Age | Commit message (Collapse) | Author | Files | Lines |
|
struct dom_sid
This makes the structure much more like NT_USER_TOKEN in the source3/
code. (The remaining changes are that privilages still need to be merged)
Andrew Bartlett
|
|
This also changes the primary group for anonymous to be the anonymous
SID, and adds code to detect and ignore this when constructing the token.
Andrew Bartlett
|
|
|
|
|
|
This isn't needed any more, and just introduces complexity.
|
|
There isn't a good reason why this code is duplicated.
Andrew Bartlett
|
|
This makes the structure more like Samba3's NT_USER_TOKEN
|
|
This also changes the calling convention slightly - we should always
allocate this with talloc_zero() to allow some elements to be
optional. Some elements may only make sense in Samba3, which I hope
will use this common structure.
Andrew Bartlett
|
|
This means that the core logic (but not the initialisation) of the
NTLMSSP server is in common, but uses different authentication backends.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
libcli/auth Use true and false rather than True and False in common code
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
this gets replaced by vnum from the build rule
|
|
This changes the talloc treatment of the session keys to avoid
memory duplication - the session key has always been allocated
onto the ntlmssp_context by the auth subsystem callback.
The remainder of the changes are cosmetics, such as avoiding
using lm_session_key as a pointer (and avoiding then doing an
if statement on something that is always true).
Andrew Bartlett
|
|
By re-adding this wrapper, the actual guts of these functions are now very
similar to that found in source3/libsmb/ntlmssp.c
This should make it easier to merge the implementations.
Andrew Bartlett
|
|
While it would save some CPU to only setup the session key when
requested (like windows does), this instead matches the
implementation in source3/libsmb/ntlmssp.c
We could re-add this later after the codebase is merged.
Andrew Bartlett
|
|
This does not change behaviour, and some of the whitespace isn't ideal, but
at the moment making this code more similar, even in cosmetics, will assist
later merge efforts.
Andrew Bartlett
|
|
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
It seems that because the flag is false, this always used the supplied credentials
rhather than establish anonymous connection.
|
|
|
|
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
|
|
not available in the DN."
This reverts commit fa9557fee3ca546878d99b77f1ff37f724c37024.
See post "Endi's Bug 7530 patches (LDAP backend)" on samba-technical.
|
|
The KDC needs this to determine what encryption types an entry supports
Andrew Bartlett
|
|
This will allow us to interpret this attibute broadly in Samba.
Andrew Bartlett
|
|
This ensures that our DC will use all the available encyption types.
(The KDC reads this entry to determine what the server supports)
Andrew Bartlett
|
|
We can save one search operation if "only_childs" is false and when we had no
SID passed as extended DN component.
|
|
|
|
possible
And always catch LDB errors
|
|
available in the DN.
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
|
|
To have the same order as in the structure definition.
|
|
Using "#!/usr/bin/env python" is more portable. It still isn't ideal
though, as we should really use the python path found at configure
time. We do that in many places already, but some don't.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This reverts commit 94e3b4a0d8b714c101803886d60ae6c484740d2f.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
|
|
Andrew, please review!
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
|
|
setUp methods are called, fix formatting.
|
|
|
|
command-line options.
This is the first step towards supporting custom test runners.
|
|
The common code does not have a mem_ctx on ntlmssp_check_packet() and
ntlmssp_unseal_packet().
We do however need some internal working of the code exposed, so some
structures are moved to ntlmssp_sign.h
Andrew Bartlett
|
|
|
|
Use this as an excuse to get rid of ntlmssp_set_domain() etc, which
don't do anything useful now that msrpc_parse() use talloc anyway.
Andrew Bartlett
|
|
|
|
Otherwise it could remain uninitialised.
|
|
Jeremy.
|
|
|
|
The previous commit didn't include these vital fixes.
Andrew Bartlett
|
|
We previously segfaulted if this was not the case.
Andrew Bartlett
|
|
The challenge here is that we are asked not to add the domain groups
again, but we need to search inside them for any aliases that we need
to add. So, we can't short-circuit the operation just because we found
the domain group.
Andrew Bartlett
|
|
This allows us to control what groups should be added in what use
cases, and in particular to more carefully control the introduction of
the 'authenticated' group.
In particular, in the 'service_named_pipe' protocol, we do not have
control over the addition of the authenticated users group, so we key
of 'is this user the anonymous SID'.
This also takes more care to allocate the right length ptoken->sids
Andrew Bartlett
|
|
If we don't use the winbind backend, we don't (for now) need a
messaging context- and we don't have one in LDB at the moment.
Andrew Bartlett
|
|
We had to split up the auth module into a module loaded by main deamon
and a subsystem we manually init in the operational module.
Andrew Bartlett
|
|
This creates a new interface to the auth subsystem, to allow an
auth_context to be created from the ldb, and then tokenGroups to be
calculated in the same way that the auth subsystem would.
Andrew Bartlett
|
|
The group list in the PAC does not include 'enterprise DCs' and
BUILTIN groups, so we should generate it on each server, not in the
list we pass around in the PAC or SamLogon reply.
Andrew Bartlett
|
|
|