summaryrefslogtreecommitdiff
path: root/source4/auth
AgeCommit message (Collapse)AuthorFilesLines
2010-08-07s4:ntlmssp Merge more aspects of the source3/ NTLMSSP layerAndrew Bartlett1-20/+21
This changes the talloc treatment of the session keys to avoid memory duplication - the session key has always been allocated onto the ntlmssp_context by the auth subsystem callback. The remainder of the changes are cosmetics, such as avoiding using lm_session_key as a pointer (and avoiding then doing an if statement on something that is always true). Andrew Bartlett
2010-08-07s4:ntlmssp Re-add gensec_ntlmssp wrapper to allow merge with source3/Andrew Bartlett2-20/+54
By re-adding this wrapper, the actual guts of these functions are now very similar to that found in source3/libsmb/ntlmssp.c This should make it easier to merge the implementations. Andrew Bartlett
2010-08-07s4:ntlmssp Always setup the session keys and signing stateAndrew Bartlett1-9/+1
While it would save some CPU to only setup the session key when requested (like windows does), this instead matches the implementation in source3/libsmb/ntlmssp.c We could re-add this later after the codebase is merged. Andrew Bartlett
2010-08-06s4:ntlmssp Adjust Samba4 ntlmssp code to look more like the code in Samba3.Andrew Bartlett2-71/+119
This does not change behaviour, and some of the whitespace isn't ideal, but at the moment making this code more similar, even in cosmetics, will assist later merge efforts. Andrew Bartlett
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell22-88/+88
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-14Fixed system_session_anon to actually make an anonymous sessionNadezhda Ivanova1-1/+1
It seems that because the flag is false, this always used the supplied credentials rhather than establish anonymous connection.
2010-06-30s4:auth/session.c - suppress a warning when freeing "group_string"Matthias Dieter Wallnöfer1-3/+5
2010-06-30s4:auth/session.c - free "group_string" when not neededAnatoliy Atanasov1-1/+1
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-06-29Revert "s4/auth: Fixed authsam_expand_nested_groups() to find entry SID if ↵Matthias Dieter Wallnöfer1-21/+4
not available in the DN." This reverts commit fa9557fee3ca546878d99b77f1ff37f724c37024. See post "Endi's Bug 7530 patches (LDAP backend)" on samba-technical.
2010-06-29s4:auth Query LDB for msds-SupportedEncryptionTypes for the KDCAndrew Bartlett1-0/+1
The KDC needs this to determine what encryption types an entry supports Andrew Bartlett
2010-06-29s4:kerberos Add functions to convert msDS-SupportedEncryptionTypesAndrew Bartlett2-0/+60
This will allow us to interpret this attibute broadly in Samba. Andrew Bartlett
2010-06-29s4:provision Add an msDS-SupportedEncryptionTypes entry to our DCAndrew Bartlett1-0/+3
This ensures that our DC will use all the available encyption types. (The KDC reads this entry to determine what the server supports) Andrew Bartlett
2010-06-28s4:auth/sam.c - "authsam_expand_nested_groups" - small performance improvementMatthias Dieter Wallnöfer1-3/+7
We can save one search operation if "only_childs" is false and when we had no SID passed as extended DN component.
2010-06-28s4:auth/sam.c - "authsam_expand_nested_groups" - cosmetic/commentsMatthias Dieter Wallnöfer1-9/+11
2010-06-28s4:auth/sam.c - "authsam_expand_nested_groups" - use "dsdb_search_dn" where ↵Matthias Dieter Wallnöfer1-3/+11
possible And always catch LDB errors
2010-06-28s4/auth: Fixed authsam_expand_nested_groups() to find entry SID if not ↵Endi S. Dewata1-1/+8
available in the DN. Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-06-24s4:auth/gensec/gensec_gssapi.c - reorder constructorMatthias Dieter Wallnöfer1-30/+38
To have the same order as in the structure definition.
2010-06-24s4-python: python is not always in /usr/binAndrew Tridgell3-3/+3
Using "#!/usr/bin/env python" is more portable. It still isn't ideal though, as we should really use the python path found at configure time. We do that in many places already, but some don't. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-20Revert "Add old functionality back which was removed in commit 589a42e2."Wilco Baan Hofman2-21/+2
This reverts commit 94e3b4a0d8b714c101803886d60ae6c484740d2f. Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-06-20Add old functionality back which was removed in commit 589a42e2.Wilco Baan Hofman2-2/+21
Andrew, please review! Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-06-19python: Use samba.tests.TestCase, make sure base class tearDown andJelmer Vernooij3-8/+11
setUp methods are called, fix formatting.
2010-06-15ldb: Only build standard ldb modules when building bundled ldb.Jelmer Vernooij1-1/+1
2010-06-13s4-test: Use smb.conf path set in environment rather than usingJelmer Vernooij1-2/+2
command-line options. This is the first step towards supporting custom test runners.
2010-06-01s4:ntlmssp Use common code for ntlmssp_sign.cAndrew Bartlett2-508/+2
The common code does not have a mem_ctx on ntlmssp_check_packet() and ntlmssp_unseal_packet(). We do however need some internal working of the code exposed, so some structures are moved to ntlmssp_sign.h Andrew Bartlett
2010-06-01s4:ntlmssp Use the new common ntlmssp.hAndrew Bartlett1-117/+1
2010-06-01s4:ntlmssp Merge ntlmssp structures with version from source3/Andrew Bartlett2-74/+21
Use this as an excuse to get rid of ntlmssp_set_domain() etc, which don't do anything useful now that msrpc_parse() use talloc anyway. Andrew Bartlett
2010-05-31ldb: Fix dependencies when building with system ldb.Jelmer Vernooij1-1/+1
2010-05-30s4:auth/credentials/credentials.c - initialise "password_last_changed_time"Matthias Dieter Wallnöfer1-0/+2
Otherwise it could remain uninitialised.
2010-05-24Add in support for the NTLMSSP version reply.Jeremy Allison2-4/+31
Jeremy.
2010-05-21s4:auth Remove un-needed headers.Andrew Bartlett5-9/+0
2010-05-21s4:auth Fix previous commit - segfault in determinging a user's groupsAndrew Bartlett1-5/+3
The previous commit didn't include these vital fixes. Andrew Bartlett
2010-05-21s4:auth Error out when a memberOf DN does not have a SIDAndrew Bartlett1-13/+8
We previously segfaulted if this was not the case. Andrew Bartlett
2010-05-20s4:auth handle addition of nested aliases of domain groups.Andrew Bartlett1-8/+8
The challenge here is that we are asked not to add the domain groups again, but we need to search inside them for any aliases that we need to add. So, we can't short-circuit the operation just because we found the domain group. Andrew Bartlett
2010-05-20s4:auth Change auth_generate_session_info to take flagsAndrew Bartlett6-12/+29
This allows us to control what groups should be added in what use cases, and in particular to more carefully control the introduction of the 'authenticated' group. In particular, in the 'service_named_pipe' protocol, we do not have control over the addition of the authenticated users group, so we key of 'is this user the anonymous SID'. This also takes more care to allocate the right length ptoken->sids Andrew Bartlett
2010-05-20s4:auth Push check for messaging context into winbind backendAndrew Bartlett2-5/+5
If we don't use the winbind backend, we don't (for now) need a messaging context- and we don't have one in LDB at the moment. Andrew Bartlett
2010-05-20s4:auth Add dependency from the operational module onto authAndrew Bartlett4-7/+34
We had to split up the auth module into a module loaded by main deamon and a subsystem we manually init in the operational module. Andrew Bartlett
2010-05-20s4:auth Allow the operational module to get a user's tokenGroups from authAndrew Bartlett5-41/+131
This creates a new interface to the auth subsystem, to allow an auth_context to be created from the ldb, and then tokenGroups to be calculated in the same way that the auth subsystem would. Andrew Bartlett
2010-05-20s4:auth Move BUILTIN group addition into session.cAndrew Bartlett3-82/+255
The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply. Andrew Bartlett
2010-05-18s3: Remove use of iconv_convenience.Jelmer Vernooij1-1/+0
2010-05-18Finish removal of iconv_convenience in public API's.Jelmer Vernooij8-45/+15
2010-05-18s4:credentials Add in tracking of the password last set timeAndrew Bartlett3-1/+33
We perhaps need a more general API here, but for now extend the credentials API to return the password last changed time that the s3compat layer will need. Andrew Bartlett
2010-05-18s4:auth Make it clear to the callers the talloc lifetime.Andrew Bartlett1-0/+2
In other times, we might have used talloc_reference here, but this isn't used as much these days. Andrew Bartlett
2010-05-14s4:gensec expose gensec_set_target_principal for use outside GENSECAndrew Bartlett4-3/+8
This allows for the rare case where the caller knows the target principal. The check for lp_client_use_spnego_principal() is moved to the spengo code to make this work. Andrew Bartlett
2010-05-14s4:credentials Allow setting of an empty Kerberos CCACHEAndrew Bartlett1-18/+12
This allows us to tell the credentials code where we want the credentials put. Andrew Bartlett
2010-05-02s4:credentials Make the CCACHE in credentials depend on the things that built itAndrew Bartlett8-41/+132
This means that we consider the ccache only as reliable as the least specified of the inputs we used. This means that we will regenerate the ccache if any of the inputs change. Andrew Bartlett
2010-04-27s4:gensec Use a different form of 'name' in GSSAPI import_name()Andrew Bartlett1-3/+3
The idea here is to make it not dependent on the system's default realm. Andrew Bartlett
2010-04-27s4:kerberos Give a better error message than "Could not allocate memory"Andrew Bartlett1-3/+3
Andrew Bartlett
2010-04-20pytalloc: ensure talloc_ctx is directly after PyObject_HEADAndrew Tridgell1-1/+1
the talloc python interface for tp_alloc and tp_dealloc relies on a cast to a py_talloc_Object to find the talloc_ctx (see py_talloc_dealloc). This means we rely on the talloc_ctx for the object being directly after the PyObject_HEAD This fixes the talloc free with references bug in samba_dnsupdate The actual problem was the tp_alloc() call in PyCredentialCacheContainer_from_ccache_container() which used a cast from a py_talloc_Object to a PyCredentialCacheContainerObject. That case effectively changed the parent/child relationship between the talloc_ctx and the ccc ptr. This patch changes all the structures that follow this pattern to put the TALLOC_CTX directly after the PyObject_HEAD, to ensure that if anyone else decides to do a dangerous cast like this that it won't cause the same sort of subtle breakage. Pair-Programmed-With: Rusty Russell <rusty@samba.org>
2010-04-19s4-python: PyErr_SetString() will crash on NULL stringsAndrew Tridgell1-1/+1
use nt_errstr() when no error available
2010-04-14s4:auth Change auth_generate_session_info to take an auth contextAndrew Bartlett13-40/+71
The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and and loadparm context for calculating the local groups too, so re-use that infrustructure we already have in place. However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and an generate_session_info() function pointer in the struct auth_context. In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply . Andrew Bartlett