summaryrefslogtreecommitdiff
path: root/source4/auth/ntlm
AgeCommit message (Collapse)AuthorFilesLines
2010-09-15s4-auth: allow multiple active auth backendsAndrew Tridgell1-35/+43
when we are an RODC we need to be able to allow multiple auth backends to process a single auth request. First the sam backend will try to authenticate, using locally stored passwords. If this backend can't find local passwords then it will try the winbind backend and authenticate via a writeable DC Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15s4-rodc: add a trigger message for REPL_SECRET to auth_samAndrew Tridgell1-0/+52
when an RODC tries to authenticate against an account and the account has no password information it needs to send a message to the drepl server to tell it to try and replicate the secret information from a writeable DC Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-03s4:auth_winbind: use irpc_binding_handle_by_name()Stefan Metzmacher2-8/+8
metze
2010-09-03s4:auth_winbind: remove unused winbind_samba3 backendStefan Metzmacher2-122/+1
This uses the winbind protocol directly, which needs to be avoided! metze
2010-09-03s4:auth_winbind: fix segfault in winbind_check_password_wbclient()Stefan Metzmacher1-1/+5
We should only look at err if WBC_ERR_AUTH_ERROR is returned. metze
2010-09-03s4:auth_winbind: fix compiler warningsStefan Metzmacher1-4/+11
metze
2010-08-26s4:ntlm/auth.c - add a whitespace in a debug outputMatthias Dieter Wallnöfer1-1/+1
2010-08-14s4:auth Move struct auth_usersupplied_info to a common locationAndrew Bartlett2-4/+4
This also changes the calling convention slightly - we should always allocate this with talloc_zero() to allow some elements to be optional. Some elements may only make sense in Samba3, which I hope will use this common structure. Andrew Bartlett
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell6-34/+34
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-05-20s4:auth Change auth_generate_session_info to take flagsAndrew Bartlett1-1/+7
This allows us to control what groups should be added in what use cases, and in particular to more carefully control the introduction of the 'authenticated' group. In particular, in the 'service_named_pipe' protocol, we do not have control over the addition of the authenticated users group, so we key of 'is this user the anonymous SID'. This also takes more care to allocate the right length ptoken->sids Andrew Bartlett
2010-05-20s4:auth Push check for messaging context into winbind backendAndrew Bartlett2-5/+5
If we don't use the winbind backend, we don't (for now) need a messaging context- and we don't have one in LDB at the moment. Andrew Bartlett
2010-05-20s4:auth Add dependency from the operational module onto authAndrew Bartlett3-7/+33
We had to split up the auth module into a module loaded by main deamon and a subsystem we manually init in the operational module. Andrew Bartlett
2010-05-20s4:auth Allow the operational module to get a user's tokenGroups from authAndrew Bartlett2-36/+120
This creates a new interface to the auth subsystem, to allow an auth_context to be created from the ldb, and then tokenGroups to be calculated in the same way that the auth subsystem would. Andrew Bartlett
2010-05-18s3: Remove use of iconv_convenience.Jelmer Vernooij1-1/+0
2010-05-18Finish removal of iconv_convenience in public API's.Jelmer Vernooij1-7/+4
2010-04-14s4:auth Change auth_generate_session_info to take an auth contextAndrew Bartlett3-14/+18
The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and and loadparm context for calculating the local groups too, so re-use that infrustructure we already have in place. However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and an generate_session_info() function pointer in the struct auth_context. In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply . Andrew Bartlett
2010-04-12lib/replace/wscript: inline LIBREPLACE_EXT into 'replace' as the autoconf ↵Stefan Metzmacher1-1/+1
system does metze
2010-04-06s4:auth/ntlm/auth_developer.c - "fixed_challenge_get_challenge" - fix the ↵Matthias Dieter Wallnöfer1-5/+2
assignment of the challenge This is a string buffer and not a DATA_BLOB.
2010-04-06s4-waf: more dependencies on tallocAndrew Tridgell1-1/+2
these are needed so we can support a system talloc without using the bundled talloc.h
2010-04-06s4-waf: mark the wscript files as python so vim/emacs knows how to highlight ↵Andrew Tridgell1-0/+2
them
2010-04-06s4-waf: remove the need for some of the lib aliasesAndrew Tridgell1-1/+1
2010-04-06build: waf quicktest nearly worksAndrew Tridgell1-5/+1
Rewrote wafsamba using a new dependency handling system, and started adding the waf test code
2010-04-06build: commit all the waf build files in the treeAndrew Tridgell1-0/+64
2010-02-16s4-dsdb: added dsdb_search_one() and cleanup dsdb_find_dn_by_guid()Andrew Tridgell1-4/+6
dsdb_find_dn_by_guid() now takes a struct GUID instead of a guid_string. All the callers in fact wanted a struct GUID, so we now avoid the extra conversion. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2009-12-29s4:auth: make auth_challenge_may_be_modified() publicStefan Metzmacher1-1/+1
metze
2009-12-29s4:auth: remove autogenerated auth/ntlm/auth_proto.hStefan Metzmacher1-50/+0
metze
2009-12-24s4:auth: change auth_check_password_send/recv to tevent_reqStefan Metzmacher2-108/+136
metze
2009-12-22s4:auth Change 'get_challenge' API to be more like Samba3Andrew Bartlett5-29/+23
It is just easier to fill in the known to be 8 byte challenge than stuff about with allocated pointers. Andrew Bartlett
2009-12-22s4:auth generate the prototype file in the right placeAndrew Bartlett1-1/+1
2009-12-16s4-gensec: Replace gensec_get_peer_addr with new tsocket based fn.Andreas Schneider2-3/+5
2009-10-23s4-dsdb: create a static system_session contextAndrew Tridgell1-2/+2
This patch adds a system_session cache, preventing us from having to recreate it on every ldb open, and allowing us to detect when the same session is being used in ldb_wrap
2009-10-20s4: ran minimal_includes.pl on source4/auth/ntlmAndrew Tridgell6-14/+0
2009-10-16s4:auth_sam: Restructure tail in "authsam_get_server_info_principal" and fix ↵Matthias Dieter Wallnöfer1-3/+8
a memory leak
2009-08-05added a uid_wrapper libraryAndrew Tridgell1-1/+1
This library intercepts seteuid and related calls, and simulates them in a manner similar to the nss_wrapper and socket_wrapper libraries. This allows us to enable the vfs_unixuid NTVFS module in the build farm, which means we are more likely to catch errors in the token manipulation. The simulation is not complete, but it is enough for Samba4 for now. The major areas of incompleteness are: - no emulation of setreuid, setresuid or saved uids. These would be needed for use in Samba3 - no emulation of ruid changing. That would also be needed for Samba3 - no attempt to emulate file ownership changing, so code that (for example) tests whether st.st_uid matches geteuid() needs special handling
2009-07-28s4:kerberos Add support for user principal names in certificatesAndrew Bartlett1-1/+1
This extends the PKINIT code in Heimdal to ask the HDB layer if the User Principal Name name in the certificate is an alias (perhaps just by case change) of the name given in the AS-REQ. (This was a TODO in the Heimdal KDC) The testsuite is extended to test this behaviour, and the other PKINIT certficate (using the standard method to specify a principal name in a certificate) is updated to use a Administrator (not administrator). (This fixes the kinit test). Andrew Bartlett
2009-06-25s4 auth_winbind: Internally, info3 has utf8 buffers, not utf16 buffers.Kai Blin1-63/+16
Thanks to gd for the catch.
2009-06-25s4 auth_winbind: Don't allocate the rids for the info3 structure within the loopKai Blin1-4/+4
2009-06-25s4: Add libwbclient backend to auth_winbindKai Blin2-1/+216
2009-06-18s4:kdc Allow a password change when the password is expiredAndrew Bartlett1-1/+1
This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on. Andrew Bartlett
2009-06-04changed the auth path to use extended DN ops to avoid non-indexed searchesAndrew Tridgell1-28/+19
Logs showed that every SAM authentication was causing a non-indexed ldb search for member=XXX. This was previously indexed in Samba4, but since we switched to using the indexes from the full AD schema it now isn't. The fix is to use the extended DN operations to allow us to ask the server for the memberOf attribute instead, with with the SIDs attached to the result. This also means one less search on every authentication. The patch is made more complex by the fact that some common routines use the result of these user searches, so we had to update all searches that uses user_attrs and those common routines to make sure they all returned a ldb_message with a memberOf filled in and the SIDs attached.
2009-05-26Don't use crossRef records to find our own domainAndrew Bartlett1-118/+26
A single AD server can only host a single domain, so don't stuff about with looking up our crossRef record in the cn=Partitions container. We instead trust that lp_realm() and lp_workgroup() works correctly. Andrew Bartlett
2009-05-25fixed interpretation of ACB_PWNOTREQAndrew Tridgell1-14/+0
This bit actually means that we should ignore the minimum password length field for this user. It doesn't mean that the password should be seen as empty
2009-04-14Port Samba4 to the new combined libcli/auth functionsAndrew Bartlett2-6/+1
For example, some of the new shared functionality was previously in the wkssvc torture test. Andrew Bartlett
2009-04-14Move ntlm_check.h into the common libcli/authAndrew Bartlett1-76/+0
2009-04-14Move libcli/auth to the top levelAndrew Bartlett1-603/+0
2009-03-01s4: Use same function signature for convert_* as s3.Jelmer Vernooij1-1/+1
2009-03-01Add allow_badcharcnv argument to all conversion function, forJelmer Vernooij1-1/+1
consistency with Samba 3.
2009-02-13Push sam_get_server_info_principal into the auth subsystemAndrew Bartlett3-10/+87
This means it must be accessed via the supplied auth_context in the GENSEC server, and should remove the hard depenceny of GENSEC on the auth subsystem and ldb (allowing LDB not to rely on LDB is considered a good thing, apparently) Andrew Bartlett
2009-02-13Remove auth/ntlm as a dependency of GENSEC by means of function pointers.Andrew Bartlett1-0/+7
When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-02-05s4:auth/ntlm: fix c++ warningStefan Metzmacher1-1/+1
metze