/+0
This bit actually means that we should ignore the minimum password length field for this user. It doesn't mean that the password should be seen as empty
2009-04-14Port Samba4 to the new combined libcli/auth functionsAndrew Bartlett2-6/+1
For example, some of the new shared functionality was previously in the wkssvc torture test. Andrew Bartlett
2009-04-14Move ntlm_check.h into the common libcli/authAndrew Bartlett1-76/+0
2009-04-14Move libcli/auth to the top levelAndrew Bartlett1-603/+0
2009-03-01s4: Use same function signature for convert_* as s3.Jelmer Vernooij1-1/+1
2009-03-01Add allow_badcharcnv argument to all conversion function, forJelmer Vernooij1-1/+1
consistency with Samba 3.
2009-02-13Push sam_get_server_info_principal into the auth subsystemAndrew Bartlett3-10/+87
This means it must be accessed via the supplied auth_context in the GENSEC server, and should remove the hard depenceny of GENSEC on the auth subsystem and ldb (allowing LDB not to rely on LDB is considered a good thing, apparently) Andrew Bartlett
2009-02-13Remove auth/ntlm as a dependency of GENSEC by means of function pointers.Andrew Bartlett1-0/+7
When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-02-05s4:auth/ntlm: fix c++ warningStefan Metzmacher1-1/+1
metze
2009-01-21s4:auth: move make_server_info_netlogon_validation() function arroundStefan Metzmacher1-1/+1
metze
2008-12-29s4:lib/tevent: rename structsStefan Metzmacher2-5/+5
list="" list="$list event_context:tevent_context" list="$list fd_event:tevent_fd" list="$list timed_event:tevent_timer" for s in $list; do o=`echo $s | cut -d ':' -f1` n=`echo $s | cut -d ':' -f2` r=`git grep "struct $o" |cut -d ':' -f1 |sort -u` files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4` for f in $files; do cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp mv $f.tmp $f done done metze
2008-12-22s4: Always link in auth, as some of the core infrastructure depends on it.Jelmer Vernooij1-0/+1
2008-12-04s4:kdc: allow a trusted domain to get kerberos ticketsStefan Metzmacher1-1/+2
metze
2008-11-02Remove another use of global_loadparm.Jelmer Vernooij1-0/+1
Eventually, we should move some of these parameters into a separate struct (perhaps into smb_transport_options?), to avoid the long lists of parameters.
2008-11-02Add gensec_settings structure. This wraps loadparm_context for now, butJelmer Vernooij1-0/+1
should in the future only contain some settings required for gensec.
2008-11-02Remove another use of global_loadparm.Jelmer Vernooij1-0/+1
2008-11-01Remove use of lp_*() from ntlm_check.c.Jelmer Vernooij3-16/+18
2008-10-24Remove iconv_convenience argument from convert_string{,talloc}() butJelmer Vernooij1-1/+1
make them wrappers around convert_string{,talloc}_convenience().
2008-10-24Eliminate another instance of global_loadparm.Jelmer Vernooij1-0/+2
2008-10-24Remove iconv_convenience parameter from simple string push/pullJelmer Vernooij1-1/+1
functions.
2008-10-20Make sure prototypes are always included, make some functions static andJelmer Vernooij3-13/+2
remove some unused functions.
2008-10-16Create a 'straight paper path' for UTF16 passwords.Andrew Bartlett1-1/+1
This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
2008-10-15Remove unused variable.Jelmer Vernooij1-1/+0
2008-10-11Fix include paths to new location of libutil.Jelmer Vernooij2-2/+2
2008-09-30Pass session options around; saves another use of global_loadparm.Jelmer Vernooij1-0/+1
2008-09-24Move source4/lib/crypto to lib/crypto.Jelmer Vernooij1-1/+1
2008-08-08Always set a session key, even for the 'no password' case.Andrew Bartlett1-0/+2
This is for bug 5664 reported by Tom <hto@arcor.de>. Andrew Bartlett (This used to be commit a106a4ccc435d149072fb884caf95e5517cd4204)
2008-08-01auth_server: set the workstation nameStefan Metzmacher1-0/+4
metze (This used to be commit 6d640ee4b84c72f6c2da0ee047c9bac916bf3e57)
2008-08-01auth_server: fix the logic of server_get_challenge()Stefan Metzmacher1-4/+4
metze (This used to be commit 699e3cdb52acdf2524347d8c053730306c579dd9)
2008-08-01auth_server: fix segfault reported by Julien Kerihuel ↵Stefan Metzmacher1-1/+1
<j.kerihuel@openchange.org> metze (This used to be commit c2cc8ef943e8c2e02edb1eb20214de245cc6914c)
2008-06-30auth: don't force the build of auth_server as shared_moduleStefan Metzmacher1-1/+0
metze (This used to be commit b5187dd58ccae03e22ba8857c344a2d7d94f13b3)
2008-05-20Don't regenerate pam_errors.h any more.Andrew Bartlett1-2/+0
Due to the new rules on prototypes, it must be a static header file. Andrew Bartlett (This used to be commit cf60a9b34ec2419b2bc03a37190cb17ad4cf3d5f)
2008-05-20Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-localAndrew Bartlett2-23/+32
Fix config.mk due to changing syntax. Conflicts: source/libcli/config.mk source/nbt_server/config.mk (This used to be commit 6a1c76f29f78183f44dfac6f468c5e728d2cb2cf)
2008-05-18Fix a bunch of dependencies.Jelmer Vernooij1-1/+1
(This used to be commit a63f458462d207d215a6e4ef8e480b0c8daedf6a)
2008-05-18Fix a couple (well, little more than that..) of typos.Jelmer Vernooij1-2/+2
(This used to be commit a6b52119940a900fb0de3864b8bca94e2965cc24)
2008-05-18Create prototype headers from Makefile directory, without smb_build in the ↵Jelmer Vernooij1-2/+3
middle. (This used to be commit f4a77b96f9c17d853348b70794026e5b9e384942)
2008-05-18Use variables for source directory in a couple more places.Jelmer Vernooij1-9/+9
(This used to be commit 2860a7db5968c7007522cdb300eba390da929ab8)
2008-05-10Clean up some git merges gone wrong.Jelmer Vernooij1-1/+1
(This used to be commit 42eb6b33462228467e65a51bbf624c481802b090)