Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
The previous commit didn't include these vital fixes.
Andrew Bartlett
|
|
We previously segfaulted if this was not the case.
Andrew Bartlett
|
|
The challenge here is that we are asked not to add the domain groups
again, but we need to search inside them for any aliases that we need
to add. So, we can't short-circuit the operation just because we found
the domain group.
Andrew Bartlett
|
|
The group list in the PAC does not include 'enterprise DCs' and
BUILTIN groups, so we should generate it on each server, not in the
list we pass around in the PAC or SamLogon reply.
Andrew Bartlett
|
|
The auth context was in the past only for NTLM authentication, but we
need a SAM, an event context and and loadparm context for calculating
the local groups too, so re-use that infrustructure we already have in
place.
However, to avoid problems where we may not have an auth_context (in
torture tests, for example), allow a simpler 'session_info' to be
generated, by passing this via an indirection in gensec and an
generate_session_info() function pointer in the struct auth_context.
In the smb_server (for old-style session setups) we need to change the
async context to a new 'struct sesssetup_context'. This allows us to
use the auth_context in processing the authentication reply .
Andrew Bartlett
|
|
"authsam_expand_nested_groups"
Better use the "res_sids_ctx" as base context for the "tmp_ctx" and not the
long-living "sam_ctx"/"ldb" context to prevent memory leaks.
|
|
This is needed by the "tokenGroups" work in the operational LDB module.
|
|
|
|
Should also be unsigned - no need for a signed "i" and "num_sids" here.
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
The comment for USER_INFO_INTERACTIVE_LOGON looks like a cut-n-paste from the line above.
Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
|
|
Use dsdb_search_one() instead, which allows for arbitrary controls
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
session keys
metze
|
|
|
|
|
|
We have not only to expand the additional groups but *also* the primary group to
gain all rights of a user account.
Also, remove an unneeded context (tmp_ctx) and "talloc_steal".
|
|
"groupSID"s structure
|
|
|
|
authsam_expand_nested_groups()
metze
|
|
This patch adds a function "authsam_expand_nested_groups" (calculation of rights
through expanding groups of a certain SID) which basically collects all
memberships through "memberOf" attributes. It works with either user or group SIDs.
For avoiding loops it tests on each call if the SID hasn't been added yet (through
the helper function "sids_contains_sid").
The function itself is called by "authsam_make_server_info".
|
|
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ. (This was a TODO in
the Heimdal KDC)
The testsuite is extended to test this behaviour, and the other PKINIT
certficate (using the standard method to specify a principal name in a
certificate) is updated to use a Administrator (not administrator).
(This fixes the kinit test).
Andrew Bartlett
|
|
Each attribute we request from LDB comes with a small cost, so don't
lookup any more than we must for the (very) frequent krbtgt lookup
case. Similarly, we don't need to build a PAC for a server (as a
target), so don't ask for the PAC attributes here either.
Andrew Bartlett
|
|
|
|
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue. (In particular, in
case our requirements become more complex in future).
The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw
Also (in hdb-samba4) be a bit more careful on what entries we will
make the 'change_pw' service mark that this depends on.
Andrew Bartlett
|
|
Logs showed that every SAM authentication was causing a non-indexed
ldb search for member=XXX. This was previously indexed in Samba4, but
since we switched to using the indexes from the full AD schema it now
isn't.
The fix is to use the extended DN operations to allow us to ask the
server for the memberOf attribute instead, with with the SIDs attached
to the result. This also means one less search on every
authentication.
The patch is made more complex by the fact that some common routines
use the result of these user searches, so we had to update all
searches that uses user_attrs and those common routines to make sure
they all returned a ldb_message with a memberOf filled in and the SIDs
attached.
|
|
fixed up from previous patch that removed the use of crossref records
|
|
A single AD server can only host a single domain, so don't stuff about
with looking up our crossRef record in the cn=Partitions container.
We instead trust that lp_realm() and lp_workgroup() works correctly.
Andrew Bartlett
|
|
This means it must be accessed via the supplied auth_context in the
GENSEC server, and should remove the hard depenceny of GENSEC on the
auth subsystem and ldb (allowing LDB not to rely on LDB is considered
a good thing, apparently)
Andrew Bartlett
|
|
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"
for s in $list; do
o=`echo $s | cut -d ':' -f1`
n=`echo $s | cut -d ':' -f2`
r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
for f in $files; do
cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
mv $f.tmp $f
done
done
metze
|
|
metze
|
|
should in the future only contain some settings required for gensec.
|
|
remove some unused functions.
|
|
|
|
|
|
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
|
|
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
|
|
Andrew Bartlett
(This used to be commit bc607c334ff86624b891886a6f874da2bcff113e)
|
|
(This used to be commit 2b6b4e5a1611744eea5dd9ec17c416916d7edab4)
|
|
This takes the previous patches further, so we catch all the cases
(the KDC looked at the time directly).
Andrew Bartlett
(This used to be commit cda4642a937d249399e25eaa6e5e20a0d440bcbf)
|
|
More correctly handle expired passwords, and do not expire machine accounts.
Test that the behaviour is consistant with windows, using the RPC-SAMR test.
Change NETLOGON to directly query the userAccountControl, just because
we don't want to do the extra expiry processing here.
Andrew Bartlett
(This used to be commit acda1f69bc9b9c43e157e254d0bae54d11363661)
|
|
(This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede)
|
|
(This used to be commit 2c6b755309fdf685cd0b0564272bf83038574a43)
|
|
further up the call stack.
(This used to be commit 0721a07aada6a1fae6dcbd610b8783df57d7bbad)
|
|
(This used to be commit 56dfcb4f2f8e74c9d8b2fe3a0df043781188a555)
|
|
(This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245)
|
|
(This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
|
|
(This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
|
|
RPC-SAMLOGON test.
This showed that, as noted by bug #4823, we didn't test for invalid
workstations. In fact, the code had been ported across, but because
untested code is broken code, it never worked...
Andrew Bartlett
(This used to be commit 5e07417ada56d189a911ef888b0c87adebe60763)
|
|
the logon hours, even if set.
This code happily stolen from the great work in Samba3 :-)
Andrew Bartlett
(This used to be commit a4939ab629e0af0615bcecf63c7cd55e6e833505)
|