From 986372901e85a79343ba32f590a4a3e7658d2565 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 3 Aug 2001 13:09:23 +0000 Subject: This is my 'Authentication Rewrite' version 1.01, mostly as submitted to samba-technical a few weeks ago. The idea here is to standardize the checking of user names and passwords, thereby ensuring that all authtentications pass the same standards. The interface currently implemented in as nt_status = check_password(user_info, server_info) where user_info contains (mostly) the authentication data, and server_info contains things like the user-id they got, and their resolved user name. The current ugliness with the way the structures are created will be killed the next revision, when they will be created and malloced by creator functions. This patch also includes the first implementation of NTLMv2 in HEAD, but which needs some more testing. We also add a hack to allow plaintext passwords to be compared with smbpasswd, not the system password database. Finally, this patch probably reintroduces the PAM accounts bug we had in 2.2.0, I'll fix that once this hits the tree. (I've just finished testing it on a wide variety of platforms, so I want to get this patch in). (This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42) --- source3/include/auth.h | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100644 source3/include/auth.h (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h new file mode 100644 index 0000000000..b81f80eca5 --- /dev/null +++ b/source3/include/auth.h 
@@ -0,0 +1,95 @@ +/* + Unix SMB/Netbios implementation. + Version 2.2 + Standardised Authentication types + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +/* AUTH_STR - string */ +typedef struct normal_string +{ + int len; + char *str; +} AUTH_STR; + +/* AUTH_UNISTR - unicode string or buffer */ +typedef struct unicode_string +{ + int len; + uchar *unistr; +} AUTH_UNISTR; + +/* AUTH_BUFFER - 8-bit byte buffer */ +typedef struct auth_buffer +{ + int len; + uint8 *buffer; +} AUTH_BUFFER; + +typedef struct net_password +{ + AUTH_BUFFER lm_resp; + AUTH_BUFFER nt_resp; +} auth_net_password; + +typedef struct interactive_password +{ + OWF_INFO lm_owf; /* LM OWF Password */ + OWF_INFO nt_owf; /* NT OWF Password */ +} auth_interactive_password; + +typedef struct plaintext_password +{ + AUTH_STR password; +} auth_plaintext_password; + +typedef struct usersupplied_info +{ + + AUTH_BUFFER lm_resp; + AUTH_BUFFER nt_resp; + auth_interactive_password * interactive_password; + AUTH_STR plaintext_password; + + uint8 chal[8]; + + AUTH_STR requested_domain; /* domain name unicode string */ + AUTH_STR domain; /* domain name after mapping */ + AUTH_STR requested_username; + AUTH_STR smb_username; /* user name unicode string (after mapping) */ + AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode 
string */ + +} auth_usersupplied_info; + +typedef struct serversupplied_info +{ + AUTH_STR full_name; + AUTH_STR unix_user; + + BOOL guest; + + uid_t unix_uid; + gid_t unix_gid; + + /* This groups info is needed for when we become_user() for this uid */ + int n_groups; + gid_t *groups; + + uchar session_key[16]; + +} auth_serversupplied_info; + -- cgit From 5b33eaeddec687da18720ac55e92d7b1c493b75c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 3 Aug 2001 17:28:18 +0000 Subject: Added include guards... We may need to rename this file smbauth.h, as auth.h is so generic it will probably conflict with system header files on some systems. Jeremy. (This used to be commit dd4a6edd497053f4e393216884d356975efef799) --- source3/include/auth.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index b81f80eca5..2c761f57a1 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -1,3 +1,5 @@ +#ifndef _SMBAUTH_H_ +#define _SMBAUTH_H_ /* Unix SMB/Netbios implementation. Version 2.2 @@ -93,3 +95,4 @@ typedef struct serversupplied_info } auth_serversupplied_info; +#endif /* _SMBAUTH_H_ */ -- cgit From 6ad80352dd2523c310258de3211a2af0f1763d2a Mon Sep 17 00:00:00 2001 
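Review bot: `AUTH_STR`, `AUTH_UNISTR` and `AUTH_BUFFER` carry their length as a signed `int`, yet `lm_resp`/`nt_resp` in `usersupplied_info` are presumably filled from client-supplied wire data, so a negative or oversized `len` is representable and every consumer has to range-check it before indexing `buffer`. A `size_t len`, or at least a comment that `len` is non-negative and bounded by the allocation, would make that contract explicit. The same structs hold secret material — `chal[8]`, `session_key[16]`, `plaintext_password` — and nothing says who frees them or that they must be wiped before release; a comment such as `/* secret: zero before freeing */` on those fields would pin the expectation for the creator/destructor functions the commit message promises. `serversupplied_info` also gives `unix_uid`/`unix_gid` no "not set" value, so a zero-initialised struct reads as root; worth a note on the fields until an explicit validity marker exists.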
From: Andrew Bartlett Date: Sun, 12 Aug 2001 11:19:57 +0000 Subject: This patch does a number of things, mostly smaller than they look :-) In particuar, it moves the domain_client_validate stuff out of auth_domain.c to somwhere where they (I hope) they can be shared with winbind better. (This may need some work) The main purpose of this patch was however to improve some of the internal documentation and to correctly place become_root()/unbecome_root() calls within the code. Finally this patch moves some more of auth.c into other files, auth_unix.c in this case. Andrew Bartlett (This used to be commit ea1c547ac880def29f150de2172c95213509350e) --- source3/include/auth.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 2c761f57a1..028f8303da 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -69,10 +69,10 @@ typedef struct usersupplied_info uint8 chal[8]; - AUTH_STR requested_domain; /* domain name unicode string */ + AUTH_STR requested_domain; /* domain name string */ AUTH_STR domain; /* domain name after mapping */ AUTH_STR requested_username; - AUTH_STR smb_username; /* user name unicode string (after mapping) */ + AUTH_STR smb_username; /* user name string (after mapping) */ AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */ } auth_usersupplied_info; -- cgit From b800a36b1c81fb37ca963acdc49978ff065fb0d7 Mon Sep 17 00:00:00 2001 
From: Tim Potter Date: Wed, 12 Sep 2001 06:39:50 +0000 Subject: Some patches to authentication: - the usersupplied_info now contains a smb_username (as it comes across on the wire) and a unix_username (after being passed through mapping functions) - when doing security={server,domain} use the smb_username, otherwise use the unix_username (This used to be commit d34fd8ec0716127c7a68eeb8e77d1ae8cc07b547) --- source3/include/auth.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 028f8303da..91230e4b6e 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -71,8 +71,8 @@ typedef struct usersupplied_info AUTH_STR requested_domain; /* domain name string */ AUTH_STR domain; /* domain name after mapping */ - AUTH_STR requested_username; - AUTH_STR smb_username; /* user name string (after mapping) */ + AUTH_STR unix_username; /* username after mapping */ + AUTH_STR smb_username; /* username before mapping */ AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */ } auth_usersupplied_info; -- cgit From 6f0b8a38ec036a0027e9f938834e241b41db40c5 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 31 Oct 2001 06:20:58 +0000 Subject: Added some extra fields to the auth_serversupplied_info structure. To obtain the full group membership of a user (i.e nested groups on a win2k native mode server) it is necessary to merge this list of groups with the groups returned by winbindd when creating an nt access token. This breaks winbindd linking while AB and I sync up our changes to the authentication subsystem. (This used to be commit 4eeb7bcd783d7cfb3ac232f1faa035773007401d) --- source3/include/auth.h | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 91230e4b6e..9e99600e98 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h 
@@ -90,6 +90,11 @@ typedef struct serversupplied_info /* This groups info is needed for when we become_user() for this uid */ int n_groups; gid_t *groups; + + /* NT group information taken from the info3 structure */ + + int n_rids; + uint32 *group_rids; uchar session_key[16]; -- cgit From 60f0627afb167faad57385d44f0b587186a7ac2b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 31 Oct 2001 10:46:25 +0000 Subject: This is a farily large patch (3300 lines) and reworks most of the AuthRewrite code. In particular this assists tpot in some of his work, becouse it provides the connection between the authenticaion and the vuid generation. Major Changes: - Fully malloc'ed structures. - Massive rework of the code so that all structures are made and destroyed using malloc and free, rather than hanging around on the stack. - SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them to be declared 'invalid' without the chance that people might get ROOT by default. - kill off some of the "DOMAIN\user" lookups. These can be readded at a more appropriate place (probably domain_client_validate.c) in the future. They don't belong in session setups. - Massive introduction of DATA_BLOB structures, particularly for passwords. - Use NTLMSSP flags to tell the backend what its getting, rather than magic lenghths. - Fix winbind back up again, but tpot is redoing this soon anyway. - Abstract much of the work in srv_netlog_nt back into auth helper functions. This is a LARGE change, and any assistance is testing it is appriciated. Domain logons are still broken (as far as I can tell) but other functionality seems intact. Needs testing with a wide variety of MS clients. Andrew Bartlett (This used to be commit f70fb819b2f57bd57232b51808345e2319d52f6c) --- source3/include/auth.h | 53 +++++++++++++++++++++----------------------------- 1 file changed, 22 insertions(+), 31 deletions(-) (limited to 'source3/include/auth.h') 
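Review bot: `group_rids` is a heap pointer added to `serversupplied_info`, but nothing in the header says who allocates or frees the array, so once winbindd merges it with its own group list (as the commit message describes) a leak or double free is easy. Suggest `/* allocated by the auth backend; freed with the server_info */` (or whatever the intended owner is) next to the field, and `n_rids` documented as the element count of `group_rids`. The enclosing struct starts before this hunk.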
diff --git a/source3/include/auth.h b/source3/include/auth.h index 9e99600e98..427cb8b489 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -35,58 +35,44 @@ typedef struct unicode_string uchar *unistr; } AUTH_UNISTR; -/* AUTH_BUFFER - 8-bit byte buffer */ -typedef struct auth_buffer -{ - int len; - uint8 *buffer; -} AUTH_BUFFER; - -typedef struct net_password -{ - AUTH_BUFFER lm_resp; - AUTH_BUFFER nt_resp; -} auth_net_password; - typedef struct interactive_password { OWF_INFO lm_owf; /* LM OWF Password */ OWF_INFO nt_owf; /* NT OWF Password */ } auth_interactive_password; -typedef struct plaintext_password -{ - AUTH_STR password; -} auth_plaintext_password; - typedef struct usersupplied_info { - AUTH_BUFFER lm_resp; - AUTH_BUFFER nt_resp; + DATA_BLOB lm_resp; + DATA_BLOB nt_resp; auth_interactive_password * interactive_password; - AUTH_STR plaintext_password; + DATA_BLOB plaintext_password; - uint8 chal[8]; + BOOL encrypted; + + uint32 ntlmssp_flags; + + DATA_BLOB sec_blob; - AUTH_STR requested_domain; /* domain name string */ + AUTH_STR client_domain; /* domain name string */ AUTH_STR domain; /* domain name after mapping */ - AUTH_STR unix_username; /* username after mapping */ - AUTH_STR smb_username; /* username before mapping */ + AUTH_STR internal_username; /* username after mapping */ + AUTH_STR smb_name; /* username before mapping */ AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */ } auth_usersupplied_info; +#define SAM_FILL_NAME 0x01 +#define SAM_FILL_INFO3 0x02 +#define SAM_FILL_SAM 0x04 +#define SAM_FILL_UNIX 0x08 +#define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX) + typedef struct serversupplied_info { - AUTH_STR full_name; - AUTH_STR unix_user; - BOOL guest; - uid_t unix_uid; - gid_t unix_gid; - /* This groups info is needed for when we become_user() for this uid */ int n_groups; gid_t *groups; 
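Review bot: `ntlmssp_flags` in `auth_usersupplied_info` is now what tells the backend which of `lm_resp`/`nt_resp`/`plaintext_password` it is getting (per the commit message), but those flags are presumably copied from the client's NTLMSSP negotiate flags, which are attacker-controlled and not required to match the buffers actually sent. A backend should decide from `lm_resp.length`/`nt_resp.length` and the `encrypted` flag the server itself set, and treat `ntlmssp_flags` as a hint at most; a comment on the field such as `/* client-supplied, advisory only: do not select the password check from this */` would stop modules keying security decisions on it. `encrypted` and a non-empty `plaintext_password` also overlap in meaning, so the header should say which one is authoritative when they disagree.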
@@ -98,6 +84,11 @@ typedef struct serversupplied_info uchar session_key[16]; + uint8 first_8_lm_hash[8]; + + uint32 sam_fill_level; /* How far is this structure filled? */ + + SAM_ACCOUNT *sam_account; } auth_serversupplied_info; #endif /* _SMBAUTH_H_ */ -- cgit From f8e2baf39eb864481dd48f61404136b325cd73c2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 3 Nov 2001 23:34:24 +0000 Subject: Added NT_USER_TOKEN into server_info to fix extra groups problem. Got "medieval on our ass" about const warnings (as many as I could :-). Jeremy. (This used to be commit ee5e7ca547eff016818ba5c43b8ea0c9fa69b808) --- source3/include/auth.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 427cb8b489..04c5aa55e5 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -77,10 +77,9 @@ typedef struct serversupplied_info int n_groups; gid_t *groups; - /* NT group information taken from the info3 structure */ + /* NT group information taken from the info3 structure */ - int n_rids; - uint32 *group_rids; + NT_USER_TOKEN *ptok; uchar session_key[16]; -- cgit From d0a2faf78d316fec200497f5f7997df4c477a1e1 Mon Sep 17 00:00:00 2001 
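Review bot: `first_8_lm_hash[8]` places the first half of the user's LM hash into `auth_serversupplied_info`, a structure that the commit message says is now malloc'ed and passed on to vuid generation, next to `session_key[16]`; neither field says it is secret or that the free path must wipe it. Add `/* secret: zero before free */` to both, plus a one-line comment on why the LM-hash prefix needs to travel in server_info at all, since an LM hash fragment is a credential and the reason is not visible from the header. `sam_fill_level` is a bit-mask of the `SAM_FILL_*` bits rather than a level, so `/* bitmask of SAM_FILL_* giving which fields are populated */` describes it better, and `sam_account` needs an ownership note. The struct's opening brace is outside this hunk.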
From: Andrew Bartlett Date: Sat, 24 Nov 2001 12:12:38 +0000 Subject: This is another rather major change to the samba authentication subsystem. The particular aim is to modularize the interface - so that we can have arbitrary password back-ends. This code adds one such back-end, a 'winbind' module to authenticate against the winbind_auth_crap functionality. While fully-functional this code is mainly useful as a demonstration, because we don't get back the info3 as we would for direct ntdomain authentication. This commit introduced the new 'auth methods' parameter, in the spirit of the 'auth order' discussed on the lists. It is renamed because not all the methods may be consulted, even if previous methods fail - they may not have a suitable challenge for example. Also, we have a 'local' authentication method, for old-style 'unix if plaintext, sam if encrypted' authentication and a 'guest' module to handle guest logins in a single place. While this current design is not ideal, I feel that it does provide a better infrastructure than the current design, and can be built upon. The following parameters have changed: - use rhosts = This has been replaced by the 'rhosts' authentication method, and can be specified like 'auth methods = guest rhosts' - hosts equiv = This needs both this parameter and an 'auth methods' entry to be effective. (auth methods = guest hostsequiv ....) - plaintext to smbpasswd = This is replaced by specifying 'sam' rather than 'local' in the auth methods. The security = parameter is unchanged, and now provides defaults for the 'auth methods' parameter. The available auth methods are: guest rhosts hostsequiv sam (passdb direct hash access) unix (PAM, crypt() etc) local (the combination of the above, based on encryption) smbserver (old security=server) ntdomain (old security=domain) winbind (use winbind to cache DC connections) Assistance in testing, or the production of new and interesting authentication modules is always appreciated. 
Andrew Bartlett (This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99) --- source3/include/auth.h | 54 ++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 48 insertions(+), 6 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 04c5aa55e5..e33ccc2e24 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -53,8 +53,6 @@ typedef struct usersupplied_info uint32 ntlmssp_flags; - DATA_BLOB sec_blob; - AUTH_STR client_domain; /* domain name string */ AUTH_STR domain; /* domain name after mapping */ AUTH_STR internal_username; /* username after mapping */ @@ -69,16 +67,16 @@ typedef struct usersupplied_info #define SAM_FILL_UNIX 0x08 #define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX) -typedef struct serversupplied_info +typedef struct serversupplied_info { BOOL guest; /* This groups info is needed for when we become_user() for this uid */ int n_groups; gid_t *groups; - + /* NT group information taken from the info3 structure */ - + NT_USER_TOKEN *ptok; uchar session_key[16]; 
@@ -86,8 +84,52 @@ typedef struct serversupplied_info uint8 first_8_lm_hash[8]; uint32 sam_fill_level; /* How far is this structure filled? */ - + SAM_ACCOUNT *sam_account; + + void *pam_handle; + } auth_serversupplied_info; +typedef struct authsupplied_info { + DATA_BLOB challange; + + /* Who set this up in the first place? */ + char *challange_set_by; \ + + struct auth_methods *challange_set_method; + /* What order are the various methods in? Try to stop it changing under us */ + struct auth_methods *auth_method_list; +} auth_authsupplied_info; + +typedef struct auth_methods +{ + struct auth_methods *prev, *next; + char *name; /* What name got this module */ + + NTSTATUS (*auth)(void *my_private_data, + const auth_usersupplied_info *user_info, + const struct authsupplied_info *auth_info, + auth_serversupplied_info **server_info); + + DATA_BLOB (*get_chal)(void **my_private_data, const struct authsupplied_info *auth_info); + + /* Used to keep tabs on things like the cli for SMB server authentication */ + void *private_data; + + /* Function to clean up the above arbitary structure */ + void (*free_private_data)(void **private_data); + + /* Function to send a keepalive message on the above structure */ + void (*send_keepalive)(void **private_data); + +} auth_methods; + +typedef struct auth_init_function { + char *name; + /* Function to create a member of the authmethods list */ + BOOL (*init)(struct auth_methods **auth_method); +} auth_init_function; + + #endif /* _SMBAUTH_H_ */ -- cgit From 178f6a64b26d828db6b516392d7072e9c29f6233 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 26 Nov 2001 04:05:28 +0000 Subject: challange -> challenge (This used to be commit d6318add27f6bca5be00cbedf2226b642341297a) --- source3/include/auth.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index e33ccc2e24..270b8d388a 100644 --- a/source3/include/auth.h 
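Review bot: The new `char *challange_set_by; \` line in `struct authsupplied_info` ends with a stray backslash, which is a line continuation and splices the following line onto the declaration — harmless while that line is blank, but the next field someone adds there will silently become part of this statement; drop the `\` and, while here, spell it `challenge_set_by` (the typo recurs in `challange` and `challange_set_method`). The callback signatures are also inconsistent: `auth` receives `void *my_private_data` while `get_chal`, `free_private_data` and `send_keepalive` receive `void **`, so a module cannot (re)allocate its state from `auth`; either all should take `void **` or the header should explain the asymmetry. The comment word `arbitary` should read `arbitrary`.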
+++ b/source3/include/auth.h @@ -92,12 +92,12 @@ typedef struct serversupplied_info } auth_serversupplied_info; typedef struct authsupplied_info { - DATA_BLOB challange; + DATA_BLOB challenge; /* Who set this up in the first place? */ - char *challange_set_by; \ + char *challenge_set_by; \ - struct auth_methods *challange_set_method; + struct auth_methods *challenge_set_method; /* What order are the various methods in? Try to stop it changing under us */ struct auth_methods *auth_method_list; } auth_authsupplied_info; -- cgit From 4a6d1318bd9123f5a9c1d72721a9175320356fbe Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 1 Jan 2002 03:10:32 +0000 Subject: A farily large commit: - Move rpc_client/cli_trust.c to smbd/change_trust_pw.c - It hasn't been used by anything else since smbpasswd lost its -j - Add a TALLOC_CTX to the auth subsytem. These are only valid for the length of the calls to the individual modules, if you want a longer context hide it in your private data. Similarly, all returns (like the server_info) should still be malloced. - Move the 'ntdomain' module (security=domain in oldspeak) over to use the new libsmb domain logon code. Also rework much of the code to use some better helper functions for the connection - getting us much better error returns (the new code is NTSTATUS). The only remaining thing to do is to figure out if tpot's 0xdead 0xbeef for the LUID feilds is sufficient, or if we should do random LUIDs as per the old code. Similarly, I'll move winbind over to this when I get a chance. This leaves the SPOOLSS code and some cli_pipe code as the only stuff still in rpc_client, at least as far as smbd is concerned. While I've given this a basic rundown, any testing is as always appriciated. Andrew Bartlett (This used to be commit d870edce76ecca259230fbdbdacd0c86793b4837) --- source3/include/auth.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/include/auth.h') 
diff --git a/source3/include/auth.h b/source3/include/auth.h index 270b8d388a..b823e7bf4b 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -95,7 +95,7 @@ typedef struct authsupplied_info { DATA_BLOB challenge; /* Who set this up in the first place? */ - char *challenge_set_by; \ + char *challenge_set_by; struct auth_methods *challenge_set_method; /* What order are the various methods in? Try to stop it changing under us */ @@ -108,11 +108,14 @@ typedef struct auth_methods char *name; /* What name got this module */ NTSTATUS (*auth)(void *my_private_data, + TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, const struct authsupplied_info *auth_info, auth_serversupplied_info **server_info); - DATA_BLOB (*get_chal)(void **my_private_data, const struct authsupplied_info *auth_info); + DATA_BLOB (*get_chal)(void **my_private_data, + TALLOC_CTX *mem_ctx, + const struct authsupplied_info *auth_info); /* Used to keep tabs on things like the cli for SMB server authentication */ void *private_data; -- cgit From 2e28f8ff0e3bb50ac5b2742c7678c39cb65bcd95 Mon Sep 17 00:00:00 2001 
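Review bot: The `mem_ctx` now passed to `auth` and `get_chal` is, per the commit message, valid only for the duration of that one call while `*server_info` must still be malloc'ed — but that contract lives only in the commit message, and a module author reading this header will naturally talloc the `server_info` they return from the context they were handed. Document it at the prototype: `/* mem_ctx lives only for this call; *server_info must be malloc'ed, never allocated from mem_ctx */`, and likewise say who owns the bytes of the `DATA_BLOB` that `get_chal` returns. The `auth_methods` struct continues outside this hunk.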
From: Andrew Bartlett Date: Sat, 5 Jan 2002 04:55:41 +0000 Subject: I've decided to move the auth code around a bit more... The auth_authsupplied_info typedef is now just a plain struct - auth_context, but it has been modified to contain the function pointers to the rest of the auth subsystem's components. (Who needs non-static functions anyway?) In working all this mess out, I fixed a number of memory leaks and moved the entire auth subsystem over to talloc(). Note that the TALLOC_CTX attached to the auth_context can be rather long-lived, it is provided for things that are intended to live as long. (The global_negprot_auth_context lasts the whole life of the smbd). I've also adjusted a few things in auth_domain.c, mainly passing the domain as a paramater to a few functions instead of looking up lp_workgroup(). I'm hopign to make this entire thing a bit more trusted domains (as PDC) freindly in the near future. Other than that, I moved a bit of the code around, hence the rather messy diff. Andrew Bartlett (This used to be commit 12f5515f556cf39fea98134fe3e2ac4540501048) --- source3/include/auth.h | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index b823e7bf4b..fb48616273 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -41,7 +41,7 @@ typedef struct interactive_password OWF_INFO nt_owf; /* NT OWF Password */ } auth_interactive_password; -typedef struct usersupplied_info +typedef struct auth_usersupplied_info { DATA_BLOB lm_resp; @@ -67,7 +67,7 @@ typedef struct usersupplied_info #define SAM_FILL_UNIX 0x08 #define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX) -typedef struct serversupplied_info +typedef struct auth_serversupplied_info { BOOL guest; 
@@ -91,7 +91,7 @@ typedef struct serversupplied_info } auth_serversupplied_info; -typedef struct authsupplied_info { +struct auth_context { DATA_BLOB challenge; /* Who set this up in the first place? */ @@ -100,22 +100,30 @@ typedef struct authsupplied_info { struct auth_methods *challenge_set_method; /* What order are the various methods in? Try to stop it changing under us */ struct auth_methods *auth_method_list; -} auth_authsupplied_info; + + TALLOC_CTX *mem_ctx; + const uint8 *(*get_ntlm_challenge)(struct auth_context *auth_context); + NTSTATUS (*check_ntlm_password)(const struct auth_context *auth_context, + const struct auth_usersupplied_info *user_info, + struct auth_serversupplied_info **server_info); + NTSTATUS (*nt_status_squash)(NTSTATUS nt_status); + void (*free)(struct auth_context **auth_context); +}; typedef struct auth_methods { struct auth_methods *prev, *next; char *name; /* What name got this module */ - NTSTATUS (*auth)(void *my_private_data, + NTSTATUS (*auth)(const struct auth_context *auth_context, + void *my_private_data, TALLOC_CTX *mem_ctx, - const auth_usersupplied_info *user_info, - const struct authsupplied_info *auth_info, + const struct auth_usersupplied_info *user_info, auth_serversupplied_info **server_info); - DATA_BLOB (*get_chal)(void **my_private_data, - TALLOC_CTX *mem_ctx, - const struct authsupplied_info *auth_info); + DATA_BLOB (*get_chal)(const struct auth_context *auth_context, + void **my_private_data, + TALLOC_CTX *mem_ctx); /* Used to keep tabs on things like the cli for SMB server authentication */ void *private_data; @@ -128,11 +136,11 @@ typedef struct auth_methods } auth_methods; -typedef struct auth_init_function { +struct auth_init_function { char *name; /* Function to create a member of the authmethods list */ - BOOL (*init)(struct auth_methods **auth_method); -} auth_init_function; + BOOL (*init)(struct auth_context *auth_context, struct auth_methods **auth_method); +}; #endif /* _SMBAUTH_H_ */ -- cgit 
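Review bot: `get_ntlm_challenge` returns a bare `const uint8 *` with no length even though the context stores the challenge as a `DATA_BLOB` that carries one, and nothing says how many bytes the pointer covers (presumably 8, as the original `chal[8]` field was) or how long it stays valid (presumably the life of the `auth_context`, whose `mem_ctx` the commit message calls long-lived). A comment such as `/* 8-byte NTLM challenge; valid until free() of this context */` would fix both, or the method could return the DATA_BLOB itself. `nt_status_squash` also deserves a sentence on its purpose — if it exists to collapse user-not-found into a generic logon failure so clients cannot enumerate accounts, say so, because that is a property later callers must preserve. `free` taking `struct auth_context **` suggests it NULLs the caller's pointer; worth stating.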
From 5047a66d39fdd56a5895037de8c519a828a03b19 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 11 Jan 2002 05:29:09 +0000 Subject: Back out the crazy notion that the NTLMSSP flags actually mean anything... Replace this with some flags that *we* define. We can do a mapping later if we actually get some more reliable info about what passwords are actually valid. Andrew Bartlett (This used to be commit 7f7a42c3e4d5798ac87ea16a42e4976c3778a76b) --- source3/include/auth.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index fb48616273..ed0a4e45f3 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -41,6 +41,12 @@ typedef struct interactive_password OWF_INFO nt_owf; /* NT OWF Password */ } auth_interactive_password; +#define AUTH_FLAG_NONE 0x000000 +#define AUTH_FLAG_PLAINTEXT 0x000001 +#define AUTH_FLAG_LM_RESP 0x000002 +#define AUTH_FLAG_NTLM_RESP 0x000004 +#define AUTH_FLAG_NTLMv2_RESP 0x000008 + typedef struct auth_usersupplied_info { @@ -51,7 +57,7 @@ typedef struct auth_usersupplied_info BOOL encrypted; - uint32 ntlmssp_flags; + uint32 auth_flags; AUTH_STR client_domain; /* domain name string */ AUTH_STR domain; /* domain name after mapping */ -- cgit From 32101155d4a0c80faf392f56a6baa7b91847dd99 Mon Sep 17 00:00:00 2001 
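Review bot: After this change `auth_usersupplied_info` carries the same fact twice — `BOOL encrypted` and `AUTH_FLAG_PLAINTEXT` in `auth_flags` — and nothing says which wins when they disagree, so a backend testing one while the session-setup code sets the other could run a hash comparison on a plaintext blob or vice versa. Either retire `encrypted` in favour of the flag or add `/* must equal !(auth_flags & AUTH_FLAG_PLAINTEXT); auth_flags is authoritative */` on the field. The flag values are written with six hex digits (`0x000001`), which is harmless but unusual; `0x00000001` or plain `0x01` reads as a conventional bit-mask. The enclosing struct continues outside this hunk.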
From: Andrew Bartlett Date: Sun, 20 Jan 2002 13:26:31 +0000 Subject: Kill off another ugly wart from the side of the passdb subsystem. This time its the pdb_getsampwuid() function - which was only being used by the SAMR rpc subsystem to gain a 'user session key'. This 'user session key' is actually generated at login time, and the other changes here simply move that data around. This also means that (when I check some details) we will be able to use the user session key, even when we are not actually the DC, becouse its one of the components of the info3 struct returned on logon. Andrew Bartlett (This used to be commit 799ac01fe08a338e4e94289f5d6767ebf905c1fa) --- source3/include/auth.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index ed0a4e45f3..a61576fd21 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -85,7 +85,7 @@ typedef struct auth_serversupplied_info NT_USER_TOKEN *ptok; - uchar session_key[16]; + uint8 session_key[16]; uint8 first_8_lm_hash[8]; -- cgit From cd68afe31256ad60748b34f7318a180cfc2127cc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 30 Jan 2002 06:08:46 +0000 Subject: Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa) --- source3/include/auth.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index a61576fd21..5c8bc8edfe 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -1,8 +1,7 @@ #ifndef _SMBAUTH_H_ #define _SMBAUTH_H_ /* - Unix SMB/Netbios implementation. - Version 2.2 + Unix SMB/CIFS implementation. Standardised Authentication types Copyright (C) Andrew Bartlett 2001 -- cgit From e90b65284812aaa5ff9e9935ce9bbad7791cbbcd Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Mon, 15 Jul 2002 10:35:28 +0000 Subject: updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce) --- source3/include/auth.h | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 5c8bc8edfe..66b317d643 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -141,11 +141,12 @@ typedef struct auth_methods } auth_methods; -struct auth_init_function { +typedef NTSTATUS (*auth_init_function)(struct auth_context *, const char *, struct auth_methods **); + +struct auth_init_function_entry { char *name; /* Function to create a member of the authmethods list */ - BOOL (*init)(struct auth_context *auth_context, struct auth_methods **auth_method); -}; - + auth_init_function init; +}; #endif /* _SMBAUTH_H_ */ -- cgit From 634c54310c92c48dd4eceec602e230a021bdcfc5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 3 Jan 2003 08:28:12 +0000 Subject: Merge from HEAD - make Samba compile with -Wwrite-strings without additional warnings. (Adds a lot of const). Andrew Bartlett (This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c) --- source3/include/auth.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 66b317d643..846662d17c 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -100,7 +100,7 @@ struct auth_context { DATA_BLOB challenge; /* Who set this up in the first place? */ - char *challenge_set_by; + const char *challenge_set_by; struct auth_methods *challenge_set_method; /* What order are the various methods in? Try to stop it changing under us */ 
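Review bot: The new `auth_init_function` typedef declares its three parameters without names — `(struct auth_context *, const char *, struct auth_methods **)` — so the meaning of the `const char *` (presumably the per-method parameter text from the `auth methods` setting) cannot be learned from the header, and it is exactly the argument a module author must get right. Name them, e.g. `typedef NTSTATUS (*auth_init_function)(struct auth_context *auth_context, const char *param, struct auth_methods **auth_method);`, and add a line saying whether the init function must set `*auth_method` on success and leave it untouched on failure.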
@@ -118,7 +118,7 @@ struct auth_context { typedef struct auth_methods { struct auth_methods *prev, *next; - char *name; /* What name got this module */ + const char *name; /* What name got this module */ NTSTATUS (*auth)(const struct auth_context *auth_context, void *my_private_data, @@ -144,7 +144,7 @@ typedef struct auth_methods typedef NTSTATUS (*auth_init_function)(struct auth_context *, const char *, struct auth_methods **); struct auth_init_function_entry { - char *name; + const char *name; /* Function to create a member of the authmethods list */ auth_init_function init; -- cgit From 1cba0a757970ffd8b81d61c88965010968ab3eff Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 28 Jan 2003 12:07:02 +0000 Subject: Merge from HEAD: - NTLMSSP over SPENGO (sesssion-setup-and-x) cleanup and code refactor. - also consequential changes to the NTLMSSP and SPNEGO parsing functions - and the client code that uses the same functions - Add ntlm_auth, a NTLMSSP authentication interface for use by applications like Squid and Apache. - also consquential changes to use common code for base64 encode/decode. - Winbind changes to support ntlm_auth (I don't want this program to need to read smb.conf, instead getting all it's details over the pipe). - nmbd changes for fstrcat() instead of fstrcpy(). Andrew Bartlett (This used to be commit fbb46da79cf322570a7e3318100c304bbf33409e) --- source3/include/auth.h | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 846662d17c..e37f181082 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -149,4 +149,13 @@ struct auth_init_function_entry { auth_init_function init; }; + +typedef struct auth_ntlmssp_state +{ + TALLOC_CTX *mem_ctx; + struct auth_context *auth_context; + struct auth_serversupplied_info *server_info; + struct ntlmssp_state *ntlmssp_state; +} AUTH_NTLMSSP_STATE; + #endif /* _SMBAUTH_H_ */ -- cgit 
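Review bot: The new `auth_ntlmssp_state` carries four pointers but says nothing about ownership, i.e. whether `auth_context`, `server_info` and `ntlmssp_state` are allocated under `mem_ctx` and released with it, or borrowed from the caller and freed elsewhere. A short comment on the struct, e.g. `/* All members are owned by mem_ctx; freeing mem_ctx frees the state */` if that is the case, saves the next reader from having to find the constructor. I cannot tell from the header which it is, so the wording needs confirming against the function that creates the state.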
From a8c95d79f83b4097ee20d5f3f1005c38ccf00186 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 16 Apr 2003 12:13:07 +0000 Subject: Add support for the new modules system to auth/ (merge from HEAD) (This used to be commit c7a1de090db35835be1a1623bfc80c04065c5dd9) --- source3/include/auth.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index e37f181082..626b9f3ba0 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -148,6 +148,8 @@ struct auth_init_function_entry { /* Function to create a member of the authmethods list */ auth_init_function init; + + struct auth_init_function_entry *prev, *next; }; typedef struct auth_ntlmssp_state @@ -158,4 +160,6 @@ typedef struct auth_ntlmssp_state struct ntlmssp_state *ntlmssp_state; } AUTH_NTLMSSP_STATE; +#define AUTH_INTERFACE_VERSION 1 + #endif /* _SMBAUTH_H_ */ -- cgit From c823b191ab476fc2583d6d6aaa1e2edb09cbb88e Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 12 May 2003 18:12:31 +0000 Subject: And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d) --- source3/include/auth.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/include/auth.h') 
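Review bot: `#define AUTH_INTERFACE_VERSION 1` in the second hunk is added without a comment stating what it guards, so a later maintainer changing `struct auth_methods` or `auth_init_function` has no cue that the number must move with the layout. Suggest `/* Bump whenever struct auth_methods, auth_init_function or auth_init_function_entry changes; modules built against another version must be refused at load time */`. Whether the module loader actually compares this value is outside the header and is presumably handled by the new modules system the commit refers to.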
diff --git a/source3/include/auth.h b/source3/include/auth.h index 626b9f3ba0..eb80e3c5b4 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -75,6 +75,9 @@ typedef struct auth_usersupplied_info typedef struct auth_serversupplied_info { BOOL guest; + + uid_t uid; + gid_t gid; /* This groups info is needed for when we become_user() for this uid */ int n_groups; -- cgit From 61116049cabc292c2f2d570af4d68ddc537b91f5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 3 Jul 2003 14:36:42 +0000 Subject: This patch takes the work the jerry did for beta2, and generalises it: - The 'not implmented' checks are now done by all auth modules - the ntdomain/trustdomain/winbind modules are more presise as to what domain names they can and cannot handle - The become_root() calls are now around the winbind pipe opening only, not the entire auth call - The unix username is kept seperate from the NT username, removing the need for 'clean off the domain\' in parse_net.c - All sid->uid translations are now validated with getpwuid() to put a very basic stop to logins with 'half deleted' accounts. Andrew Bartlett (This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec) --- source3/include/auth.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index eb80e3c5b4..6b42418be8 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -96,6 +96,8 @@ typedef struct auth_serversupplied_info SAM_ACCOUNT *sam_account; void *pam_handle; + + char *unix_name; } auth_serversupplied_info; -- cgit From fcbfc7ad0669009957c65fa61bb20df75a9701b4 Mon Sep 17 00:00:00 2001 
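Review bot: `uid_t uid; gid_t gid;` are added to `auth_serversupplied_info` without saying where they come from or whether a caller may hand them straight to `become_user()`; the adjacent comment only covers the groups array. Since a wrong mapping here changes the identity the server switches to, a comment stating the guarantee, e.g. `/* unix identity the session runs as; must resolve via getpwuid() before become_user() */`, documents the contract every filler has to meet. Whether such validation exists at this point is not visible in the hunk; the following commit on this page says it adds getpwuid() checks for sid->uid translations, so the wording should match what the fillers actually do.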
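Review bot: `char *unix_name;` lands at the end of `auth_serversupplied_info` with no comment, while the neighbouring fields explain their role, and only the commit message says it is the unix user name kept separate from the NT username. Put that in the header: `char *unix_name; /* unix user name, kept separate from the NT user name */`. Whether the string is talloc'ed off the struct or malloc'ed is also not visible here and is worth a word once known.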
From: Andrew Bartlett Date: Sat, 22 Nov 2003 13:19:38 +0000 Subject: Changes all over the shop, but all towards: - NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particularly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challenge' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signing on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. 
- Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc) --- source3/include/auth.h | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 6b42418be8..ecf4d539d8 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -87,10 +87,9 @@ typedef struct auth_serversupplied_info NT_USER_TOKEN *ptok; - uint8 session_key[16]; + DATA_BLOB nt_session_key; + DATA_BLOB lm_session_key; - uint8 first_8_lm_hash[8]; - uint32 sam_fill_level; /* How far is this structure filled? */ SAM_ACCOUNT *sam_account; @@ -107,6 +106,8 @@ struct auth_context { /* Who set this up in the first place? */ const char *challenge_set_by; + BOOL challenge_may_be_modified; + struct auth_methods *challenge_set_method; /* What order are the various methods in? Try to stop it changing under us */ struct auth_methods *auth_method_list; -- cgit From c2ff214772ac1934731938b3804d37e514e45c32 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 3 Apr 2004 15:41:32 +0000 Subject: Fix most of bug #169. For a (very) long time, we have had a bug in Samba were an NTLMv2-only PDC would fail, because it converted the password into NTLM format for checking. This patch performs the direct comparison required for interactive logons to function in this situation. It also removes the 'auth flags', which simply where not ever used. Natrually, this plays with the size of structures, so rebuild, rebuild rebuild... Andrew Bartlett (This used to be commit 9598593bcf2d877b1d08cd6a7323ee0bc160d4ba) --- source3/include/auth.h | 24 ++---------------------- 1 file changed, 2 insertions(+), 22 deletions(-) (limited to 'source3/include/auth.h') 
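Review bot: `DATA_BLOB nt_session_key` and `DATA_BLOB lm_session_key` replace a fixed 16-byte array with heap-backed, variable-length buffers, but nothing says who frees them or that they hold key material that should be cleared rather than plainly freed when the `auth_serversupplied_info` is torn down. A comment on the pair, e.g. `/* variable-length session keys (8 bytes for DES krb5); owned by this struct, clear before freeing */`, records both the length assumption the commit relaxes and the handling key material deserves. Whether the existing free path clears them is not visible in this hunk.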
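Review bot: `BOOL challenge_may_be_modified;` is added to `auth_context` in the second hunk with no comment, although the commit message explains the rule: NTLM2 changes the challenge fed into the challenge-response computation, and that must be disabled for security=server, which cannot handle it. That rule belongs next to the field: `/* May the client alter the challenge (NTLM2)? Must be false for security=server, which cannot cope with a changed challenge. */`. The code that sets and consults the flag is outside this header, so I cannot confirm where the default is established.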
diff --git a/source3/include/auth.h b/source3/include/auth.h index ecf4d539d8..8f52512e6a 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -27,37 +27,17 @@ typedef struct normal_string char *str; } AUTH_STR; -/* AUTH_UNISTR - unicode string or buffer */ -typedef struct unicode_string -{ - int len; - uchar *unistr; -} AUTH_UNISTR; - -typedef struct interactive_password -{ - OWF_INFO lm_owf; /* LM OWF Password */ - OWF_INFO nt_owf; /* NT OWF Password */ -} auth_interactive_password; - -#define AUTH_FLAG_NONE 0x000000 -#define AUTH_FLAG_PLAINTEXT 0x000001 -#define AUTH_FLAG_LM_RESP 0x000002 -#define AUTH_FLAG_NTLM_RESP 0x000004 -#define AUTH_FLAG_NTLMv2_RESP 0x000008 - typedef struct auth_usersupplied_info { DATA_BLOB lm_resp; DATA_BLOB nt_resp; - auth_interactive_password * interactive_password; + DATA_BLOB lm_interactive_pwd; + DATA_BLOB nt_interactive_pwd; DATA_BLOB plaintext_password; BOOL encrypted; - uint32 auth_flags; - AUTH_STR client_domain; /* domain name string */ AUTH_STR domain; /* domain name after mapping */ AUTH_STR internal_username; /* username after mapping */ -- cgit From d17425ed52b086b7046708a207e849271cedc804 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 6 Apr 2004 08:11:16 +0000 Subject: r69: Global rename of 'nt_session_key' -> 'user_session_key'. The session key could be anything, and may not be based on anything 'NT'. This is also what microsoft calls it. (This used to be commit 724e8d3f33719543146280062435c69a835c491e) --- source3/include/auth.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 8f52512e6a..188cf58643 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h 
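Review bot: `DATA_BLOB lm_interactive_pwd` and `DATA_BLOB nt_interactive_pwd` replace the OWF_INFO pair whose comments (`LM OWF Password`, `NT OWF Password`) were the only statement that these hold one-way-function hashes for interactive logons rather than challenge responses, and the replacements carry no comment. Restore that information: `DATA_BLOB lm_interactive_pwd; /* LM OWF hash supplied for an interactive logon */` and likewise for the NT field. The struct continues past the hunk, so how the `encrypted` flag relates to these fields is not visible here.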
@@ -67,7 +67,7 @@ typedef struct auth_serversupplied_info NT_USER_TOKEN *ptok; - DATA_BLOB nt_session_key; + DATA_BLOB user_session_key; DATA_BLOB lm_session_key; uint32 sam_fill_level; /* How far is this structure filled? */ -- cgit From 2ea185b3ab6d7d0c3a7294577b4627d4ba7e00b1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 25 Jan 2005 02:58:31 +0000 Subject: r4976: Try to scare people off from trying to write authentication modules that only acheive as much as 'security=server' does. Andrew Bartlett (This used to be commit fb694f2b1a809d221f48f9b9b0e54e9512325bae) --- source3/include/auth.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 188cf58643..91751e7180 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -112,6 +112,10 @@ typedef struct auth_methods const struct auth_usersupplied_info *user_info, auth_serversupplied_info **server_info); + /* If you are using this interface, then you are probably + * getting something wrong. This interface is only for + * security=server, and makes a number of compromises to allow + * that. It is not compatible with being a PDC. */ DATA_BLOB (*get_chal)(const struct auth_context *auth_context, void **my_private_data, TALLOC_CTX *mem_ctx); -- cgit From e7c48884a5c7e1f88ce2decf7d12db338ff8995e Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Wed, 13 Jul 2005 20:04:26 +0000 Subject: r8432: Fix #2077 - login to trusted domain doesn't allow home drive map and login scripts to be executed. We were filling in our name as the server which processed the login, even when it was done by a trusted DC. Thanks to John Janosik for the fix. (This used to be commit 0446319a3b8096df385978449ffaa231bc5cfd0c) --- source3/include/auth.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 91751e7180..7282f4d38b 100644 
--- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -69,6 +69,8 @@ typedef struct auth_serversupplied_info DATA_BLOB user_session_key; DATA_BLOB lm_session_key; + + char *login_server; /* which server authorized the login? */ uint32 sam_fill_level; /* How far is this structure filled? */ -- cgit From fcceedd67c29bae6941949a16ebef37e95dab601 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 8 Nov 2005 06:19:34 +0000 Subject: r11573: Adding Andrew Bartlett's patch to make machine account logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same was as it would a user account check. I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8) --- source3/include/auth.h | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 7282f4d38b..f3dae1108b 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -21,15 +21,12 @@ */ /* AUTH_STR - string */ -typedef struct normal_string -{ +typedef struct normal_string { int len; char *str; } AUTH_STR; -typedef struct auth_usersupplied_info -{ - +typedef struct auth_usersupplied_info { DATA_BLOB lm_resp; DATA_BLOB nt_resp; DATA_BLOB lm_interactive_pwd; 
@@ -44,6 +41,8 @@ typedef struct auth_usersupplied_info AUTH_STR smb_name; /* username before mapping */ AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */ + uint32 logon_parameters; + } auth_usersupplied_info; #define SAM_FILL_NAME 0x01 @@ -52,8 +51,7 @@ typedef struct auth_usersupplied_info #define SAM_FILL_UNIX 0x08 #define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX) -typedef struct auth_serversupplied_info -{ +typedef struct auth_serversupplied_info { BOOL guest; uid_t uid; @@ -144,14 +142,14 @@ struct auth_init_function_entry { struct auth_init_function_entry *prev, *next; }; -typedef struct auth_ntlmssp_state -{ +typedef struct auth_ntlmssp_state { TALLOC_CTX *mem_ctx; struct auth_context *auth_context; struct auth_serversupplied_info *server_info; struct ntlmssp_state *ntlmssp_state; } AUTH_NTLMSSP_STATE; -#define AUTH_INTERFACE_VERSION 1 +/* Changed from 1 -> 2 to add the logon_parameters field. */ +#define AUTH_INTERFACE_VERSION 2 #endif /* _SMBAUTH_H_ */ -- cgit From b3109006c5b273e5960d71b25787f23bf62ec17f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 23 Jan 2006 23:19:31 +0000 Subject: r13095: Fix warnings assigning int to a size_t. Jeremy. (This used to be commit 1ca4abffd04bcc46b61acdc12444f3e2aad0afed) --- source3/include/auth.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index f3dae1108b..03206c03c6 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -58,7 +58,7 @@ typedef struct auth_serversupplied_info { gid_t gid; /* This groups info is needed for when we become_user() for this uid */ - int n_groups; + size_t n_groups; gid_t *groups; /* NT group information taken from the info3 structure */ -- cgit From 0af1500fc0bafe61019f1b2ab1d9e1d369221240 Mon Sep 17 00:00:00 2001 
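Review bot: `uint32 logon_parameters;` is added with no comment, yet according to the commit message it carries the client-supplied MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT / MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags that now permit machine-account logons; a reader of the header cannot see that the field widens what an authentication may grant, or that it originates from the request rather than from local policy. Suggest `uint32 logon_parameters; /* MSV1_0_* flags from the client's logon request; the ALLOW_*_TRUST_ACCOUNT bits permit machine-account logons */`. The commit message says a parameter to turn this off is still to be added; a TODO beside the field would keep that policy gap from being forgotten.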
From: Gerald Carter Date: Fri, 3 Feb 2006 22:19:41 +0000 Subject: r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f) --- source3/include/auth.h | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 03206c03c6..79fbb93895 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -20,12 +20,6 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -/* AUTH_STR - string */ -typedef struct normal_string { - int len; - char *str; -} AUTH_STR; - typedef struct auth_usersupplied_info { DATA_BLOB lm_resp; DATA_BLOB nt_resp; @@ -35,25 +29,24 @@ typedef struct auth_usersupplied_info { BOOL encrypted; - AUTH_STR client_domain; /* domain name string */ - AUTH_STR domain; /* domain name after mapping */ - AUTH_STR internal_username; /* username after mapping */ - AUTH_STR smb_name; /* username before mapping */ - AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */ + char *client_domain; /* domain name string */ + char *domain; /* domain name after mapping */ + char *internal_username; /* username after mapping */ + char *smb_name; /* username before mapping */ + char *wksta_name; /* workstation name (netbios calling + * name) unicode string */ uint32 logon_parameters; } auth_usersupplied_info; -#define SAM_FILL_NAME 0x01 -#define SAM_FILL_INFO3 0x02 -#define SAM_FILL_SAM 0x04 -#define SAM_FILL_UNIX 0x08 -#define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX) - typedef struct auth_serversupplied_info { BOOL guest; + DOM_SID *sids; /* These SIDs are preliminary between + check_ntlm_password and the token creation. */ + size_t num_sids; + uid_t uid; gid_t gid; 
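Review bot: In the second hunk the new `char *wksta_name` keeps the comment `workstation name (netbios calling name) unicode string`, but a `char *` in this header is not a UTF-16 string, so the comment now misleads about the encoding; its `domain`/`client_domain` siblings make no encoding claim at all. Either drop `unicode` or state the real encoding, e.g. `/* workstation name (netbios calling name), unix charset */` if that is what callers store — I cannot verify the charset from this header. The first hunk removes AUTH_STR, so the `len` fields are gone and every consumer of these strings now depends on NUL termination, which is worth a line at the top of the struct.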
@@ -70,8 +63,6 @@ typedef struct auth_serversupplied_info { char *login_server; /* which server authorized the login? */ - uint32 sam_fill_level; /* How far is this structure filled? */ - SAM_ACCOUNT *sam_account; void *pam_handle; -- cgit From 2203bed32c84c63737f402accf73452efb76b483 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 20 Feb 2006 20:09:36 +0000 Subject: r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0) --- source3/include/auth.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 79fbb93895..465892905a 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -63,7 +63,7 @@ typedef struct auth_serversupplied_info { char *login_server; /* which server authorized the login? */ - SAM_ACCOUNT *sam_account; + struct samu *sam_account; void *pam_handle; -- cgit From dc9f30b8b0ace8d6e2c8c0cbed537fde68d1556a Mon Sep 17 00:00:00 2001 
From: Volker Lendecke Date: Sat, 6 May 2006 19:24:35 +0000 Subject: r15475: Ugly and disgusting patch to fix the username map problem I created by changing the token generation. I *hate* this code! Jerry, you have been looking at this as well, can you double-check that I did not screw it up? Thanks, Volker (This used to be commit 2765c4ff8d44c970db3e075b0a2412662f1936c6) --- source3/include/auth.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 465892905a..de75ff68f6 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -29,6 +29,7 @@ typedef struct auth_usersupplied_info { BOOL encrypted; + BOOL was_mapped; /* Did the username map actually match? */ char *client_domain; /* domain name string */ char *domain; /* domain name after mapping */ char *internal_username; /* username after mapping */ @@ -67,6 +68,7 @@ typedef struct auth_serversupplied_info { void *pam_handle; + BOOL was_mapped; /* Did the username map match? */ char *unix_name; } auth_serversupplied_info; -- cgit From c0e37a74963ae942ed48431bd2ea353ebad256ff Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 18 Mar 2007 11:24:10 +0000 Subject: r21870: Move sending auth_server keepalives out of the main loop into an idle event. Volker (This used to be commit 6226b30f38cd82531422815ba66a687aab50028d) --- source3/include/auth.h | 6 ------ 1 file changed, 6 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index de75ff68f6..4e7eb469ba 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h 
@@ -115,12 +115,6 @@ typedef struct auth_methods /* Used to keep tabs on things like the cli for SMB server authentication */ void *private_data; - - /* Function to clean up the above arbitary structure */ - void (*free_private_data)(void **private_data); - - /* Function to send a keepalive message on the above structure */ - void (*send_keepalive)(void **private_data); } auth_methods; -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/include/auth.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 4e7eb469ba..1a202a3828 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -7,7 +7,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, -- cgit From 5e54558c6dea67b56bbfaba5698f3a434d3dffb6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 00:52:41 +0000 Subject: r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text (This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07) --- source3/include/auth.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 1a202a3828..a58d150c51 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h 
@@ -16,8 +16,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ typedef struct auth_usersupplied_info { -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/include/auth.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index a58d150c51..a7531b35cd 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -26,9 +26,9 @@ typedef struct auth_usersupplied_info { DATA_BLOB nt_interactive_pwd; DATA_BLOB plaintext_password; - BOOL encrypted; + bool encrypted; - BOOL was_mapped; /* Did the username map actually match? */ + bool was_mapped; /* Did the username map actually match? */ char *client_domain; /* domain name string */ char *domain; /* domain name after mapping */ char *internal_username; /* username after mapping */ @@ -41,7 +41,7 @@ typedef struct auth_usersupplied_info { } auth_usersupplied_info; typedef struct auth_serversupplied_info { - BOOL guest; + bool guest; DOM_SID *sids; /* These SIDs are preliminary between check_ntlm_password and the token creation. */ @@ -67,7 +67,7 @@ typedef struct auth_serversupplied_info { void *pam_handle; - BOOL was_mapped; /* Did the username map match? */ + bool was_mapped; /* Did the username map match? */ char *unix_name; } auth_serversupplied_info; 
@@ -78,7 +78,7 @@ struct auth_context { /* Who set this up in the first place? */ const char *challenge_set_by; - BOOL challenge_may_be_modified; + bool challenge_may_be_modified; struct auth_methods *challenge_set_method; /* What order are the various methods in? Try to stop it changing under us */ -- cgit From bec1dfab27be3db888eeb451b4547f16e08e93c3 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 30 Apr 2008 17:42:39 +0200 Subject: Remove "userdom_struct user" from "struct user_struct" (This used to be commit 420de035237bb08bc470c9eb820f3da2edaa6805) --- source3/include/auth.h | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index a7531b35cd..df2bed8756 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -69,7 +69,15 @@ typedef struct auth_serversupplied_info { bool was_mapped; /* Did the username map match? */ char *unix_name; - + + /* + * For performance reasons we keep an alpha_strcpy-sanitized version + * of the username around as long as the global variable current_user + * still exists. If we did not do keep this, we'd have to call + * alpha_strcpy whenever we do a become_user(), potentially on every + * smb request. See set_current_user_info. + */ + char *sanitized_username; } auth_serversupplied_info; struct auth_context { -- cgit From 64ddd381b74ca94e8ff8ae62d8f019a9b5290a80 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 6 May 2008 17:37:00 +0200 Subject: Rename server_info->was_mapped to server_info->nss_token "nss_token" from my point of view much better reflects what this flag actually represents (This used to be commit b121a5acb2ef0bb3067d953b028696175432f10d) --- source3/include/auth.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index df2bed8756..56b8144a24 100644 
--- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -67,7 +67,11 @@ typedef struct auth_serversupplied_info { void *pam_handle; - bool was_mapped; /* Did the username map match? */ + /* + * This is a token from /etc/passwd and /etc/group + */ + bool nss_token; + char *unix_name; /* -- cgit From 40f5eab5eb515937e1b23cf6762b77c194d29b9d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 19 Jun 2008 16:54:12 +0200 Subject: Wrap the unix token info in a unix_user_token in auth_serversupplied_info No functional change, this is a preparation for more current_user ref removal (This used to be commit dcaedf345e62ab74ea87f0a3fa1e3199c75c5445) --- source3/include/auth.h | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'source3/include/auth.h') diff --git a/source3/include/auth.h b/source3/include/auth.h index 56b8144a24..adcd6e943f 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -47,13 +47,8 @@ typedef struct auth_serversupplied_info { check_ntlm_password and the token creation. */ size_t num_sids; - uid_t uid; - gid_t gid; - - /* This groups info is needed for when we become_user() for this uid */ - size_t n_groups; - gid_t *groups; - + struct unix_user_token utok; + /* NT group information taken from the info3 structure */ NT_USER_TOKEN *ptok; -- cgit
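Review bot: The new comment on `nss_token`, `This is a token from /etc/passwd and /etc/group`, does not describe a bool: it says what the field is named after, not when it is true. The commit message says the flag reflects whether the token came from NSS, so say that, e.g. `/* true if the unix token was built from NSS (/etc/passwd, /etc/group) rather than from the NT info3/SID list */`. The second half of that wording is my inference from the surrounding `sids` fields and should be confirmed against the code that sets the flag.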
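Review bot: Replacing `uid`, `gid`, `n_groups` and `groups` with `struct unix_user_token utok` also drops the one comment that said why the data is here (`This groups info is needed for when we become_user() for this uid`). Keep that purpose on the new member: `struct unix_user_token utok; /* unix identity used by become_user() for this session */`. The definition of `struct unix_user_token` is elsewhere, so I cannot see whether it owns its groups array or how it is released with the struct.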