summaryrefslogtreecommitdiff
path: root/source4/auth/sam.c
AgeCommit message (Collapse)AuthorFilesLines
2010-05-21s4:auth Remove un-needed headers.Andrew Bartlett1-4/+0
2010-05-21s4:auth Fix previous commit - segfault in determinging a user's groupsAndrew Bartlett1-5/+3
The previous commit didn't include these vital fixes. Andrew Bartlett
2010-05-21s4:auth Error out when a memberOf DN does not have a SIDAndrew Bartlett1-13/+8
We previously segfaulted if this was not the case. Andrew Bartlett
2010-05-20s4:auth handle addition of nested aliases of domain groups.Andrew Bartlett1-8/+8
The challenge here is that we are asked not to add the domain groups again, but we need to search inside them for any aliases that we need to add. So, we can't short-circuit the operation just because we found the domain group. Andrew Bartlett
2010-05-20s4:auth Move BUILTIN group addition into session.cAndrew Bartlett1-72/+110
The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply. Andrew Bartlett
2010-04-14s4:auth Change auth_generate_session_info to take an auth contextAndrew Bartlett1-0/+1
The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and and loadparm context for calculating the local groups too, so re-use that infrustructure we already have in place. However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and an generate_session_info() function pointer in the struct auth_context. In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply . Andrew Bartlett
2010-03-04s4:auth/sam.c - change base context for the "tmp_ctx" context in ↵Matthias Dieter Wallnöfer1-1/+1
"authsam_expand_nested_groups" Better use the "res_sids_ctx" as base context for the "tmp_ctx" and not the long-living "sam_ctx"/"ldb" context to prevent memory leaks.
2010-03-04s4:sam.c - make "authsam_expand_nested_groups" publicMatthias Dieter Wallnöfer1-1/+1
This is needed by the "tokenGroups" work in the operational LDB module.
2010-03-04s4:sam.c - cosmetic indentation fixMatthias Dieter Wallnöfer1-2/+1
2010-03-04s4:sam.c - change variable types to unsigned in "sids_contains_sid"Matthias Dieter Wallnöfer1-3/+4
Should also be unsigned - no need for a signed "i" and "num_sids" here.
2010-02-25s4:auth - make some parts "signed-safe"Matthias Dieter Wallnöfer1-3/+4
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-02-22Spelling fixes for source4/auth.Brad Hards1-1/+1
The comment for USER_INFO_INTERACTIVE_LOGON looks like a cut-n-paste from the line above. Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
2010-02-16s4-dsdb: removed gendb_search_single_extended_dn()Andrew Tridgell1-2/+3
Use dsdb_search_one() instead, which allows for arbitrary controls Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-29s4:auth_sam: avoid usage of data_blob_talloc_reference() and copy the ↵Stefan Metzmacher1-4/+14
session keys metze
2009-09-19s4-auth: add SID_NT_ENTERPRISE_DCS is a server trust accountAndrew Tridgell1-1/+13
2009-09-17s4-sam: add a note about the solaris clientAndrew Tridgell1-0/+2
2009-09-07s4:sam - Implement also here the right primary group behaviourMatthias Dieter Wallnöfer1-46/+71
We have not only to expand the additional groups but *also* the primary group to gain all rights of a user account. Also, remove an unneeded context (tmp_ctx) and "talloc_steal".
2009-08-04s4: Change my nested groups patch to don't include user's SID itself in the ↵Matthias Dieter Wallnöfer1-17/+24
"groupSID"s structure
2009-08-03Return infinite time for last last logoff when last logoff = 0Matthieu Patou1-1/+1
2009-07-31s4:auth: make sure we have elements returned at all in ↵Stefan Metzmacher1-0/+6
authsam_expand_nested_groups() metze
2009-07-31s4: Patch to implement nested group and privilegesMatthias Dieter Wallnöfer1-34/+100
This patch adds a function "authsam_expand_nested_groups" (calculation of rights through expanding groups of a certain SID) which basically collects all memberships through "memberOf" attributes. It works with either user or group SIDs. For avoiding loops it tests on each call if the SID hasn't been added yet (through the helper function "sids_contains_sid"). The function itself is called by "authsam_make_server_info".
2009-07-28s4:kerberos Add support for user principal names in certificatesAndrew Bartlett1-2/+4
This extends the PKINIT code in Heimdal to ask the HDB layer if the User Principal Name name in the certificate is an alias (perhaps just by case change) of the name given in the AS-REQ. (This was a TODO in the Heimdal KDC) The testsuite is extended to test this behaviour, and the other PKINIT certficate (using the standard method to specify a principal name in a certificate) is updated to use a Administrator (not administrator). (This fixes the kinit test). Andrew Bartlett
2009-07-17s4:kdc Rework KDC to pull in less attributes for krbtgt lookupsAndrew Bartlett1-15/+27
Each attribute we request from LDB comes with a small cost, so don't lookup any more than we must for the (very) frequent krbtgt lookup case. Similarly, we don't need to build a PAC for a server (as a target), so don't ask for the PAC attributes here either. Andrew Bartlett
2009-06-18Remove unused variableAndrew Bartlett1-3/+0
2009-06-18s4:kdc Allow a password change when the password is expiredAndrew Bartlett1-5/+6
This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on. Andrew Bartlett
2009-06-04changed the auth path to use extended DN ops to avoid non-indexed searchesAndrew Tridgell1-37/+47
Logs showed that every SAM authentication was causing a non-indexed ldb search for member=XXX. This was previously indexed in Samba4, but since we switched to using the indexes from the full AD schema it now isn't. The fix is to use the extended DN operations to allow us to ask the server for the memberOf attribute instead, with with the SIDs attached to the result. This also means one less search on every authentication. The patch is made more complex by the fact that some common routines use the result of these user searches, so we had to update all searches that uses user_attrs and those common routines to make sure they all returned a ldb_message with a memberOf filled in and the SIDs attached.
2009-05-26use domain_dn not ncnameAndrew Tridgell1-3/+2
fixed up from previous patch that removed the use of crossref records
2009-05-26Don't use crossRef records to find our own domainAndrew Bartlett1-33/+16
A single AD server can only host a single domain, so don't stuff about with looking up our crossRef record in the cn=Partitions container. We instead trust that lp_realm() and lp_workgroup() works correctly. Andrew Bartlett
2009-02-13Push sam_get_server_info_principal into the auth subsystemAndrew Bartlett1-45/+0
This means it must be accessed via the supplied auth_context in the GENSEC server, and should remove the hard depenceny of GENSEC on the auth subsystem and ldb (allowing LDB not to rely on LDB is considered a good thing, apparently) Andrew Bartlett
2008-12-29s4:lib/tevent: rename structsStefan Metzmacher1-1/+1
list="" list="$list event_context:tevent_context" list="$list fd_event:tevent_fd" list="$list timed_event:tevent_timer" for s in $list; do o=`echo $s | cut -d ':' -f1` n=`echo $s | cut -d ':' -f2` r=`git grep "struct $o" |cut -d ':' -f1 |sort -u` files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4` for f in $files; do cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp mv $f.tmp $f done done metze
2008-12-04s4:kdc: allow a trusted domain to get kerberos ticketsStefan Metzmacher1-5/+7
metze
2008-11-02Add gensec_settings structure. This wraps loadparm_context for now, butJelmer Vernooij1-2/+4
should in the future only contain some settings required for gensec.
2008-10-20Make sure prototypes are always included, make some functions static andJelmer Vernooij1-0/+1
remove some unused functions.
2008-10-12Use common strlist implementation in Samba 3 and Samba 4.Jelmer Vernooij1-1/+1
2008-10-11Fix include paths to new location of libutil.Jelmer Vernooij1-1/+1
2008-04-17Specify event_context to ldb_wrap_connect explicitly.Jelmer Vernooij1-1/+2
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
2008-04-02Install public header files again and include required prototypes.Jelmer Vernooij1-1/+1
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-03-25Remove useless extra argument to samdb_result_account_expires().Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit bc607c334ff86624b891886a6f874da2bcff113e)
2008-03-07Update account expiration to use new samdb_result_account_expires() function.Andrew Kroeger1-2/+2
(This used to be commit 2b6b4e5a1611744eea5dd9ec17c416916d7edab4)
2008-02-29Simplify the 'password must change' logicAndrew Bartlett1-5/+6
This takes the previous patches further, so we catch all the cases (the KDC looked at the time directly). Andrew Bartlett (This used to be commit cda4642a937d249399e25eaa6e5e20a0d440bcbf)
2008-02-28Generate ACB_PW_EXPIRED correctlyAndrew Bartlett1-17/+19
More correctly handle expired passwords, and do not expire machine accounts. Test that the behaviour is consistant with windows, using the RPC-SAMR test. Change NETLOGON to directly query the userAccountControl, just because we don't want to do the extra expiry processing here. Andrew Bartlett (This used to be commit acda1f69bc9b9c43e157e254d0bae54d11363661)
2007-12-21r26252: Specify loadparm_context explicitly when creating sessions.Jelmer Vernooij1-1/+1
(This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede)
2007-12-21r26250: Avoid global_loadparm in a couple more places.Jelmer Vernooij1-8/+12
(This used to be commit 2c6b755309fdf685cd0b0564272bf83038574a43)
2007-12-21r26227: Make loadparm_context part of a server task, move loadparm_contexts ↵Jelmer Vernooij1-1/+1
further up the call stack. (This used to be commit 0721a07aada6a1fae6dcbd610b8783df57d7bbad)
2007-12-21r26003: Split up DB_WRAP, as first step in an attempt to sanitize dependencies.Jelmer Vernooij1-1/+2
(This used to be commit 56dfcb4f2f8e74c9d8b2fe3a0df043781188a555)
2007-10-10r25552: Convert to standard bool type.Jelmer Vernooij1-9/+9
(This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245)
2007-10-10r25398: Parse loadparm context to all lp_*() functions.Jelmer Vernooij1-1/+1
(This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
2007-10-10r25026: Move param/param.h out of includes.hJelmer Vernooij1-0/+1
(This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
2007-10-10r24074: Test both permitted logon hours and permitted workstations in theAndrew Bartlett1-2/+1
RPC-SAMLOGON test. This showed that, as noted by bug #4823, we didn't test for invalid workstations. In fact, the code had been ported across, but because untested code is broken code, it never worked... Andrew Bartlett (This used to be commit 5e07417ada56d189a911ef888b0c87adebe60763)
2007-10-10r24061: Anther part of bug #4823, which is that until now Samba4 didn't parseAndrew Bartlett1-1/+67
the logon hours, even if set. This code happily stolen from the great work in Samba3 :-) Andrew Bartlett (This used to be commit a4939ab629e0af0615bcecf63c7cd55e6e833505)