path: root/source4/auth
Age | Commit message | Author | Files | Lines
2009-09-09 | Added "admin_session" method. | Nadezhda Ivanova | 3 files | -0/+218
    The purpose of admin_session is to be able to execute parts of provisioning as the user Administrator in order to have the correct group and owner in the security descriptors. To be used for provisioning and tests only.
2009-09-07 | s4:sam - Implement also here the right primary group behaviour | Matthias Dieter Wallnöfer | 1 file | -46/+71
    We have to expand not only the additional groups but *also* the primary group to gain all rights of a user account. Also, remove an unneeded context (tmp_ctx) and "talloc_steal".
2009-08-28 | s4: include ntlmssp header in auth/ntlmssp/ntlmssp.h. | Günther Deschner | 1 file | -0/+1
    Guenther
2009-08-28 | s4-ntlmssp: use interface constants in TargetInfo blob. | Günther Deschner | 1 file | -5/+5
    Guenther
2009-08-28 | s4-ntlmssp: use NTLMSSP headers from IDL and remove duplicate constants. | Günther Deschner | 5 files | -50/+21
    Guenther
2009-08-27 | s4-schannel: add ldb suffix to schannel functions. | Günther Deschner | 1 file | -2/+2
    Guenther
2009-08-21 | s4:kerberos Use MIT compatible names for these enc types | Andrew Bartlett | 1 file | -1/+1
    This is a small start on (ie, the only trivial part of) the work shown in: http://k5wiki.kerberos.org/wiki/Projects/Samba4_Port#Samba.27s_use_of_Heimdal_symbols.2C_with_MIT_differences (a table of all Kerberos symbols used in Samba4, and notes on where they differ from those provided with MIT Kerberos)
    Andrew Bartlett
2009-08-05 | added a uid_wrapper library | Andrew Tridgell | 1 file | -1/+1
    This library intercepts seteuid and related calls, and simulates them in a manner similar to the nss_wrapper and socket_wrapper libraries. This allows us to enable the vfs_unixuid NTVFS module in the build farm, which means we are more likely to catch errors in the token manipulation. The simulation is not complete, but it is enough for Samba4 for now. The major areas of incompleteness are:
    - no emulation of setreuid, setresuid or saved uids. These would be needed for use in Samba3
    - no emulation of ruid changing. That would also be needed for Samba3
    - no attempt to emulate file ownership changing, so code that (for example) tests whether st.st_uid matches geteuid() needs special handling
2009-08-04 | s4: Change my nested groups patch to not include user's SID itself in the "groupSID"s structure | Matthias Dieter Wallnöfer | 1 file | -17/+24
2009-08-03 | Return infinite time for last logoff when last logoff = 0 | Matthieu Patou | 2 files | -2/+2
2009-07-31 | s4:auth: make sure we have elements returned at all in authsam_expand_nested_groups() | Stefan Metzmacher | 1 file | -0/+6
    metze
2009-07-31 | s4: Patch to implement nested group and privileges | Matthias Dieter Wallnöfer | 1 file | -34/+100
    This patch adds a function "authsam_expand_nested_groups" (calculation of rights through expanding groups of a certain SID) which basically collects all memberships through "memberOf" attributes. It works with either user or group SIDs. To avoid loops it tests on each call whether the SID hasn't been added yet (through the helper function "sids_contains_sid"). The function itself is called by "authsam_make_server_info".
2009-07-28 | s4:gensec/spnego: only generate the mechListMic when the server expects it | Stefan Metzmacher | 1 file | -1/+2
    This fixes the ntvfs.cifs tests.
    metze
2009-07-28 | s4:kerberos Add support for user principal names in certificates | Andrew Bartlett | 2 files | -3/+5
    This extends the PKINIT code in Heimdal to ask the HDB layer if the User Principal Name in the certificate is an alias (perhaps just by case change) of the name given in the AS-REQ. (This was a TODO in the Heimdal KDC.) The testsuite is extended to test this behaviour, and the other PKINIT certificate (using the standard method to specify a principal name in a certificate) is updated to use an Administrator (not administrator). (This fixes the kinit test.)
    Andrew Bartlett
2009-07-28 | s4:kerberos Add 'net export keytab' command for wireshark decryption | Andrew Bartlett | 2 files | -1/+148
    It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 domain. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term.)
    Andrew Bartlett
2009-07-27 | Revert "s4:kerberos Add 'net export keytab' command for wireshark decryption" | Stefan Metzmacher | 2 files | -148/+1
    This reverts commit a40ce5d0d9d06f592a8885162bbaf644006b9f0f. This breaks the build... Andrew, please repush it when it's fixed :-)
    metze
2009-07-27 | s4:kerberos Add 'net export keytab' command for wireshark decryption | Andrew Bartlett | 2 files | -1/+148
    It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 domain. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term.)
    Andrew Bartlett
2009-07-24 | s4:gensec_gssapi: pass the correct oid to the gssapi layer. | Stefan Metzmacher | 1 file | -4/+11
    metze
2009-07-24 | s4:gensec/spengo: make sure we send the blob with the micListMech signature to the peer | Stefan Metzmacher | 1 file | -1/+1
    We should even do this if the submech has no more data to send.
    metze
2009-07-17 | s4:kdc Rework KDC to pull in fewer attributes for krbtgt lookups | Andrew Bartlett | 2 files | -15/+29
    Each attribute we request from LDB comes with a small cost, so don't look up any more than we must for the (very) frequent krbtgt lookup case. Similarly, we don't need to build a PAC for a server (as a target), so don't ask for the PAC attributes here either.
    Andrew Bartlett
2009-07-16 | s4:gensec Rework gensec_krb5 mutual authentication defaults | Andrew Bartlett | 1 file | -24/+28
    When emulating Samba3 (which we do to ensure we don't break compatibility), don't do mutual authentication by default, as it breaks the session key with AES and isn't what Samba3 does anyway.
    Andrew Bartlett
2009-07-16 | s4:gensec Allow mutual auth to be turned off in 'fake_gssapi_krb5' | Andrew Bartlett | 1 file | -5/+15
    This allows the older 'like Samba3' GENSEC krb5 implementation to work against Windows 2008. I'm using this to track down interop issues in this area.
    Andrew Bartlett
2009-07-08 | s4:auth/ntlmssp: let _unwrap fallback to seal if sign only doesn't work | Stefan Metzmacher | 1 file | -6/+57
    Windows always uses SEAL with NTLMSSP on LDAP connections even if not negotiated.
    metze
2009-07-07 | s4:auth It is easier to copy the session key than get talloc right. | Andrew Bartlett | 1 file | -4/+3
    The session keys as supplied already have a reference on them, so stealing them creates challenges. For 16 bytes, it is just easier to be consistent and copy them.
    Andrew Bartlett
2009-07-01 | gensec_start now steals the auth_context | Andrew Tridgell | 1 file | -1/+3
2009-07-01 | another case that should use py_talloc_reference | Andrew Tridgell | 1 file | -1/+1
2009-07-01 | removed a redundant talloc_steal | Andrew Tridgell | 1 file | -2/+0
2009-07-01 | fixed the use of talloc_steal in ntlmssp_server | Andrew Tridgell | 1 file | -3/+2
    The previous use of talloc_steal could cause a steal of a pointer that had references. This ensures that doesn't happen.
2009-06-30 | Rework the kerberos-notes.txt in order and format | Don Davis | 1 file | -0/+803
    This reworks the notes file to be less stream-of-consciousness and more task for porting, with a very particular focus on a potential port of Samba4 to use MIT Kerberos.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-06-25 | s4 auth_winbind: Internally, info3 has utf8 buffers, not utf16 buffers. | Kai Blin | 1 file | -63/+16
    Thanks to gd for the catch.
2009-06-25 | s4 auth_winbind: Don't allocate the rids for the info3 structure within the loop | Kai Blin | 1 file | -4/+4
2009-06-25 | s4: Add libwbclient backend to auth_winbind | Kai Blin | 2 files | -1/+216
2009-06-19 | Fixed some uninitialised variables | Matthias Dieter Wallnöfer | 1 file | -5/+1
    I tried hard to not change the program logic. Should fix bug #6439.
2009-06-18 | Remove unused variable | Andrew Bartlett | 1 file | -3/+0
2009-06-18 | s4:kdc Allow a password change when the password is expired | Andrew Bartlett | 3 files | -7/+9
    This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future.) The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw. Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on.
    Andrew Bartlett
2009-06-18 | s4:gensec Print GSSAPI error message when unable to find PAC | Andrew Bartlett | 1 file | -1/+3
2009-06-17 | pycredentials: Raise MemoryError when unable to create objects. | Jelmer Vernooij | 1 file | -1/+6
2009-06-17 | pycredentials: Fix memory leak. | Jelmer Vernooij | 1 file | -1/+7
2009-06-12 | s4:heimdal: import lorikeet-heimdal-200906080040 (commit 904d0124b46eed7a8ad6e5b73e892ff34b6865ba) | Andrew Bartlett | 6 files | -15/+27
    Also including the supporting changes required to pass make test. A number of heimdal functions and constants have changed since we last imported a tree (for the better, but inconvenient for us).
    Andrew Bartlett
2009-06-10 | Clarify and expand the Kerberos notes made by Andrew Bartlett in 2005 | Donald T. Davis | 1 file | -154/+448
    Compiled with Andrew over a series of phone calls and gobby sessions, with the aim of documenting Kerberos requirements for Samba to use an alternate (ie, MIT) Kerberos library.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-06-10 | Remove copy of kerberos-notes.txt added in incorrect location | Andrew Bartlett | 1 file | -760/+0
2009-06-10 | Clarify and expand the Kerberos notes made by Andrew Bartlett in 2005 | Donald T. Davis | 1 file | -0/+760
    Compiled with Andrew over a series of phone calls and gobby sessions with Andrew, with the aim of documenting Kerberos requirements for Samba to use an alternate (ie, MIT) Kerberos library.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-06-04 | changed the auth path to use extended DN ops to avoid non-indexed searches | Andrew Tridgell | 2 files | -65/+66
    Logs showed that every SAM authentication was causing a non-indexed ldb search for member=XXX. This was previously indexed in Samba4, but since we switched to using the indexes from the full AD schema it now isn't. The fix is to use the extended DN operations to allow us to ask the server for the memberOf attribute instead, with the SIDs attached to the result. This also means one less search on every authentication. The patch is made more complex by the fact that some common routines use the result of these user searches, so we had to update all searches that use user_attrs and those common routines to make sure they all returned an ldb_message with a memberOf filled in and the SIDs attached.
2009-06-02 | Fix more unresolved symbols. | Jelmer Vernooij | 2 files | -10/+1
2009-06-02 | python: Move helper functions for using param into a separate file rather than linking against the python module. | Jelmer Vernooij | 2 files | -2/+2
2009-06-02 | Fix dependencies when using shared libraries. | Jelmer Vernooij | 2 files | -1/+2
2009-05-26 | use domain_dn not ncname | Andrew Tridgell | 1 file | -3/+2
    fixed up from previous patch that removed the use of crossref records
2009-05-26 | Don't use crossRef records to find our own domain | Andrew Bartlett | 3 files | -154/+47
    A single AD server can only host a single domain, so don't stuff about with looking up our crossRef record in the cn=Partitions container. We instead trust that lp_realm() and lp_workgroup() work correctly.
    Andrew Bartlett
2009-05-25 | fixed interpretation of ACB_PWNOTREQ | Andrew Tridgell | 1 file | -14/+0
    This bit actually means that we should ignore the minimum password length field for this user. It doesn't mean that the password should be seen as empty.
2009-04-19 | Remove unused headers | Andrew Bartlett | 4 files | -9/+2