From 1c798aba40fb0e389c7a54ad3d8f7d45876f2809 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 3 Feb 2004 11:10:56 +0000 Subject: - port AUTH and PASSDB subsystems to new SMB_SUBSYSTEM() scheme - some const fixes in ntvfs metze (This used to be commit af89a78123068767b1d134969c5651a0fd978b0d) --- source4/auth/auth.h | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 175 insertions(+) create mode 100644 source4/auth/auth.h (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h new file mode 100644 index 0000000000..dc12d8196f --- /dev/null +++ b/source4/auth/auth.h 
@@ -0,0 +1,175 @@
+/*
+ Unix SMB/CIFS implementation.
+ Standardised Authentication types
+ Copyright (C) Andrew Bartlett 2001
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#ifndef _SAMBA_AUTH_H
+#define _SAMBA_AUTH_H
+
+/* modules can use the following to determine if the interface has changed
+ * please increment the version number after each interface change
+ * with a comment and maybe update struct auth_critical_sizes.
+ */
+/* version 1 - version from samba 3.0 - metze */
+/* version 2 - initial samba4 version - metze */
+#define AUTH_INTERFACE_VERSION 2
+
+/* AUTH_STR - string */
+typedef struct auth_str
+{
+ int len;
+ char *str;
+} AUTH_STR;
+
+/* AUTH_UNISTR - unicode string or buffer */
+typedef struct auth_unistr
+{
+ int len;
+ uchar *unistr;
+} AUTH_UNISTR;
+
+#define AUTH_FLAG_NONE 0x000000
+#define AUTH_FLAG_PLAINTEXT 0x000001
+#define AUTH_FLAG_LM_RESP 0x000002
+#define AUTH_FLAG_NTLM_RESP 0x000004
+#define AUTH_FLAG_NTLMv2_RESP 0x000008
+
+typedef struct auth_usersupplied_info
+{
+ DATA_BLOB lm_resp;
+ DATA_BLOB nt_resp;
+ DATA_BLOB plaintext_password;
+
+ BOOL encrypted;
+
+ uint32 auth_flags;
+
+ AUTH_STR client_domain; /* domain name string */
+ AUTH_STR domain; /* domain name after mapping */
+ AUTH_STR internal_username; /* username after mapping */
+ AUTH_STR smb_name; /* username before mapping */
+ AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */
+} auth_usersupplied_info;
+
+#define SAM_FILL_NAME 0x01
+#define SAM_FILL_INFO3 0x02
+#define SAM_FILL_SAM 0x04
+#define SAM_FILL_UNIX 0x08
+#define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX)
+
+typedef struct auth_serversupplied_info
+{
+ BOOL guest;
+
+ /* This groups info is needed for when we become_user() for this uid */
+ int n_groups;
+ gid_t *groups;
+
+ /* NT group information taken from the info3 structure */
+
+ NT_USER_TOKEN *ptok;
+
+ uint8 session_key[16];
+ uint8 first_8_lm_hash[8];
+ DATA_BLOB nt_session_key;
+ DATA_BLOB lm_session_key;
+
+ uint32 sam_fill_level; /* How far is this structure filled? */
+
+ SAM_ACCOUNT *sam_account;
+
+ void *pam_handle;
+} auth_serversupplied_info;
+
+struct auth_context {
+ DATA_BLOB challenge;
+
+ /* Who set this up in the first place? */
+ const char *challenge_set_by;
+
+ BOOL challenge_may_be_modified;
+
+ struct auth_methods *challenge_set_method;
+ /* What order are the various methods in? Try to stop it changing under us */
+ struct auth_methods *auth_method_list;
+
+ TALLOC_CTX *mem_ctx;
+ const uint8 *(*get_ntlm_challenge)(struct auth_context *auth_context);
+ NTSTATUS (*check_ntlm_password)(const struct auth_context *auth_context,
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **server_info);
+ NTSTATUS (*nt_status_squash)(NTSTATUS nt_status);
+ void (*free)(struct auth_context **auth_context);
+};
+
+typedef struct auth_methods
+{
+ struct auth_methods *prev, *next;
+ const char *name; /* What name got this module */
+
+ NTSTATUS (*auth)(const struct auth_context *auth_context,
+ void *my_private_data,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **server_info);
+
+ DATA_BLOB (*get_chal)(const struct auth_context *auth_context,
+ void **my_private_data,
+ TALLOC_CTX *mem_ctx);
+
+ /* Used to keep tabs on things like the cli for SMB server authentication */
+ void *private_data;
+
+ /* Function to clean up the above arbitary structure */
+ void (*free_private_data)(void **private_data);
+
+ /* Function to send a keepalive message on the above structure */
+ void (*send_keepalive)(void **private_data);
+} auth_methods;
+
+typedef struct auth_ntlmssp_state
+{
+ TALLOC_CTX *mem_ctx;
+ struct auth_context *auth_context;
+ struct auth_serversupplied_info *server_info;
+ struct ntlmssp_state *ntlmssp_state;
+} AUTH_NTLMSSP_STATE;
+
+#define auth_ops __XXX_ERROR_BLA
+struct auth_operations {
+ /* the name of the backend */
+ const char *name;
+
+ /* Function to create a member of the authmethods list */
+ NTSTATUS (*init)(struct auth_context *, const char *, struct auth_methods **);
+};
+
+/* this structure is used by backends to determine the size of some critical types */
+struct auth_critical_sizes {
+ int interface_version;
+ int sizeof_auth_operations;
+ int sizeof_auth_methods;
+ int sizeof_auth_context;
+ int sizeof_auth_ntlmssp_state;
+ int 
sizeof_auth_usersupplied_info; + int sizeof_auth_serversupplied_info; + int sizeof_auth_str; + int sizeof_auth_unistr; +}; + +#endif /* _SAMBA_AUTH_H */ -- cgit From 9f084101dd392ceb85f141f55ee56bed344626ef Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 2 May 2004 08:45:00 +0000 Subject: r443: Update Samba4 to the auth and NTLMSSP code from Samba3. Not all the auth code is merged - only those parts that are actually being used in Samba4. There is a lot more work to do in the NTLMSSP area, and I hope to develop that work here. There is a start on this here - splitting NTLMSSP into two parts that my operate in an async fashion (before and after the actual authentication) Andrew Bartlett (This used to be commit 5876c78806e6a6c44613a1354e8d564b427d0c9f) --- source4/auth/auth.h | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index dc12d8196f..22738ffc2c 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -27,7 +27,8 @@ */ /* version 1 - version from samba 3.0 - metze */ /* version 2 - initial samba4 version - metze */ -#define AUTH_INTERFACE_VERSION 2 +/* version 3 - subsequent samba4 version - abartlet */ +#define AUTH_INTERFACE_VERSION 3 /* AUTH_STR - string */ typedef struct auth_str 
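Review bot: `auth_usersupplied_info` and `auth_serversupplied_info` carry `plaintext_password`, the LM/NT responses, `session_key[16]` and `first_8_lm_hash[8]`, but nothing in the new header says who allocates these fields, who frees them, or whether they are cleared before release. I would add a comment above each struct along the lines of `/* holds credential material; the owner wipes the blobs and key arrays before freeing */`, worded to match what the implementation actually does. Separately, `AUTH_STR.len` and `AUTH_UNISTR.len` are plain `int`, so a negative length is representable; `size_t len;` would rule that out, provided no caller relies on a signed value.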
@@ -36,34 +37,23 @@ typedef struct auth_str char *str; } AUTH_STR; -/* AUTH_UNISTR - unicode string or buffer */ -typedef struct auth_unistr -{ - int len; - uchar *unistr; -} AUTH_UNISTR; - -#define AUTH_FLAG_NONE 0x000000 -#define AUTH_FLAG_PLAINTEXT 0x000001 -#define AUTH_FLAG_LM_RESP 0x000002 -#define AUTH_FLAG_NTLM_RESP 0x000004 -#define AUTH_FLAG_NTLMv2_RESP 0x000008 - typedef struct auth_usersupplied_info { + DATA_BLOB lm_resp; DATA_BLOB nt_resp; + DATA_BLOB lm_interactive_pwd; + DATA_BLOB nt_interactive_pwd; DATA_BLOB plaintext_password; BOOL encrypted; - uint32 auth_flags; - AUTH_STR client_domain; /* domain name string */ AUTH_STR domain; /* domain name after mapping */ AUTH_STR internal_username; /* username after mapping */ AUTH_STR smb_name; /* username before mapping */ AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */ + } auth_usersupplied_info; #define SAM_FILL_NAME 0x01 @@ -84,11 +74,9 @@ typedef struct auth_serversupplied_info NT_USER_TOKEN *ptok; - uint8 session_key[16]; - uint8 first_8_lm_hash[8]; - DATA_BLOB nt_session_key; + DATA_BLOB user_session_key; DATA_BLOB lm_session_key; - + uint32 sam_fill_level; /* How far is this structure filled? */ SAM_ACCOUNT *sam_account; @@ -126,7 +114,7 @@ typedef struct auth_methods void *my_private_data, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info); + auth_serversupplied_info **server_info); DATA_BLOB (*get_chal)(const struct auth_context *auth_context, void **my_private_data, 
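Review bot: In the `@@ -84,11 +74,9 @@` hunk, `DATA_BLOB user_session_key` replaces the fixed `uint8 session_key[16]`, so the key length is no longer guaranteed by the type and the field has no comment stating what length to expect. Code that used to copy 16 bytes out of the array now has to check `user_session_key.length` before reading the data. Suggest documenting the invariant on the field, for example `/* length 0 when no key was negotiated; check length before use */`, after confirming against the backends what lengths can occur. The struct body starts and ends outside this hunk.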
@@ -140,8 +128,20 @@ typedef struct auth_methods /* Function to send a keepalive message on the above structure */ void (*send_keepalive)(void **private_data); + } auth_methods; +typedef NTSTATUS (*auth_init_function)(struct auth_context *, const char *, struct auth_methods **); + +struct auth_init_function_entry { + const char *name; + /* Function to create a member of the authmethods list */ + + auth_init_function init; + + struct auth_init_function_entry *prev, *next; +}; + typedef struct auth_ntlmssp_state { TALLOC_CTX *mem_ctx; @@ -172,4 +172,4 @@ struct auth_critical_sizes { int sizeof_auth_unistr; }; -#endif /* _SAMBA_AUTH_H */ +#endif /* _SMBAUTH_H_ */ -- cgit From c041077856badf5fa3f52e47267a24e6f5a11e3d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 9 May 2004 13:42:02 +0000 Subject: r614: Clean out the POSIX assumptions from the Samba4 auth subsystem. This removes the code that tried to lookup posix groups, as well as the code that was tied to the SAM_ACCOUNT. This should make auth_ldb much easier to write :-) Andrew Bartlett (This used to be commit e096ee2112adecaa69b6b3eb155a4e8f80dfc0f7) --- source4/auth/auth.h | 9 --------- 1 file changed, 9 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 22738ffc2c..bf6e1b77e1 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -66,10 +66,6 @@ typedef struct auth_serversupplied_info { BOOL guest; - /* This groups info is needed for when we become_user() for this uid */ - int n_groups; - gid_t *groups; - /* NT group information taken from the info3 structure */ NT_USER_TOKEN *ptok; @@ -77,11 +73,6 @@ typedef struct auth_serversupplied_info DATA_BLOB user_session_key; DATA_BLOB lm_session_key; - uint32 sam_fill_level; /* How far is this structure filled? */ - - SAM_ACCOUNT *sam_account; - - void *pam_handle; } auth_serversupplied_info; struct auth_context { -- cgit From d12e825042d1f108051eb6e205340dee444d5591 Mon Sep 17 00:00:00 2001 
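Review bot: In the `@@ -172,4 +172,4 @@` hunk the closing comment becomes `_SMBAUTH_H_`, but the guard opened at the top of this file is still `_SAMBA_AUTH_H`, so the comment now names a macro that is not the guard; keep `#endif /* _SAMBA_AUTH_H */`. The context lines of the same hunk also show `int sizeof_auth_unistr;` still present in `struct auth_critical_sizes`, although this commit deletes `AUTH_UNISTR` in the `@@ -36,34 +37,23 @@` hunk. That leaves a size field with no type behind it, which a backend filling the struct cannot populate meaningfully; it should be removed together with the type.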
From: Andrew Bartlett Date: Thu, 13 May 2004 15:34:56 +0000 Subject: r685: The SAM is dead! Long live the new SAM! ;-) This commit kills passdb, which was only hosting the auth subsystem. With the work tridge has done on Samba4's SAM backend, this can (and now is) all hosted on ldb. The auth_sam.c file now references this backend. You will need to assign your users passwords in ldb - adding a new line: unicodePwd: myPass to a record, using ldbedit, should be sufficient. Naturally, this assumes you have had your personal SAMR provisioning tutorial from tridge. Everybody else can still use the anonymous logins. Andrew Bartlett (This used to be commit 2aa0b55fb86648731d5f2201fa5a6aa993b7ca48) --- source4/auth/auth.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index bf6e1b77e1..db50e24959 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -64,6 +64,8 @@ typedef struct auth_usersupplied_info typedef struct auth_serversupplied_info { + TALLOC_CTX *mem_ctx; + BOOL guest; /* NT group information taken from the info3 structure */ -- cgit From fcd718c7d8a6850ae8719f23ed044b06b57501cd Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 25 May 2004 17:50:17 +0000 Subject: r890: convert samba4 to use [u]int8_t instead of [u]int8 metze (This used to be commit 2986c5f08c8f0c26a2ea7b6ce20aae025183109f) --- source4/auth/auth.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index db50e24959..59e1629a0d 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h 
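Review bot: Adding `mem_ctx` as the first member changes the layout of `struct auth_serversupplied_info`, yet `AUTH_INTERFACE_VERSION` is not touched by this commit, although the header asks for a bump after each interface change. A module built against the previous header that relies on the version number to detect changes would not notice, and would then read `guest` and the session-key blobs at the wrong offsets. Suggest bumping the define and adding a `/* version N - ... */` line as the earlier commits did. The same applies to the later commits on this page that add or remove members of `auth_serversupplied_info`, `auth_session_info` and `auth_context`, or change the `check_ntlm_password` signature, without changing the version.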
@@ -90,7 +90,7 @@ struct auth_context { struct auth_methods *auth_method_list; TALLOC_CTX *mem_ctx; - const uint8 *(*get_ntlm_challenge)(struct auth_context *auth_context); + const uint8_t *(*get_ntlm_challenge)(struct auth_context *auth_context); NTSTATUS (*check_ntlm_password)(const struct auth_context *auth_context, const struct auth_usersupplied_info *user_info, struct auth_serversupplied_info **server_info); -- cgit From 8f84a98e299e63b7fb7fdd797e8e7969b68a106f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 4 Jun 2004 07:46:24 +0000 Subject: r1001: in samba4 we don't(shouldn't) use typedef's anymore... metze (This used to be commit ac5f6f7e511a730448012c8a709887827aea2281) --- source4/auth/auth.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 59e1629a0d..c6a025dba8 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -135,13 +135,13 @@ struct auth_init_function_entry { struct auth_init_function_entry *prev, *next; }; -typedef struct auth_ntlmssp_state +struct auth_ntlmssp_state { TALLOC_CTX *mem_ctx; struct auth_context *auth_context; struct auth_serversupplied_info *server_info; struct ntlmssp_state *ntlmssp_state; -} AUTH_NTLMSSP_STATE; +}; #define auth_ops __XXX_ERROR_BLA struct auth_operations { -- cgit From 0d466258be1fc7156de469daec07b79701557168 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Sat, 5 Jun 2004 01:39:08 +0000 Subject: r1019: Push the auth subsystem away from using typedef, and over to the 'all goodness and light' struct ;-) Break apart the auth subsystem's return strucutres, into the parts that a netlogon call cares about, and the parts that are for a local session. This is the 'struct session_info' and it will almost completly replace the current information stored on a vuid, but be generic to all login methods (RPC over TCP, for example). Andrew Bartlett (This used to be commit d199697014d9562f9439a30b950fda798c5ef419) --- source4/auth/auth.h | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index c6a025dba8..c8347cad20 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -37,7 +37,7 @@ typedef struct auth_str char *str; } AUTH_STR; -typedef struct auth_usersupplied_info +struct auth_usersupplied_info { DATA_BLOB lm_resp; @@ -54,7 +54,7 @@ typedef struct auth_usersupplied_info AUTH_STR smb_name; /* username before mapping */ AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */ -} auth_usersupplied_info; +}; #define SAM_FILL_NAME 0x01 #define SAM_FILL_INFO3 0x02 
@@ -62,20 +62,34 @@ typedef struct auth_usersupplied_info #define SAM_FILL_UNIX 0x08 #define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX) -typedef struct auth_serversupplied_info +struct auth_serversupplied_info { TALLOC_CTX *mem_ctx; BOOL guest; - /* NT group information taken from the info3 structure */ - - NT_USER_TOKEN *ptok; + struct dom_sid *user_sid; + struct dom_sid *primary_group_sid; + + size_t n_domain_groups; + struct dom_sid **domain_groups; DATA_BLOB user_session_key; DATA_BLOB lm_session_key; -} auth_serversupplied_info; +}; + +struct auth_session_info +{ + TALLOC_CTX *mem_ctx; + /* NT group information taken from the info3 structure */ + + NT_USER_TOKEN *nt_user_token; + + struct auth_serversupplied_info *server_info; + + DATA_BLOB session_key; +}; struct auth_context { DATA_BLOB challenge; @@ -98,7 +112,7 @@ struct auth_context { void (*free)(struct auth_context **auth_context); }; -typedef struct auth_methods +struct auth_methods { struct auth_methods *prev, *next; const char *name; /* What name got this module */ @@ -107,7 +121,7 @@ typedef struct auth_methods void *my_private_data, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info); + struct auth_serversupplied_info **server_info); DATA_BLOB (*get_chal)(const struct auth_context *auth_context, void **my_private_data, @@ -122,7 +136,7 @@ typedef struct auth_methods /* Function to send a keepalive message on the above structure */ void (*send_keepalive)(void **private_data); -} auth_methods; +}; typedef NTSTATUS (*auth_init_function)(struct auth_context *, const char *, struct auth_methods **); -- cgit From 306fcbd06340af692cc9b2c76334de672e4006a5 Mon Sep 17 00:00:00 2001 
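Review bot: The new `struct auth_session_info` has its own `mem_ctx` and a `server_info` pointer, while `struct auth_serversupplied_info` keeps a separate `mem_ctx`, and nothing in this hunk says which context owns the pointed-to structure. If the two contexts can be freed independently, a live session may be left holding a dangling `server_info`, including the `user_session_key` and `lm_session_key` blobs inside it. Suggest stating the ownership on the field, e.g. `/* owned by this session_info and freed with its mem_ctx */`, or the opposite if the caller keeps it, whichever the implementation does. `n_domain_groups` and `domain_groups` would also benefit from a one-line comment that the count is the number of entries in the array.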
From: Andrew Bartlett Date: Sat, 5 Jun 2004 03:09:38 +0000 Subject: r1023: Prepare the auth subsystem interfaces for netlogon SamLogon to use. Andrew Bartlett (This used to be commit b5fa2baaa9e110aa93107b13744e1fc5a64adbb5) --- source4/auth/auth.h | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index c8347cad20..8ef8ffcc18 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -42,8 +42,8 @@ struct auth_usersupplied_info DATA_BLOB lm_resp; DATA_BLOB nt_resp; - DATA_BLOB lm_interactive_pwd; - DATA_BLOB nt_interactive_pwd; + DATA_BLOB lm_interactive_password; + DATA_BLOB nt_interactive_password; DATA_BLOB plaintext_password; BOOL encrypted; @@ -56,12 +56,6 @@ struct auth_usersupplied_info }; -#define SAM_FILL_NAME 0x01 -#define SAM_FILL_INFO3 0x02 -#define SAM_FILL_SAM 0x04 -#define SAM_FILL_UNIX 0x08 -#define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX) - struct auth_serversupplied_info { TALLOC_CTX *mem_ctx; @@ -76,7 +70,25 @@ struct auth_serversupplied_info DATA_BLOB user_session_key; DATA_BLOB lm_session_key; + + char *account_name; + char *full_name; + char *logon_script; + char *profile_path; + char *home_dir; + char *home_drive; + + NTTIME logon_time; + NTTIME logoff_time; + NTTIME kickoff_time; + NTTIME password_last_set; + NTTIME password_can_change; + NTTIME password_must_change; + + uint16 logon_count; + uint16 bad_password_count; + uint32 acct_flags; }; struct auth_session_info -- cgit From bcac502d4470094108348bd3945e569f81a26b19 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Mon, 7 Jun 2004 03:46:32 +0000 Subject: r1058: The start of work on the SamLogon call for NETLOGON. This starts to store information about the user in the server_info struct - like the account name, the full name etc. Also, continue to make the names of the structure elements in the logon reply more consistant with those in the SAMR pipe. Andrew Bartlett (This used to be commit 3ccd96bd945e0fd95e42c69ad8ff07055af2e62b) --- source4/auth/auth.h | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 8ef8ffcc18..dea068f078 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -71,20 +71,22 @@ struct auth_serversupplied_info DATA_BLOB user_session_key; DATA_BLOB lm_session_key; - char *account_name; - char *full_name; - char *logon_script; - char *profile_path; - char *home_dir; - char *home_drive; + const char *account_name; + const char *domain; + + const char *full_name; + const char *logon_script; + const char *profile_path; + const char *home_directory; + const char *home_drive; + + NTTIME last_logon; + NTTIME last_logoff; + NTTIME acct_expiry; + NTTIME last_password_change; + NTTIME allow_password_change; + NTTIME force_password_change; - NTTIME logon_time; - NTTIME logoff_time; - NTTIME kickoff_time; - NTTIME password_last_set; - NTTIME password_can_change; - NTTIME password_must_change; - uint16 logon_count; uint16 bad_password_count; @@ -121,7 +123,6 @@ struct auth_context { const struct auth_usersupplied_info *user_info, struct auth_serversupplied_info **server_info); NTSTATUS (*nt_status_squash)(NTSTATUS nt_status); - void (*free)(struct auth_context **auth_context); }; struct auth_methods -- cgit From 6564fd402d500b1e24f76f63e4335b38ef1164db Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Mon, 7 Jun 2004 12:17:29 +0000 Subject: r1067: fix compiler warnings metze (This used to be commit e5d338821e590c49947a18a5d5c361122571988d) --- source4/auth/auth.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index dea068f078..386c2f8cd0 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -119,7 +119,7 @@ struct auth_context { TALLOC_CTX *mem_ctx; const uint8_t *(*get_ntlm_challenge)(struct auth_context *auth_context); - NTSTATUS (*check_ntlm_password)(const struct auth_context *auth_context, + NTSTATUS (*check_ntlm_password)(struct auth_context *auth_context, const struct auth_usersupplied_info *user_info, struct auth_serversupplied_info **server_info); NTSTATUS (*nt_status_squash)(NTSTATUS nt_status); -- cgit From bccac81d8792f85ae37d4a6617a92e2fae75aa50 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 14 Jun 2004 08:12:50 +0000 Subject: r1136: - added IDL for netr_LogonGetDomainInfo() - added workstation to auth_session_info in rpc servers - added session key fetch hook in crypto backends in dcesrv - store and fetch seed as well as a session key in schannel ldb - when a client uses schannel to setup a netlogon pipe connection we also need to setup the credentials from the schannel negotiation so credentials chaining works - added server side netr_LogonGetDomainInfo() call (This used to be commit a35459387de3b6a422c5af6f658338fc7e4314b0) --- source4/auth/auth.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 386c2f8cd0..c20b8dbf6f 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -103,6 +103,9 @@ struct auth_session_info struct auth_serversupplied_info *server_info; DATA_BLOB session_key; + + /* needed to key the schannel credentials */ + const char *workstation; }; struct auth_context { -- cgit 
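Review bot: Dropping `const` from the `auth_context` parameter of `check_ntlm_password` silences the warning but also widens the contract, since a password check may now modify the context, including `challenge`. As far as this page shows, the per-module callback `auth_methods.auth` still takes `const struct auth_context *`, so the two levels now disagree. If the check really has to write to the context, say so with a comment such as `/* may modify the context (e.g. fix the challenge), hence non-const */`; otherwise fix the caller that produced the warning and keep the `const`. The struct body starts and ends outside this hunk.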
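Review bot: The new `workstation` member is described only as the key for the schannel credentials, without saying where the value comes from or who owns the string. A workstation name reported by a client is not authenticated by itself, so it is worth confirming in the code that sets this field that the value comes from the completed schannel negotiation rather than from a later request, otherwise the lookup could select credentials stored for a different machine. Suggest extending the comment to `/* needed to key the schannel credentials; set from <source>, owned by <context> */` with the real source and owner filled in.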
From dc9f55dbec5f892b39d924d5fd033b5eec1e14e4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 29 Jun 2004 09:40:10 +0000 Subject: r1294: A nice, large, commit... This implements gensec for Samba's server side, and brings gensec up to the standards of a full subsystem. This means that use of the subsystem is by gensec_* functions, not function pointers in structures (this is internal). This causes changes in all the existing gensec users. Our RPC server no longer contains it's own generalised security scheme, and now calls gensec directly. Gensec has also taken over the role of auth/auth_ntlmssp.c An important part of gensec, is the output of the 'session_info' struct. This is now reference counted, so that we can correctly free it when a pipe is closed, no matter if it was inherited, or created by per-pipe authentication. The schannel code is reworked, to be in the same file for client and server. ntlm_auth is reworked to use gensec. The major problem with this code is the way it relies on subsystem auto-initialisation. The primary reason for this commit now.is to allow these problems to be looked at, and fixed. There are problems with the new code: - I've tested it with smbtorture, but currently don't have VMware and valgrind working (this I'll fix soon). - The SPNEGO code is client-only at this point. - We still do not do kerberos. Andrew Bartlett (This used to be commit 07fd885fd488fd1051eacc905a2d4962f8a018ec) --- source4/auth/auth.h | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index c20b8dbf6f..0c8f71d859 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -96,6 +96,8 @@ struct auth_serversupplied_info struct auth_session_info { TALLOC_CTX *mem_ctx; + + int refcount; /* NT group information taken from the info3 structure */ NT_USER_TOKEN *nt_user_token; 
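Review bot: `refcount` is a plain `int` with no comment on who increments and decrements it, and the struct still carries `mem_ctx`, so two release mechanisms now apply to the same object. A missed increment frees a session that another pipe still uses, taking `session_key` with it, and a missed decrement keeps the key material alive for the life of the process. Suggest documenting the rule on the field, e.g. `/* number of holders; changed only by the functions that take and drop a reference */`, naming those functions. It should also say whether the updates need to be atomic, if any process model shares this struct between threads. The struct body continues outside this hunk.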
@@ -117,7 +119,8 @@ struct auth_context { BOOL challenge_may_be_modified; struct auth_methods *challenge_set_method; - /* What order are the various methods in? Try to stop it changing under us */ + + /* methods, in the order they should be called */ struct auth_methods *auth_method_list; TALLOC_CTX *mem_ctx; @@ -165,15 +168,6 @@ struct auth_init_function_entry { struct auth_init_function_entry *prev, *next; }; -struct auth_ntlmssp_state -{ - TALLOC_CTX *mem_ctx; - struct auth_context *auth_context; - struct auth_serversupplied_info *server_info; - struct ntlmssp_state *ntlmssp_state; -}; - -#define auth_ops __XXX_ERROR_BLA struct auth_operations { /* the name of the backend */ const char *name; @@ -188,11 +182,9 @@ struct auth_critical_sizes { int sizeof_auth_operations; int sizeof_auth_methods; int sizeof_auth_context; - int sizeof_auth_ntlmssp_state; int sizeof_auth_usersupplied_info; int sizeof_auth_serversupplied_info; int sizeof_auth_str; - int sizeof_auth_unistr; }; #endif /* _SMBAUTH_H_ */ -- cgit From 92ca39eff66181c2fa71b12f6a73824a8b44d71b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 5 Jul 2004 07:15:12 +0000 Subject: r1334: remove unused stuff metze (This used to be commit 7a8786269b4f9e4962b51dd734171adf04021c15) --- source4/auth/auth.h | 11 ----------- 1 file changed, 11 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 0c8f71d859..74df97a2ed 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -157,17 +157,6 @@ struct auth_methods }; -typedef NTSTATUS (*auth_init_function)(struct auth_context *, const char *, struct auth_methods **); - -struct auth_init_function_entry { - const char *name; - /* Function to create a member of the authmethods list */ - - auth_init_function init; - - struct auth_init_function_entry *prev, *next; -}; - struct auth_operations { /* the name of the backend */ const char *name; -- cgit 
From 6bea5bea4ccd4eb45b9cd4dd1e16538b14e2180e Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 26 Sep 2004 01:43:05 +0000 Subject: r2643: convert more of the auth subsyystem to the new talloc methods. This also fixes a memory leak found with --leak-check. (This used to be commit f19201ea274f0a542314c61c4af676197bf154ad) --- source4/auth/auth.h | 4 ---- 1 file changed, 4 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 74df97a2ed..6f2c7134e7 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -58,8 +58,6 @@ struct auth_usersupplied_info struct auth_serversupplied_info { - TALLOC_CTX *mem_ctx; - BOOL guest; struct dom_sid *user_sid; @@ -95,8 +93,6 @@ struct auth_serversupplied_info struct auth_session_info { - TALLOC_CTX *mem_ctx; - int refcount; /* NT group information taken from the info3 structure */ -- cgit From 9a62dce0ac2dd751c9cc3b9906eec8c4fe7c51b7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 26 Sep 2004 03:50:24 +0000 Subject: r2648: - use a destructor on struct server_connection to simplify the connection termination cleanup, and to ensure that the event contexts are properly removed for every process model - gave auth_context the new talloc treatment, which removes another source of memory leaks. (This used to be commit 230e1cd777b0fba82dffcbd656cfa23c155d0560) --- source4/auth/auth.h | 1 - 1 file changed, 1 deletion(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 6f2c7134e7..2f35b36a15 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -119,7 +119,6 @@ struct auth_context { /* methods, in the order they should be called */ struct auth_methods *auth_method_list; - TALLOC_CTX *mem_ctx; const uint8_t *(*get_ntlm_challenge)(struct auth_context *auth_context); NTSTATUS (*check_ntlm_password)(struct auth_context *auth_context, const struct auth_usersupplied_info *user_info, -- cgit 
From 85796280f4e9a4f8ac6a1c327c13c7dbef9ce424 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 29 Oct 2004 09:15:41 +0000 Subject: r3361: Allow Samba4 (I'm interested in ntlm_auth in particular) to use Samba3's winbind. This is also the start of domain membership code in Samba4, as we now (partially) parse the info3, and use it like Samba3 does. Andrew Bartlett (This used to be commit c1b7303c1c7d9fb815006c3bd2af20a0010d15a8) --- source4/auth/auth.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 2f35b36a15..98b0994283 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -122,6 +122,7 @@ struct auth_context { const uint8_t *(*get_ntlm_challenge)(struct auth_context *auth_context); NTSTATUS (*check_ntlm_password)(struct auth_context *auth_context, const struct auth_usersupplied_info *user_info, + TALLOC_CTX *out_mem_ctx, struct auth_serversupplied_info **server_info); NTSTATUS (*nt_status_squash)(NTSTATUS nt_status); }; -- cgit From edbfc0f6e70150e321822365bf0eead2821551bd Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 2 Nov 2004 02:57:18 +0000 Subject: r3453: - split out the auth and popt includes - tidied up some of the system includes - moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl knows about inter-IDL dependencies (This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64) --- source4/auth/auth.h | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 98b0994283..dc57d349b4 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h 
@@ -21,6 +21,11 @@ #ifndef _SAMBA_AUTH_H #define _SAMBA_AUTH_H +#include "libcli/auth/ntlmssp.h" +#include "libcli/auth/credentials.h" +#include "libcli/auth/gensec.h" +#include "libcli/auth/spnego.h" + /* modules can use the following to determine if the interface has changed * please increment the version number after each interface change * with a comment and maybe update struct auth_critical_sizes. -- cgit From e1f38d81383c4adcb28b8e6e4bc0b3c7600277d4 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 6 Nov 2004 03:44:16 +0000 Subject: r3571: rough guesses at what abartlet really wanted to do in his last commit (which I suspect was missing some pieces) this at least fixes the build so i can keep going on pvfs. Please review/fix Andrew. (This used to be commit bffd18d09df04c1e492ef12f744ff4b6c561d53c) --- source4/auth/auth.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index dc57d349b4..741cd55542 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -76,6 +76,7 @@ struct auth_serversupplied_info const char *account_name; const char *domain; + const char *realm; const char *full_name; const char *logon_script; -- cgit From 6ca874f71ad77c82d6e161a3e4772100de2ad6c5 Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Sat, 11 Dec 2004 05:41:19 +0000 Subject: r4147: converted from NT_USER_TOKEN to struct security_token this is mostly just a tidyup, but also adds the privilege_mask, which I will be using shortly in ACL checking. note that I had to move the definition of struct security_token out of security.idl as pidl doesn't yet handle arrays of pointers, and the usual workaround (to use a intermediate structure) would make things too cumbersome for this structure, especially given we never encode it to NDR. (This used to be commit 7b446af09b8050746bfc2c50e9d56aa94397cc1a) --- source4/auth/auth.h | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 741cd55542..3f1d11cb45 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -97,15 +97,10 @@ struct auth_serversupplied_info uint32 acct_flags; }; -struct auth_session_info -{ +struct auth_session_info { int refcount; - /* NT group information taken from the info3 structure */ - - NT_USER_TOKEN *nt_user_token; - + struct security_token *security_token; struct auth_serversupplied_info *server_info; - DATA_BLOB session_key; /* needed to key the schannel credentials */ -- cgit From 46a32687da249174a666d9166fccbe705c8beba0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sun, 9 Jan 2005 12:55:25 +0000 Subject: r4620: - add interface functions to the auth subsystem so that callers doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847) --- source4/auth/auth.h | 121 ++++++++++++++++++++-------------------------------- 1 file changed, 46 insertions(+), 75 deletions(-) (limited to 'source4/auth/auth.h') 
diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 3f1d11cb45..e78b21339f 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -1,7 +1,8 @@ /* Unix SMB/CIFS implementation. Standardised Authentication types - Copyright (C) Andrew Bartlett 2001 + Copyright (C) Andrew Bartlett 2001 + Copyright (C) Stefan Metzmacher 2005 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -33,50 +34,43 @@ /* version 1 - version from samba 3.0 - metze */ /* version 2 - initial samba4 version - metze */ /* version 3 - subsequent samba4 version - abartlet */ -#define AUTH_INTERFACE_VERSION 3 - -/* AUTH_STR - string */ -typedef struct auth_str -{ - int len; - char *str; -} AUTH_STR; +/* version 4 - subsequent samba4 version - metze */ +#define AUTH_INTERFACE_VERSION 4 struct auth_usersupplied_info { - + const char *account_name; + const char *domain_name; + const char *workstation_name; + + /* the values the client gives us */ + struct { + const char *account_name; + const char *domain_name; + } client; + + BOOL encrypted; + DATA_BLOB lm_resp; DATA_BLOB nt_resp; - DATA_BLOB lm_interactive_password; + DATA_BLOB lm_interactive_password; DATA_BLOB nt_interactive_password; DATA_BLOB plaintext_password; - - BOOL encrypted; - - AUTH_STR client_domain; /* domain name string */ - AUTH_STR domain; /* domain name after mapping */ - AUTH_STR internal_username; /* username after mapping */ - AUTH_STR smb_name; /* username before mapping */ - AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */ - }; struct auth_serversupplied_info { - BOOL guest; - - struct dom_sid *user_sid; + struct dom_sid *account_sid; struct dom_sid *primary_group_sid; size_t n_domain_groups; struct dom_sid **domain_groups; - + DATA_BLOB user_session_key; DATA_BLOB lm_session_key; const char *account_name; - const char *domain; - const char *realm; + const char *domain_name; const char *full_name; const char *logon_script; 
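Review bot: The new outer `account_name` and `domain_name` in `struct auth_usersupplied_info` have no comment, while the removed `AUTH_STR` fields each said whether the value was taken before or after mapping. Only the `client` sub-struct is labelled, so a reader has to guess that the outer pair is the mapped form. A backend that makes its decision on the wrong pair would be trusting a name exactly as the client sent it. I would add `/* account and domain name after mapping */` above the outer pair, assuming that is the intended split.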
@@ -90,76 +84,53 @@ struct auth_serversupplied_info NTTIME last_password_change; NTTIME allow_password_change; NTTIME force_password_change; - + uint16 logon_count; uint16 bad_password_count; - + uint32 acct_flags; + + BOOL authenticated; }; struct auth_session_info { - int refcount; struct security_token *security_token; struct auth_serversupplied_info *server_info; DATA_BLOB session_key; - - /* needed to key the schannel credentials */ - const char *workstation; }; -struct auth_context { - DATA_BLOB challenge; - - /* Who set this up in the first place? */ - const char *challenge_set_by; +struct auth_method_context; - BOOL challenge_may_be_modified; +struct auth_operations { + const char *name; - struct auth_methods *challenge_set_method; + NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge); - /* methods, in the order they should be called */ - struct auth_methods *auth_method_list; - - const uint8_t *(*get_ntlm_challenge)(struct auth_context *auth_context); - NTSTATUS (*check_ntlm_password)(struct auth_context *auth_context, - const struct auth_usersupplied_info *user_info, - TALLOC_CTX *out_mem_ctx, - struct auth_serversupplied_info **server_info); - NTSTATUS (*nt_status_squash)(NTSTATUS nt_status); + NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info, + struct auth_serversupplied_info **server_info); }; -struct auth_methods -{ - struct auth_methods *prev, *next; - const char *name; /* What name got this module */ - - NTSTATUS (*auth)(const struct auth_context *auth_context, - void *my_private_data, - TALLOC_CTX *mem_ctx, - const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info); - - DATA_BLOB (*get_chal)(const struct auth_context *auth_context, - void **my_private_data, - TALLOC_CTX *mem_ctx); - - /* Used to keep tabs on things like the cli for SMB server authentication */ +struct 
auth_method_context { + struct auth_method_context *prev, *next; + struct auth_context *auth_ctx; + const struct auth_operations *ops; + int depth; void *private_data; - - /* Function to clean up the above arbitary structure */ - void (*free_private_data)(void **private_data); +}; - /* Function to send a keepalive message on the above structure */ - void (*send_keepalive)(void **private_data); +struct auth_context { + struct { + /* Who set this up in the first place? */ + const char *set_by; -}; + BOOL may_be_modified; -struct auth_operations { - /* the name of the backend */ - const char *name; + DATA_BLOB data; + } challenge; - /* Function to create a member of the authmethods list */ - NTSTATUS (*init)(struct auth_context *, const char *, struct auth_methods **); + /* methods, in the order they should be called */ + struct auth_method_context *methods; }; /* this structure is used by backends to determine the size of some critical types */ -- cgit From d8d3a5ffe3fb73d64869c133fe398efeb4e79d77 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 31 Jan 2005 16:06:21 +0000 Subject: r5137: fix types metze (This used to be commit add1c579375d08040f722946da31ee3862f9e7ac) --- source4/auth/auth.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index e78b21339f..425410e088 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -85,10 +85,10 @@ struct auth_serversupplied_info NTTIME allow_password_change; NTTIME force_password_change; - uint16 logon_count; - uint16 bad_password_count; + uint16_t logon_count; + uint16_t bad_password_count; - uint32 acct_flags; + uint32_t acct_flags; BOOL authenticated; }; -- cgit From 7cabdeb7ec84c7c0b3e9b907e19f4e240b7fc4ca Mon Sep 17 00:00:00 2001 
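Review bot: `BOOL authenticated` is added to `struct auth_serversupplied_info` without a comment, and it replaces `BOOL guest` (removed in the previous hunk of this commit) with the opposite polarity. A zeroed structure now reads as not authenticated, which is the safer default, but every producer has to set the field explicitly and that contract is not written down. I would add something like `/* must be set by the backend that accepted the credentials; false presumably covers guest/anonymous */`, worded to match what the backends actually do. The struct begins outside this hunk.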
From: Andrew Bartlett Date: Tue, 29 Mar 2005 08:24:03 +0000 Subject: r6113: Move GENSEC and the kerberos code out of libcli/auth, and into auth/gensec and auth/kerberos. This also pulls the kerberos configure code out of libads (which is otherwise dead), and into auth/kerberos/kerberos.m4 Andrew Bartlett (This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f) --- source4/auth/auth.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 425410e088..a9f6b8eac5 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -22,10 +22,10 @@ #ifndef _SAMBA_AUTH_H #define _SAMBA_AUTH_H -#include "libcli/auth/ntlmssp.h" +#include "auth/gensec/ntlmssp.h" #include "libcli/auth/credentials.h" -#include "libcli/auth/gensec.h" -#include "libcli/auth/spnego.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/spnego.h" /* modules can use the following to determine if the interface has changed * please increment the version number after each interface change -- cgit From 3045ecfa1df7506a826e53728231ca00451ccef4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 25 Apr 2005 05:03:50 +0000 Subject: r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796) --- source4/auth/auth.h | 1 - 1 file changed, 1 deletion(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index a9f6b8eac5..f64017832d 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h 
@@ -22,7 +22,6 @@ #ifndef _SAMBA_AUTH_H #define _SAMBA_AUTH_H -#include "auth/gensec/ntlmssp.h" #include "libcli/auth/credentials.h" #include "auth/gensec/gensec.h" #include "auth/gensec/spnego.h" -- cgit From 4aaffcf8664e638f20c0071a05e7877cc3491c7b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 27 Apr 2005 00:48:39 +0000 Subject: r6498: Add comments in line with those I already added to 3.0. Please don't re-invent security=server :-) Andrew Bartlett (This used to be commit b3a38e9c8ce9758db31aec53db29290a240868be) --- source4/auth/auth.h | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index f64017832d..1ac0b82e17 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -103,8 +103,15 @@ struct auth_method_context; struct auth_operations { const char *name; + /* If you are using this interface, then you are probably + * getting something wrong. This interface is only for + * security=server, and makes a number of compromises to allow + * that. It is not compatible with being a PDC. */ + NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge); + /* Given the user supplied info, check a password */ + NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, struct auth_serversupplied_info **server_info); -- cgit From 0b4a3021e1db39dedb1eb16026ed2bff6aa2c4dd Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 3 Jun 2005 12:13:33 +0000 Subject: r7224: add some more usefull data to the auth_usersupplied_info struct (This used to be commit e40c44e9cdc0be7c52207f8479568804e7d9cff2) --- source4/auth/auth.h | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 1ac0b82e17..d1f8caa2a0 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h 
@@ -36,11 +36,16 @@ /* version 4 - subsequent samba4 version - metze */ #define AUTH_INTERFACE_VERSION 4 +#define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */ +#define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */ +#define USER_INFO_DONT_CHECK_UNIX_ACCOUNT 0x04 /* dont check unix account status */ + struct auth_usersupplied_info { const char *account_name; const char *domain_name; const char *workstation_name; + const char *remote_host; /* the values the client gives us */ struct { @@ -55,6 +60,8 @@ struct auth_usersupplied_info DATA_BLOB lm_interactive_password; DATA_BLOB nt_interactive_password; DATA_BLOB plaintext_password; + + uint32_t flags; }; struct auth_serversupplied_info -- cgit From af237084ecd4f9928c6c282b9c5c73598d5c73d6 Mon Sep 17 00:00:00 2001 
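Review bot: The three `USER_INFO_*` flags relax checks (password accepted in any case, unix account status not checked), but neither the defines nor the new `uint32_t flags` member in the second hunk say who may set them. The struct holds what the client supplied, so it is worth stating that these bits are chosen by the server-side caller and never taken from the request. I would add `/* USER_INFO_* bits, set by the caller of the auth subsystem, not by the client */` next to `flags`, if that matches the intended use. `struct auth_usersupplied_info` continues outside both hunks.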
From: Andrew Tridgell Date: Thu, 16 Jun 2005 11:36:09 +0000 Subject: r7633: this patch started as an attempt to make the dcerpc code use a given event_context for the socket_connect() call, so that when things that use dcerpc are running alongside anything else it doesn't block the whole process during a connect. Then of course I needed to change any code that created a dcerpc connection (such as the auth code) to also take an event context, and anything that called that and so on .... thus the size of the patch. There were 3 places where I punted: - abartlet wanted me to add a gensec_set_event_context() call instead of adding it to the gensec init calls. Andrew, my apologies for not doing this. I didn't do it as adding a new parameter allowed me to catch all the callers with the compiler. Now that its done, we could go back and use gensec_set_event_context() - the ejs code calls auth initialisation, which means it should pass in the event context from the web server. I punted on that. Needs fixing. - I used a NULL event context in dcom_get_pipe(). This is equivalent to what we did already, but should be fixed to use a callers event context. Jelmer, can you think of a clean way to do that? I also cleaned up a couple of things: - libnet_context_destroy() makes no sense. I removed it. - removed some unused vars in various places (This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9) --- source4/auth/auth.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index d1f8caa2a0..b4f08b2859 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -144,6 +144,9 @@ struct auth_context { /* methods, in the order they should be called */ struct auth_method_context *methods; + + /* the event context to use for calls that can block */ + struct event_context *event_ctx; }; /* this structure is used by backends to determine the size of some critical types */ -- cgit 
From b16362fab65d0700bd6a8cf6569a9e21c7e6b069 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 22 Jul 2005 04:10:07 +0000 Subject: r8700: Propmted by tridge's need to do plaintext auth in ejs, rework the user_info strcture in auth/ This moves it to a pattern much like that found in ntvfs, with functions to migrate between PAIN, HASH and RESPONSE passwords. Instead of make_user_info*() functions, we simply fill in the control block in the callers, per recent dicussions on the lists. This removed a lot of data copies as well as error paths, as we can grab much of it with talloc. Andrew Bartlett (This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88) --- source4/auth/auth.h | 42 +++++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 13 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index b4f08b2859..0b12328b3c 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -40,27 +40,38 @@ #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */ #define USER_INFO_DONT_CHECK_UNIX_ACCOUNT 0x04 /* dont check unix account status */ +enum auth_password_state { + AUTH_PASSWORD_RESPONSE, + AUTH_PASSWORD_HASH, + AUTH_PASSWORD_PLAIN +}; + struct auth_usersupplied_info { - const char *account_name; - const char *domain_name; const char *workstation_name; const char *remote_host; + BOOL mapped_state; /* the values the client gives us */ struct { const char *account_name; const char *domain_name; - } client; - - BOOL encrypted; - - DATA_BLOB lm_resp; - DATA_BLOB nt_resp; - DATA_BLOB lm_interactive_password; - DATA_BLOB nt_interactive_password; - DATA_BLOB plaintext_password; - + } client, mapped; + + enum auth_password_state password_state; + + union { + struct { + DATA_BLOB lanman; + DATA_BLOB nt; + } response; + struct { + struct samr_Password *lanman; + struct samr_Password *nt; + } hash; + + char *plaintext; + } password; uint32_t flags; }; 
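Review bot: The `password` union in `struct auth_usersupplied_info` is only valid through the member selected by `password_state`, and nothing in the hunk says so. Reading `password.response` while the state is `AUTH_PASSWORD_PLAIN` would reinterpret a `char *` as a `DATA_BLOB`, so `password_state` deserves a comment such as `/* selects the valid member of 'password' below */`. `mapped_state` is also undocumented; it presumably records whether `mapped` has been filled in, and that should be stated. `password.plaintext` and the `hash` pointers hold secrets, and the header gives no note on who owns or wipes them.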
@@ -157,7 +168,12 @@ struct auth_critical_sizes { int sizeof_auth_context; int sizeof_auth_usersupplied_info; int sizeof_auth_serversupplied_info; - int sizeof_auth_str; }; + NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, + enum auth_password_state to_state, + const struct auth_usersupplied_info *user_info_in, + const struct auth_usersupplied_info **user_info_encrypted); + + #endif /* _SMBAUTH_H_ */ -- cgit From a0647a89a82e892292c421f5c968de2f28d42366 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 24 Oct 2005 07:11:40 +0000 Subject: r11272: In trying to track down why Win2k3 is again rejecting our PAC, ensure we can round-trip all the way back to a server_info structure, not just a filled in PAC_DATA. (I was worried about generated fields being incorrect, or some other logical flaw). Andrew Bartlett (This used to be commit 11b1d78cc550c60201d12f8778ca8533712a5b1e) --- source4/auth/auth.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 0b12328b3c..392703729f 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -94,6 +94,7 @@ struct auth_serversupplied_info const char *profile_path; const char *home_directory; const char *home_drive; + const char *logon_server; NTTIME last_logon; NTTIME last_logoff; -- cgit From 152988a828ee958b9452474885460e9e46f65e79 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 28 Oct 2005 08:54:37 +0000 Subject: r11366: Pass around the flags which indicate if we should support plaintext logins and NTLM machine account logins. Andrew Bartlett (This used to be commit 421e64c2b4192bb13d2857d6c8648ff687ed653e) --- source4/auth/auth.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 392703729f..55168a5beb 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h 
@@ -51,6 +51,8 @@ struct auth_usersupplied_info const char *workstation_name; const char *remote_host; + uint32_t logon_parameters; + BOOL mapped_state; /* the values the client gives us */ struct { -- cgit From 546f63df5b214a1419069887ecfd9118aae8030a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 28 Oct 2005 11:20:48 +0000 Subject: r11370: Samba4 now passes it's own RPC-SAMLOGON test again. This avoids the nasty user@DOMAIN test for now, as it has very odd semantics with NTLMv2. Allow only user accounts to do an interactive login. Andrew Bartlett (This used to be commit 690cad8083e176b2e58fc243a11a003a78ce4074) --- source4/auth/auth.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 55168a5beb..9f2e0b6a07 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -39,6 +39,7 @@ #define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */ #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */ #define USER_INFO_DONT_CHECK_UNIX_ACCOUNT 0x04 /* dont check unix account status */ +#define USER_INFO_INTERACTIVE_LOGON 0x08 /* dont check unix account status */ enum auth_password_state { AUTH_PASSWORD_RESPONSE, -- cgit From 3b2a6997b43dcfe37adf67c84e564a4fbff5b108 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 2 Nov 2005 00:31:22 +0000 Subject: r11452: Update Heimdal to current lorikeet, including removing the ccache side of the gsskrb5_acquire_cred hack. Add support for delegated credentials into the auth and credentials subsystem, and specifically into gensec_gssapi. Add the CIFS NTVFS handler as a consumer of delegated credentials, when no user/domain/password is specified. Andrew Bartlett (This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448) --- source4/auth/auth.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/auth.h') 
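Review bot: The comment on `USER_INFO_INTERACTIVE_LOGON` is a copy of the one on `USER_INFO_DONT_CHECK_UNIX_ACCOUNT` (`dont check unix account status`) and does not describe the new flag. The commit message says only user accounts may do an interactive login, so the flag gates an account-type restriction and a wrong comment invites misuse. I would change the line to `#define USER_INFO_INTERACTIVE_LOGON 0x08 /* interactive logon; only user accounts are accepted */`.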
diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 9f2e0b6a07..58f72aa8af 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -118,6 +118,7 @@ struct auth_session_info { struct security_token *security_token; struct auth_serversupplied_info *server_info; DATA_BLOB session_key; + struct cli_credentials *credentials; }; struct auth_method_context; -- cgit From 2cd5ca7d25f12aa9198bf8c2deb6aea282f573ee Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 28 Dec 2005 15:38:36 +0000 Subject: r12542: Move some more prototypes out to seperate headers (This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2) --- source4/auth/auth.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 58f72aa8af..9aa6d29c6e 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -180,5 +180,6 @@ struct auth_critical_sizes { const struct auth_usersupplied_info *user_info_in, const struct auth_usersupplied_info **user_info_encrypted); +#include "auth/auth_proto.h" #endif /* _SMBAUTH_H_ */ -- cgit From f55ea8bb3dca868e21663cd90eaea7a35cd7886c Mon Sep 17 00:00:00 2001 
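Review bot: `struct cli_credentials *credentials` is added to `struct auth_session_info` with no comment, although the commit message says it carries delegated credentials. A session structure is passed widely, so the field should say that it may be unset and that it lets the holder act as the user towards other servers. I would add `/* delegated client credentials, if any; handle as a secret */` above it. The struct begins outside this hunk.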
From: Andrew Bartlett Date: Mon, 9 Jan 2006 22:12:53 +0000 Subject: r12804: This patch reworks the Samba4 sockets layer to use a socket_address structure that is more generic than just 'IP/port'. It now passes make test, and has been reviewed and updated by metze. (Thankyou *very* much). This passes 'make test' as well as kerberos use (not currently in the testsuite). The original purpose of this patch was to have Samba able to pass a socket address stucture from the BSD layer into the kerberos routines and back again. It also removes nbt_peer_addr, which was being used for a similar purpose. It is a large change, but worthwhile I feel. Andrew Bartlett (This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2) --- source4/auth/auth.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 9aa6d29c6e..80360a7cb4 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -50,7 +50,7 @@ enum auth_password_state { struct auth_usersupplied_info { const char *workstation_name; - const char *remote_host; + struct socket_address *remote_host; uint32_t logon_parameters; -- cgit From 620d759f49f4b648d0fa4a84e67f1cecbbdd0f06 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 27 Apr 2006 19:50:13 +0000 Subject: r15298: Fix the build using a few hacks in the build system. Recursive dependencies are now forbidden (the build system will bail out if there are any). I've split up auth_sam.c into auth_sam.c and sam.c. Andrew, please rename sam.c / move its contents to whatever/wherever you think suits best. (This used to be commit 6646384aaf3e7fa2aa798c3e564b94b0617ec4d0) --- source4/auth/auth.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 80360a7cb4..724ccf91ca 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h 
@@ -25,6 +25,7 @@ #include "libcli/auth/credentials.h" #include "auth/gensec/gensec.h" #include "auth/gensec/spnego.h" +#include "lib/ldb/include/ldb.h" /* modules can use the following to determine if the interface has changed * please increment the version number after each interface change -- cgit From e8623667d32f717b0b746e5041500bd0ee6b3ae8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 27 Jul 2006 11:24:18 +0000 Subject: r17270: split the logic of saying this auth backend wants to handle this request from the password checking. This will help to make the password checking hook async later metze (This used to be commit 5b26cbc3428b4c186235cc08c9ace1c23f59dd7f) --- source4/auth/auth.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 724ccf91ca..20a91efc10 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -35,7 +35,8 @@ /* version 2 - initial samba4 version - metze */ /* version 3 - subsequent samba4 version - abartlet */ /* version 4 - subsequent samba4 version - metze */ -#define AUTH_INTERFACE_VERSION 4 +/* version 0 - till samba4 is stable - metze */ +#define AUTH_INTERFACE_VERSION 0 #define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */ #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */ @@ -134,6 +135,11 @@ struct auth_operations { NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge); + /* Given the user supplied info, check if this backend want to handle the password checking */ + + NTSTATUS (*want_check)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info); + /* Given the user supplied info, check a password */ NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, -- cgit From 96f60a37f6d6f1ad4baf3e441e14091046516d48 Mon Sep 17 00:00:00 2001 
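Review bot: Setting `AUTH_INTERFACE_VERSION` to 0 removes the signal the comment above it promises to modules, in the same commit that inserts `want_check` into `struct auth_operations` ahead of `check_password`. From here on a module built against an older layout has no number to compare, and its `check_password` pointer would be read from the wrong slot. If the value has to stay 0 until the interface settles, the comment `please increment the version number after each interface change` should say that the check is suspended. The registration code, which is not in this hunk, could then rely on `struct auth_critical_sizes` instead.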
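Review bot: The comment on `want_check` does not say which `NTSTATUS` means "not mine, try the next method" and which means a hard failure. That distinction decides whether a request falls through to a later entry in `methods`, so an ambiguous return value can turn a rejection into a pass-through. I would extend the comment to name the outcomes, e.g. `/* NT_STATUS_OK claims the request, NT_STATUS_NOT_IMPLEMENTED declines it, anything else aborts */`, adjusted to the values the dispatcher really tests. `struct auth_operations` starts and ends outside this hunk.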
From: Stefan Metzmacher Date: Thu, 27 Jul 2006 13:02:27 +0000 Subject: r17273: add an async version of auth_check_password() on the public auth interface and implement the sync version as wrapper to auth_check_password_send/recv() as next all callers need to be converted to the async interface and then the modules metze (This used to be commit ed40bb3c16279f9727be67e889270da5efb8ddb9) --- source4/auth/auth.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 20a91efc10..7ebab9c8e1 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -124,6 +124,7 @@ struct auth_session_info { }; struct auth_method_context; +struct auth_check_password_request; struct auth_operations { const char *name; -- cgit From 7a845bcb0141a895d5685afcef1ffe7f93428d0f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 31 Jul 2006 14:05:08 +0000 Subject: r17341: pass a messaging context to auth_context_create() and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710) --- source4/auth/auth.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 7ebab9c8e1..badfe14762 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -171,6 +171,9 @@ struct auth_context { /* the event context to use for calls that can block */ struct event_context *event_ctx; + + /* the messaging context which can be used by backends */ + struct messaging_context *msg_ctx; }; /* this structure is used by backends to determine the size of some critical types */ -- cgit From 13dbee3ffea6065a826f010e50c9b4eb2c6ad109 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Tue, 7 Nov 2006 00:48:36 +0000 Subject: r19598: Ahead of a merge to current lorikeet-heimdal: Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9) --- source4/auth/auth.h | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index badfe14762..4c172af1fe 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -22,10 +22,7 @@ #ifndef _SAMBA_AUTH_H #define _SAMBA_AUTH_H -#include "libcli/auth/credentials.h" -#include "auth/gensec/gensec.h" -#include "auth/gensec/spnego.h" -#include "lib/ldb/include/ldb.h" +union netr_Validation; /* modules can use the following to determine if the interface has changed * please increment the version number after each interface change -- cgit From 9f30272b2712227ca2ebaf04d13cd0728f3a7f64 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 7 Nov 2006 12:42:51 +0000 Subject: r19614: fix compiler warnings metze (This used to be commit 1ca8651a59e95eeca2942e5e66c2141e3f65dd9f) --- source4/auth/auth.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 4c172af1fe..eb8bbac1ee 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -23,6 +23,8 @@ #define _SAMBA_AUTH_H union netr_Validation; +struct netr_SamBaseInfo; +struct netr_SamInfo3; /* modules can use the following to determine if the interface has changed * please increment the version number after each interface change -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/auth/auth.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index eb8bbac1ee..8dce7bbd5b 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -6,7 +6,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -15,8 +15,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #ifndef _SAMBA_AUTH_H -- cgit From 06a6194eadef9fa9c9f6b3c200c41d2a59dc76af Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 27 Jul 2007 06:31:12 +0000 Subject: r24061: Anther part of bug #4823, which is that until now Samba4 didn't parse the logon hours, even if set. This code happily stolen from the great work in Samba3 :-) Andrew Bartlett (This used to be commit a4939ab629e0af0615bcecf63c7cd55e6e833505) --- source4/auth/auth.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 8dce7bbd5b..c694141373 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h 
@@ -21,6 +21,8 @@ #ifndef _SAMBA_AUTH_H #define _SAMBA_AUTH_H +extern const char *user_attrs[]; + union netr_Validation; struct netr_SamBaseInfo; struct netr_SamInfo3; -- cgit From 61ffa08f4c95e29d301de9fbabd6e71c2dbc1056 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 27 Aug 2007 18:10:19 +0000 Subject: r24712: No longer expose the 'BOOL' data type in any interfaces. (This used to be commit 1ce32673d960c8b05b6c1b1b99e1976a402417ae) --- source4/auth/auth.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index c694141373..be8221d79e 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -56,7 +56,7 @@ struct auth_usersupplied_info uint32_t logon_parameters; - BOOL mapped_state; + bool mapped_state; /* the values the client gives us */ struct { const char *account_name; @@ -113,7 +113,7 @@ struct auth_serversupplied_info uint32_t acct_flags; - BOOL authenticated; + bool authenticated; }; struct auth_session_info { @@ -161,7 +161,7 @@ struct auth_context { /* Who set this up in the first place? */ const char *set_by; - BOOL may_be_modified; + bool may_be_modified; DATA_BLOB data; } challenge; -- cgit From 4340fc2d9e9f84368818e774b0817b100eb57232 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 26 Nov 2007 02:25:20 +0100 Subject: r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d) --- source4/auth/auth.h | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index be8221d79e..4e9f7b939f 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h 
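Review bot: `extern const char *user_attrs[];` exposes a table whose entries any includer can reassign, because only the pointed-to characters are const. Given the name, this looks like the attribute list used for account lookups, so it should be read-only: `extern const char * const user_attrs[];`, with the same qualifier on the definition, which is outside this hunk. The name is also very generic for a symbol exported from a public header, and a one-line comment on what the list is for and how it is terminated is missing.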
@@ -116,13 +116,6 @@ struct auth_serversupplied_info bool authenticated; }; -struct auth_session_info { - struct security_token *security_token; - struct auth_serversupplied_info *server_info; - DATA_BLOB session_key; - struct cli_credentials *credentials; -}; - struct auth_method_context; struct auth_check_password_request; @@ -191,6 +184,8 @@ struct auth_critical_sizes { const struct auth_usersupplied_info *user_info_in, const struct auth_usersupplied_info **user_info_encrypted); +#include "auth/session.h" +#include "auth/system_session_proto.h" #include "auth/auth_proto.h" #endif /* _SMBAUTH_H_ */ -- cgit From 181aab56d528c3a270ff9f349c8e91ecb402142b Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 2 Dec 2007 16:20:18 +0100 Subject: r26221: Add loadparm_context parameter to auth_context_create. (This used to be commit a9a9634df8f3137ecb308adb90a755f12af94972) --- source4/auth/auth.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 4e9f7b939f..95819fbaf3 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -26,6 +26,7 @@ extern const char *user_attrs[]; union netr_Validation; struct netr_SamBaseInfo; struct netr_SamInfo3; +struct loadparm_context; /* modules can use the following to determine if the interface has changed * please increment the version number after each interface change -- cgit From 51db4c3f3d81d1ed03beae6426786c843ac59807 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 2 Dec 2007 17:56:09 +0100 Subject: r26228: Store loadparm context in auth context, move more loadparm_contexts up the call stack. (This used to be commit ba75f1613a9aac69dd5df94dd8a2b37820acd166) --- source4/auth/auth.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 95819fbaf3..ff7132c3ff 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h 
@@ -168,6 +168,9 @@ struct auth_context { /* the messaging context which can be used by backends */ struct messaging_context *msg_ctx; + + /* loadparm context */ + struct loadparm_context *lp_ctx; }; /* this structure is used by backends to determine the size of some critical types */ -- cgit From afe3e8172ddaa5e4aa811faceecda4f943d6e2ef Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 2 Apr 2008 04:53:27 +0200 Subject: Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343) --- source4/auth/auth.h | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 58 insertions(+), 1 deletion(-) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index ff7132c3ff..da8aac48ef 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h 
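Review bot: The comment on the new `lp_ctx` member only repeats the field name and does not say who owns the pointer. Backends will dereference it for as long as the auth context lives, so the header should state whether it is borrowed from the caller of `auth_context_create()` or referenced by the context. Something like `/* configuration for backends; borrowed from the creator, must outlive this context */` would do, if that is the intended contract. `struct auth_context` begins outside this hunk.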
@@ -190,6 +190,63 @@ struct auth_critical_sizes { #include "auth/session.h" #include "auth/system_session_proto.h" -#include "auth/auth_proto.h" + +struct ldb_message; +struct ldb_context; +NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, const uint8_t **_chal); +NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, + struct ldb_context *sam_ctx, + uint32_t logon_parameters, + struct ldb_message *msg, + struct ldb_message *msg_domain_ref, + const char *logon_workstation, + const char *name_for_logs); +struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx); +NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, + const char *netbios_name, + struct ldb_message *msg, + struct ldb_message *msg_domain_ref, + DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key, + struct auth_serversupplied_info **_server_info); +NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, + struct loadparm_context *lp_ctx, + struct auth_session_info **_session_info) ; +NTSTATUS auth_nt_status_squash(NTSTATUS nt_status); + +NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods, + struct event_context *ev, + struct messaging_context *msg, + struct loadparm_context *lp_ctx, + struct auth_context **auth_ctx); + +NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx, + struct event_context *ev, + struct messaging_context *msg, + struct loadparm_context *lp_ctx, + struct auth_context **auth_ctx); + +NTSTATUS auth_check_password(struct auth_context *auth_ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info, + struct auth_serversupplied_info **server_info); +NTSTATUS auth_init(void); +NTSTATUS auth_register(const struct auth_operations *ops); +NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx, + struct event_context *ev, + struct messaging_context *msg, + struct loadparm_context *lp_ctx, + const char *nt4_domain, + const char *nt4_username, + const char *password, + struct 
auth_session_info **session_info); +NTSTATUS auth_check_password_recv(struct auth_check_password_request *req, + TALLOC_CTX *mem_ctx, + struct auth_serversupplied_info **server_info); + +void auth_check_password_send(struct auth_context *auth_ctx, + const struct auth_usersupplied_info *user_info, + void (*callback)(struct auth_check_password_request *req, void *private_data), + void *private_data); +NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by); #endif /* _SMBAUTH_H_ */ -- cgit From c79dff2e9b7c0c07ae5845ddc3b2c06f7996dfd1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 28 Aug 2008 16:28:47 +1000 Subject: Heimdal provides Kerberos PAC parsing routines. Use them. This uses Heimdal's PAC parsing code in the: - LOCAL-PAC test - gensec_gssapi server - KDC (where is was already used, the support code refactored from here) In addition, the service and KDC checksums are recorded in the struct auth_serversupplied_info, allowing them to be extracted for validation across NETLOGON. Andrew Bartlett (This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e) --- source4/auth/auth.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source4/auth/auth.h') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index da8aac48ef..af9ed52f78 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -21,6 +21,8 @@ #ifndef _SAMBA_AUTH_H #define _SAMBA_AUTH_H +#include "librpc/gen_ndr/ndr_krb5pac.h" + extern const char *user_attrs[]; union netr_Validation; @@ -115,6 +117,8 @@ struct auth_serversupplied_info uint32_t acct_flags; bool authenticated; + + struct PAC_SIGNATURE_DATA pac_srv_sig, pac_kdc_sig; }; struct auth_method_context; -- cgit
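Review bot: The prototypes added in place of `#include "auth/auth_proto.h"` carry no contract documentation, and the challenge pair is where that matters most. `auth_get_challenge()` hands back a bare `const uint8_t **_chal` with no length, while `auth_context_set_challenge()` takes `const uint8_t chal[8]`, which the compiler treats as a plain pointer. A comment such as `/* *_chal points to the 8-byte challenge held by auth_ctx */` (if that is the contract) would keep callers from guessing the size or freeing the buffer. `system_session()` and `auth_system_session_info()` also look like they belong to the still-included `auth/system_session_proto.h`, so declaring them by hand here lets the two copies drift. There is a stray space before the semicolon in `**_session_info) ;`.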
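Review bot: The new `pac_srv_sig` and `pac_kdc_sig` members of `struct auth_serversupplied_info` have no comment saying when they are valid. The commit message says they are recorded for later validation across NETLOGON, but for a logon that carries no PAC the fields hold whatever the allocator left unless every producer zeroes the structure, which this hunk does not show. I would add `/* PAC server and KDC checksums; set only for Kerberos logons, zeroed otherwise */` and have consumers check for the empty case before validating. The struct starts outside this hunk.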