path: root/source4/auth
Age | Commit message | Author | Files | Lines
2010-09-16 | libcli/auth/ntlmssp Be clear about talloc parents for session keys | Andrew Bartlett | 1 | -0/+5
The previous API was not clear as to who owned the returned session key. This fixes a valgrind-found use-after-free in the NTLMSSP key derivation code, and avoids making allocations - we steal and zero instead. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-16 | s4-kerberos: obey the credentials setting for forwardable tickets | Andrew Tridgell | 3 | -27/+40
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 | s4-pycredentials: expose forwardable setting via python | Andrew Tridgell | 1 | -0/+16
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 | s4-credentials: added ability to control forwardable attribute on krb5 tickets | Andrew Tridgell | 2 | -0/+24
with the latest bind9 nsupdate, we need to be able to control if the ticket we use is forwardable Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15 | s4-auth: allow multiple active auth backends | Andrew Tridgell | 1 | -35/+43
when we are an RODC we need to be able to allow multiple auth backends to process a single auth request. First the sam backend will try to authenticate, using locally stored passwords. If this backend can't find local passwords then it will try the winbind backend and authenticate via a writeable DC Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15 | s4-rodc: add a trigger message for REPL_SECRET to auth_sam | Andrew Tridgell | 1 | -0/+52
when an RODC tries to authenticate against an account and the account has no password information it needs to send a message to the drepl server to tell it to try and replicate the secret information from a writeable DC Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-14 | s4: Fix two typos | Volker Lendecke | 1 | -2/+2
2010-09-11 | s4:gensec Put the "NTLM" string for NTLMSSP's SASL name in a header | Andrew Bartlett | 2 | -1/+3
2010-09-11 | s4-credentials: get all attributes in cli_credentials_set_secrets() | Andrew Tridgell | 1 | -17/+1
This ensures we get whenChanged, which is needed by the s3 winbind code to ensure we don't repeatedly try to change the password
2010-09-03 | s4:auth_winbind: use irpc_binding_handle_by_name() | Stefan Metzmacher | 2 | -8/+8
metze
2010-09-03 | s4:auth_winbind: remove unused winbind_samba3 backend | Stefan Metzmacher | 2 | -122/+1
This uses the winbind protocol directly, which needs to be avoided! metze
2010-09-03 | s4:auth_winbind: fix segfault in winbind_check_password_wbclient() | Stefan Metzmacher | 1 | -1/+5
We should only look at err if WBC_ERR_AUTH_ERROR is returned. metze
2010-09-03 | s4:auth_winbind: fix compiler warnings | Stefan Metzmacher | 1 | -4/+11
metze
2010-09-02 | s4-auth: make the disabled acct messages a bit less verbose | Andrew Tridgell | 1 | -6/+6
raise the debug level Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-27 | s4:credentials_krb5.c - quiet a Solaris warning | Matthias Dieter Wallnöfer | 1 | -1/+2
2010-08-26 | s4:ntlm/auth.c - add a whitespace in a debug output | Matthias Dieter Wallnöfer | 1 | -1/+1
2010-08-23 | s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid | Andrew Bartlett | 1 | -11/+15
This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privileges still need to be merged) Andrew Bartlett
2010-08-18 | s4:auth Change {anonymous,system}_session to use common session_info generation | Andrew Bartlett | 1 | -4/+4
This also changes the primary group for anonymous to be the anonymous SID, and adds code to detect and ignore this when constructing the token. Andrew Bartlett
2010-08-18 | s4:auth Avoid doing database lookups for NT AUTHORITY users | Andrew Bartlett | 2 | -108/+122
2010-08-18 | s4:auth Remove system_session_anon() from python bindings | Andrew Bartlett | 4 | -56/+3
2010-08-18 | s4:auth Remove the system:anonymous parameter used for the LDAP backend | Andrew Bartlett | 1 | -10/+4
This isn't needed any more, and just introduces complexity.
2010-08-18 | s4:auth Remove special case constructor for admin_session() | Andrew Bartlett | 1 | -63/+13
There isn't a good reason why this code is duplicated. Andrew Bartlett
2010-08-18 | s4:security Remove use of user_sid and group_sid from struct security_token | Andrew Bartlett | 1 | -10/+5
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-14 | s4:auth Move struct auth_usersupplied_info to a common location | Andrew Bartlett | 4 | -47/+6
This also changes the calling convention slightly - we should always allocate this with talloc_zero() to allow some elements to be optional. Some elements may only make sense in Samba3, which I hope will use this common structure. Andrew Bartlett
2010-08-10 | libcli/auth Make the source3/ implementation of the NTLMSSP server common | Andrew Bartlett | 1 | -520/+1
This means that the core logic (but not the initialisation) of the NTLMSSP server is in common, but uses different authentication backends. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-10 | libcli/auth Move some source3/ NTLMSSP functions to the common code. | Andrew Bartlett | 3 | -141/+6
libcli/auth Use true and false rather than True and False in common code Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-09 | s4-build: use @PACKAGE_VERSION@ in s4 pc.in files | Andrew Tridgell | 1 | -1/+1
this gets replaced by vnum from the build rule
2010-08-07 | s4:ntlmssp Merge more aspects of the source3/ NTLMSSP layer | Andrew Bartlett | 1 | -20/+21
This changes the talloc treatment of the session keys to avoid memory duplication - the session key has always been allocated onto the ntlmssp_context by the auth subsystem callback. The remainder of the changes are cosmetics, such as avoiding using lm_session_key as a pointer (and avoiding then doing an if statement on something that is always true). Andrew Bartlett
2010-08-07 | s4:ntlmssp Re-add gensec_ntlmssp wrapper to allow merge with source3/ | Andrew Bartlett | 2 | -20/+54
By re-adding this wrapper, the actual guts of these functions are now very similar to that found in source3/libsmb/ntlmssp.c This should make it easier to merge the implementations. Andrew Bartlett
2010-08-07 | s4:ntlmssp Always setup the session keys and signing state | Andrew Bartlett | 1 | -9/+1
While it would save some CPU to only setup the session key when requested (like windows does), this instead matches the implementation in source3/libsmb/ntlmssp.c We could re-add this later after the codebase is merged. Andrew Bartlett
2010-08-06 | s4:ntlmssp Adjust Samba4 ntlmssp code to look more like the code in Samba3. | Andrew Bartlett | 2 | -71/+119
This does not change behaviour, and some of the whitespace isn't ideal, but at the moment making this code more similar, even in cosmetics, will assist later merge efforts. Andrew Bartlett
2010-07-16 | s4-loadparm: 2nd half of lp_ to lpcfg_ conversion | Andrew Tridgell | 22 | -88/+88
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-14 | Fixed system_session_anon to actually make an anonymous session | Nadezhda Ivanova | 1 | -1/+1
It seems that because the flag is false, this always used the supplied credentials rather than establish anonymous connection.
2010-06-30 | s4:auth/session.c - suppress a warning when freeing "group_string" | Matthias Dieter Wallnöfer | 1 | -3/+5
2010-06-30 | s4:auth/session.c - free "group_string" when not needed | Anatoliy Atanasov | 1 | -1/+1
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-06-29 | Revert "s4/auth: Fixed authsam_expand_nested_groups() to find entry SID if not available in the DN." | Matthias Dieter Wallnöfer | 1 | -21/+4
This reverts commit fa9557fee3ca546878d99b77f1ff37f724c37024. See post "Endi's Bug 7530 patches (LDAP backend)" on samba-technical.
2010-06-29 | s4:auth Query LDB for msds-SupportedEncryptionTypes for the KDC | Andrew Bartlett | 1 | -0/+1
The KDC needs this to determine what encryption types an entry supports Andrew Bartlett
2010-06-29 | s4:kerberos Add functions to convert msDS-SupportedEncryptionTypes | Andrew Bartlett | 2 | -0/+60
This will allow us to interpret this attribute broadly in Samba. Andrew Bartlett
2010-06-29 | s4:provision Add an msDS-SupportedEncryptionTypes entry to our DC | Andrew Bartlett | 1 | -0/+3
This ensures that our DC will use all the available encryption types. (The KDC reads this entry to determine what the server supports) Andrew Bartlett
2010-06-28 | s4:auth/sam.c - "authsam_expand_nested_groups" - small performance improvement | Matthias Dieter Wallnöfer | 1 | -3/+7
We can save one search operation if "only_childs" is false and when we had no SID passed as extended DN component.
2010-06-28 | s4:auth/sam.c - "authsam_expand_nested_groups" - cosmetic/comments | Matthias Dieter Wallnöfer | 1 | -9/+11
2010-06-28 | s4:auth/sam.c - "authsam_expand_nested_groups" - use "dsdb_search_dn" where possible | Matthias Dieter Wallnöfer | 1 | -3/+11
And always catch LDB errors
2010-06-28 | s4/auth: Fixed authsam_expand_nested_groups() to find entry SID if not available in the DN. | Endi S. Dewata | 1 | -1/+8
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-06-24 | s4:auth/gensec/gensec_gssapi.c - reorder constructor | Matthias Dieter Wallnöfer | 1 | -30/+38
To have the same order as in the structure definition.
2010-06-24 | s4-python: python is not always in /usr/bin | Andrew Tridgell | 3 | -3/+3
Using "#!/usr/bin/env python" is more portable. It still isn't ideal though, as we should really use the python path found at configure time. We do that in many places already, but some don't. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-20 | Revert "Add old functionality back which was removed in commit 589a42e2." | Wilco Baan Hofman | 2 | -21/+2
This reverts commit 94e3b4a0d8b714c101803886d60ae6c484740d2f. Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-06-20 | Add old functionality back which was removed in commit 589a42e2. | Wilco Baan Hofman | 2 | -2/+21
Andrew, please review! Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-06-19 | python: Use samba.tests.TestCase, make sure base class tearDown and setUp methods are called, fix formatting. | Jelmer Vernooij | 3 | -8/+11
2010-06-15 | ldb: Only build standard ldb modules when building bundled ldb. | Jelmer Vernooij | 1 | -1/+1
2010-06-13 | s4-test: Use smb.conf path set in environment rather than using command-line options. | Jelmer Vernooij | 1 | -2/+2
This is the first step towards supporting custom test runners.