Age | Commit message | Author | Files | Lines |
|
Andrew Bartlett
(This used to be commit 68bdbd732fc02ce5a8ef8eb0107459ff3b7eb723)
|
|
This patch prevents non-root and non-administrator users from running
the provision, upgrade and vampire pages. *I think* the rest of SWAT
is LDB operations, or otherwise authenticated, so we should now be
secure.
I wish I had a better way to 'prove' we got this right, but this is better than nothing, and moves us closer to an alpha.
Andrew Bartlett
(This used to be commit d61061052dc4711f886199e49bc303002c8f9b11)
|
|
split out the auth methods.
This caused all SWAT logins to fail, except when using local system
authentication.
Andrew Bartlett
(This used to be commit b5a9d507a37cd46bd325ff3118c08b4362f267f2)
|
|
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
|
|
will now control the auth methods, but an override is still available,
ex:
auth methods:domain controller = <methods>
Andrew Bartlett
(This used to be commit b7e727186ed8eda6a68c873e089f655dc24fe8ae)
|
|
Break up auth/auth.h not to include the world.
Add credentials_krb5.h with the kerberos dependent prototypes.
Andrew Bartlett
(This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
|
|
and gensec_server_start().
calling them with NULL for event context or messaging context
is no longer allowed!
metze
(This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
|
|
smb ejs functions
metze
(This used to be commit 0397911b414518d54f6dba2a8c81a5872b90a034)
|
|
(This used to be commit c6d20c22454b87b4dea3527f0efcecd373679848)
|
|
This should give better behaviour in SWAT.
Fix authentication as Samba, rather than System, users in SWAT.
Andrew Bartlett
(This used to be commit 498d72c4ad4d57d10f43ca58830d6ee8292a55f4)
|
|
Login failed: Login Failed: Logon failure - please try again
In SWAT currently...
Andrew Bartlett
(This used to be commit 51eded818093320e7d6b9e95ad11fa21a81c3f93)
|
|
password'.
Andrew Bartlett
(This used to be commit e13cb0ab175069eb670c8b2f57379ababacfcce3)
|
|
main provision script a bit, as the argument list was getting out of
control. (It has been replaced in part with an object).
This also returns the session_info from the auth code into ejs.
We still need access control allowing only root to re-provision.
Andrew Bartlett
(This used to be commit 002cdcf3cab6563909d31edc5d825e857dc0a732)
|
|
structure around, so the auth code knows where the request came from.
Andrew Bartlett
(This used to be commit 7a7b2668c00d4d22bcf8aa3ba256af88f70c38c4)
|
|
structure that is more generic than just 'IP/port'.
It now passes make test, and has been reviewed and updated by
metze. (Thank you *very* much).
This passes 'make test' as well as kerberos use (not currently in the
testsuite).
The original purpose of this patch was to have Samba able to pass a
socket address structure from the BSD layer into the kerberos routines
and back again. It also removes nbt_peer_addr, which was being used
for a similar purpose.
It is a large change, but worthwhile I feel.
Andrew Bartlett
(This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
|
|
This should be replaced with real ACLs, which tridge is working on.
In the meantime, the rules are very simple:
- SYSTEM and Administrators can read all.
- Users and anonymous cannot read passwords, can read everything else
- list of 'password' attributes is hard-coded
Most of the difficult work in this was fighting with the C/js
interface to add a system_session() call, as it still doesn't get on
with me :-)
Andrew Bartlett
(This used to be commit be9d0cae8989429ef47a713d8f0a82f12966fc78)
|
|
Andrew Bartlett
(This used to be commit 2853ccfc8ad58c6af751e01487b8a9e7e68a01e7)
|
|
backend.
The idea is that every time we open an LDB, we can provide a
session_info and/or credentials. This would allow any ldb to be remote
to LDAP. We should also support provisioning to an authenticated ldap
server.
(They are separate so we can say authenticate as foo for remote, but
here we just want a token of SYSTEM).
Andrew Bartlett
(This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
|
|
logon_parameters for the auth subsystem.
Andrew Bartlett
(This used to be commit 767c5ca7bec3737d1261e209cd895d1300354f25)
|
|
I still have issues with Win2k3 SP1, and Samba4 doesn't pass its own
test for the moment, but I'm working on these issues :-)
This required a change to the credentials API, so that the special
case for NTLM logins using a principal was indeed handled as a
special, not general case.
Also don't set the realm from a ccache, as then it overrides --option=realm=.
Andrew Bartlett
(This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
|
|
(This used to be commit 6e3e964fb4529260c2fcb09b41eda1a100e690eb)
|
|
Kerberos CCACHE into the system.
This again allows the use of the system ccache when no username is
specified, and brings more code in common between gensec_krb5 and
gensec_gssapi.
It also has a side-effect that may (or may not) be expected: If there
is a ccache, even if it is not used (perhaps the remote server didn't
want kerberos), it will change the default username.
Andrew Bartlett
(This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
|
|
(This used to be commit 57e6eb9c66ba539a593524d8cfd8836a840ac1ba)
|
|
but at least it now
tells us why
(This used to be commit 4afb16d7b24b1d1ed359048a89950924b363e44a)
|
|
except of popt help (-h) option (unexpected ?).
rafal
(This used to be commit 1990793b23d6198a85ce1bdf6ad43e12015db203)
|
|
user_info structure in auth/
This moves it to a pattern much like that found in ntvfs, with
functions to migrate between PLAIN, HASH and RESPONSE passwords.
Instead of make_user_info*() functions, we simply fill in the control
block in the callers, per recent discussions on the lists. This
removed a lot of data copies as well as error paths, as we can grab
much of it with talloc.
Andrew Bartlett
(This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88)
|
|
(This used to be commit 8e788ae3094220e5ea195cdf85abb6763a834abd)
|
|
libjs/auth.js
- tried to make the ejs_userAuth() call work for the sam, not just for
unix auth. I didn't get this working. Andrew, when you get a chance
can you see what I'm doing wrong? I suspect it's because we aren't
supplying a challenge, but a challenge doesn't really make sense in a
'is this username/password' correct call.
(This used to be commit 9e07c08a71908e99c2f44efc40a3249facd6850f)
|
|
upstream sources. This makes it much easier to keep it up to date.
I will separate out the mpr code into lib/appweb/mpr next
(This used to be commit 52db7a052baeb0f11361ed69b71cb790039e3cc9)
|
|
- added sys_unlink()
- added sys_file_load() and sys_file_save()
- use mprString() instead of mprCreateStringVar() to cope with NULL strings
- removed smbcalls_irpc.c as it's not needed any more
- allow ldbAdd() and ldbModify() to take multiple ldif records
- added a sprintf() function to ejs. Quite complex, but very useful!
(This used to be commit 625628a3f6e78349d2240ebcc79081f350672070)
|
|
have the toString() and valueOf() default attributes
this allows all our returned objects to be used in logical expressions
(This used to be commit 570f071b1544b497d5f480b8ad50df097fe4c843)
|
|
- got rid of the one line ejs_returnlist()
(This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
|