summaryrefslogtreecommitdiff
path: root/source4/auth
AgeCommit message (Collapse)AuthorFilesLines
2010-05-21s4:auth Remove un-needed headers.Andrew Bartlett5-9/+0
2010-05-21s4:auth Fix previous commit - segfault in determinging a user's groupsAndrew Bartlett1-5/+3
The previous commit didn't include these vital fixes. Andrew Bartlett
2010-05-21s4:auth Error out when a memberOf DN does not have a SIDAndrew Bartlett1-13/+8
We previously segfaulted if this was not the case. Andrew Bartlett
2010-05-20s4:auth handle addition of nested aliases of domain groups.Andrew Bartlett1-8/+8
The challenge here is that we are asked not to add the domain groups again, but we need to search inside them for any aliases that we need to add. So, we can't short-circuit the operation just because we found the domain group. Andrew Bartlett
2010-05-20s4:auth Change auth_generate_session_info to take flagsAndrew Bartlett6-12/+29
This allows us to control what groups should be added in what use cases, and in particular to more carefully control the introduction of the 'authenticated' group. In particular, in the 'service_named_pipe' protocol, we do not have control over the addition of the authenticated users group, so we key of 'is this user the anonymous SID'. This also takes more care to allocate the right length ptoken->sids Andrew Bartlett
2010-05-20s4:auth Push check for messaging context into winbind backendAndrew Bartlett2-5/+5
If we don't use the winbind backend, we don't (for now) need a messaging context- and we don't have one in LDB at the moment. Andrew Bartlett
2010-05-20s4:auth Add dependency from the operational module onto authAndrew Bartlett4-7/+34
We had to split up the auth module into a module loaded by main deamon and a subsystem we manually init in the operational module. Andrew Bartlett
2010-05-20s4:auth Allow the operational module to get a user's tokenGroups from authAndrew Bartlett5-41/+131
This creates a new interface to the auth subsystem, to allow an auth_context to be created from the ldb, and then tokenGroups to be calculated in the same way that the auth subsystem would. Andrew Bartlett
2010-05-20s4:auth Move BUILTIN group addition into session.cAndrew Bartlett3-82/+255
The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply. Andrew Bartlett
2010-05-18s3: Remove use of iconv_convenience.Jelmer Vernooij1-1/+0
2010-05-18Finish removal of iconv_convenience in public API's.Jelmer Vernooij8-45/+15
2010-05-18s4:credentials Add in tracking of the password last set timeAndrew Bartlett3-1/+33
We perhaps need a more general API here, but for now extend the credentials API to return the password last changed time that the s3compat layer will need. Andrew Bartlett
2010-05-18s4:auth Make it clear to the callers the talloc lifetime.Andrew Bartlett1-0/+2
In other times, we might have used talloc_reference here, but this isn't used as much these days. Andrew Bartlett
2010-05-14s4:gensec expose gensec_set_target_principal for use outside GENSECAndrew Bartlett4-3/+8
This allows for the rare case where the caller knows the target principal. The check for lp_client_use_spnego_principal() is moved to the spengo code to make this work. Andrew Bartlett
2010-05-14s4:credentials Allow setting of an empty Kerberos CCACHEAndrew Bartlett1-18/+12
This allows us to tell the credentials code where we want the credentials put. Andrew Bartlett
2010-05-02s4:credentials Make the CCACHE in credentials depend on the things that built itAndrew Bartlett8-41/+132
This means that we consider the ccache only as reliable as the least specified of the inputs we used. This means that we will regenerate the ccache if any of the inputs change. Andrew Bartlett
2010-04-27s4:gensec Use a different form of 'name' in GSSAPI import_name()Andrew Bartlett1-3/+3
The idea here is to make it not dependent on the system's default realm. Andrew Bartlett
2010-04-27s4:kerberos Give a better error message than "Could not allocate memory"Andrew Bartlett1-3/+3
Andrew Bartlett
2010-04-20pytalloc: ensure talloc_ctx is directly after PyObject_HEADAndrew Tridgell1-1/+1
the talloc python interface for tp_alloc and tp_dealloc relies on a cast to a py_talloc_Object to find the talloc_ctx (see py_talloc_dealloc). This means we rely on the talloc_ctx for the object being directly after the PyObject_HEAD This fixes the talloc free with references bug in samba_dnsupdate The actual problem was the tp_alloc() call in PyCredentialCacheContainer_from_ccache_container() which used a cast from a py_talloc_Object to a PyCredentialCacheContainerObject. That case effectively changed the parent/child relationship between the talloc_ctx and the ccc ptr. This patch changes all the structures that follow this pattern to put the TALLOC_CTX directly after the PyObject_HEAD, to ensure that if anyone else decides to do a dangerous cast like this that it won't cause the same sort of subtle breakage. Pair-Programmed-With: Rusty Russell <rusty@samba.org>
2010-04-19s4-python: PyErr_SetString() will crash on NULL stringsAndrew Tridgell1-1/+1
use nt_errstr() when no error available
2010-04-14s4:auth Change auth_generate_session_info to take an auth contextAndrew Bartlett13-40/+71
The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and and loadparm context for calculating the local groups too, so re-use that infrustructure we already have in place. However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and an generate_session_info() function pointer in the struct auth_context. In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply . Andrew Bartlett
2010-04-14s4:auth Allow the simple 'struct auth_session_info' generator for all usersAndrew Bartlett1-3/+3
This code isn't ideal, but it is better than needing to consult the main SamDB in things like a torture test. Andrew Bartlett
2010-04-12s4:auth/auth_sam_reply.c - fix counter typesMatthias Dieter Wallnöfer1-3/+3
2010-04-12lib/replace/wscript: inline LIBREPLACE_EXT into 'replace' as the autoconf ↵Stefan Metzmacher1-1/+1
system does metze
2010-04-11s4:auth Remove event context from anonymous_session()Andrew Bartlett4-120/+117
This should always return a simple structure with no need to consult a DB, so remove the event context, and simplfy to call helper functions that don't look at privilages. Andrew Bartlett
2010-04-10s4:credentials Add the functions needed to do S4U2Self with cli_credentialsAndrew Bartlett6-50/+208
A torture test to demonstrate will be added soon. Andrew Bartlett
2010-04-10s4:credentials talloc_free() any previous salt_principalAndrew Bartlett2-1/+2
This isn't used often, but it is generally better not to leak it onto what may be a longer-term context. Andrew Bartlett
2010-04-08pynet: Create a net class.Jelmer Vernooij3-10/+22
2010-04-06s4:auth/ntlm/auth_developer.c - "fixed_challenge_get_challenge" - fix the ↵Matthias Dieter Wallnöfer1-5/+2
assignment of the challenge This is a string buffer and not a DATA_BLOB.
2010-04-06s4-python: Move set_session_info to PySambaLdb.Jelmer Vernooij2-2/+2
2010-04-06s4-waf: move to a universal method of recursing into subdirsAndrew Tridgell1-5/+5
This works with both standalone lib builds and bundled builds
2010-04-06s4-waf: removed the AUTOGENERATED markersAndrew Tridgell4-15/+0
we won't be using the mk -> wscript generator again
2010-04-06s4-waf: more dependencies on tallocAndrew Tridgell2-1/+3
these are needed so we can support a system talloc without using the bundled talloc.h
2010-04-06s4-waf: fixed some deps now we don't auto-include tevent and replaceAndrew Tridgell1-1/+1
this is preparation for being able to use system versions of these libraries
2010-04-06s4-waf: mark the wscript files as python so vim/emacs knows how to highlight ↵Andrew Tridgell7-0/+14
them
2010-04-06s4-waf: enable the pc_files in the build rulesAndrew Tridgell1-1/+1
2010-04-06s4-waf: install the rest of the headersAndrew Tridgell1-0/+1
2010-04-06s4-waf: remove the need for some of the lib aliasesAndrew Tridgell1-1/+1
2010-04-06build: check libc first for several librariesAndrew Tridgell1-1/+1
2010-04-06build: fixed the build without sasl librariesAndrew Tridgell2-4/+5
We need to only enable the cyrus_sasl module if we have sasl/sasl.h
2010-04-06build: waf quicktest nearly worksAndrew Tridgell4-12/+4
Rewrote wafsamba using a new dependency handling system, and started adding the waf test code
2010-04-06build: commit all the waf build files in the treeAndrew Tridgell6-0/+223
2010-04-06build: check for libsasl2Andrew Tridgell1-0/+4
2010-04-06build: check for pamAndrew Tridgell1-0/+2
2010-04-05Revert "s4:gensec_gssapi.c - make sure that "GSS_C_DELEG_POLICY_FLAG" is ↵Matthias Dieter Wallnöfer1-5/+0
available" This reverts commit 3e091a82167f51b7d9abf00755bede9354932c6b. This should be fixed through the new build system when it lands in "master".
2010-04-04s4-python: Remove convenience macro PyErr_SetStringError.Jelmer Vernooij1-1/+1
This macro assumed that all errors were runtime errors.
2010-03-30s4:gensec_gssapi.c - make sure that "GSS_C_DELEG_POLICY_FLAG" is availableMatthias Dieter Wallnöfer1-0/+5
FreeBSD 7.2 needs this.
2010-03-29pytalloc: allow for using a system libtalloc-dev with pytallocAndrew Tridgell3-3/+3
When we have a system talloc library, we still need to grab pytalloc.h from lib/talloc. We don't want to just use -Ilib/talloc, as otherwise we'll get the in-tree talloc.h which may not be compatible with the system talloc.h So we need to give the path to pytalloc.h
2010-03-26s4:auth/credentials/credentials.c - initialise more contentMatthias Dieter Wallnöfer1-0/+3
Now all data should be initialised
2010-03-26libutil: moved the networking defines to util_net.hAndrew Tridgell2-0/+2
These were causing thousands of warnings on solaris8