path: root/source3/auth/token_util.c
Commit message | Author | Age | Files | Lines
* lib/util: move memcache.[ch] to the toplevel 'samba-util' library | Stefan Metzmacher | 2014-07-18 | 1 | -1/+1
  This is generic enough that it could be used in all code.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Fri Jul 18 15:43:33 CEST 2014 on sn-devel-104
* smbd: fix creation of BUILTIN\{Administrators,Users} when "tdbsam:map builtin = false" | Michael Adam | 2014-05-19 | 1 | -3/+13
  In this case, passdb/group mapping is not responsible for the id mapping of the builtins, so the check whether the SID maps to a unix ID is not valid for checking whether the builtin has been created as a proper group. So this patch changes the check to whether we find the builtin in the group mapping database.
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Mon May 19 16:41:41 CEST 2014 on sn-devel-104
* s3: smbd: Factor out code that calls getgroups_unix_user() into a separate function. | Jeremy Allison | 2014-03-25 | 1 | -52/+92
  This code needs to special-case the guest user, as this token can have the token_sid[0] set to the Guest SID, not the mapping of UNIX uid -> SID. Other users that may have a well-known SID set in token_sid[0] (like SYSTEM) are usually not mappable to UNIX users and can be ignored when adding local groups from /etc/group.
  Found by <linux@kukkukk.com>.
  Second part of the bugfix for: https://bugzilla.samba.org/show_bug.cgi?id=10508
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3: smbd: Ensure we always go via getgroups_unix_user() when creating an NT token. | Jeremy Allison | 2014-03-21 | 1 | -0/+61
  This has to be done in every code path that creates an NT token, as remote users may have been added to the local /etc/group database. Tokens created merely from the info3 structs (via the DC or via the krb5 PAC) won't have these local groups.
  https://bugzilla.samba.org/show_bug.cgi?id=10508
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Simo Sorce <idra@samba.org>
* param: rename lp function and variable from 'guestaccount' to 'guest_account' | Garming Sam | 2014-02-07 | 1 | -1/+1
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3:auth small optimization in create_token_from_sid | Christian Ambach | 2013-02-05 | 1 | -3/+5
  save some calls to lp_idmap_default_range(), calling it once is enough
  Signed-off-by: Christian Ambach <ambi@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Michael Adam <obnox@samba.org>
  Autobuild-Date(master): Tue Feb 5 19:14:25 CET 2013 on sn-devel-104
* s3:auth: use new lp_idmap_default_range() instead of lp_idmap_gid() in create_token_from_sid() | Michael Adam | 2013-02-05 | 1 | -2/+2
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Christian Ambach <ambi@samba.org>
* s3:auth: Tidy up some of the API confusion in create_token_from_XXX() calls. | Jeremy Allison | 2012-12-11 | 1 | -6/+9
  Based on Michael's example, split out the return of NT_STATUS_NO_MEMORY on talloc fail from other possible errors. Allow the NTSTATUS return to be the only valid indication of success in these calls.
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Tue Dec 11 20:04:25 CET 2012 on sn-devel-104
* s3:auth: fix dereference level in talloc checks in create_token_from_sid() | Michael Adam | 2012-12-11 | 1 | -2/+2
  Commit c5b150b33fc54ed97dbd0736cc6f4c15977d6e70 introduced these checks. The current check "found_username == NULL" is wrong (we would segfault earlier in this case). We need to check *found_username == NULL instead as noted by Günter.
  Reported-by: Günter Kukkukk <linux@kukkukk.com>
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:auth: fix function header comment for user_sid_in_group_sid() | Michael Adam | 2012-12-11 | 1 | -1/+1
  This is embarrassing: the commit 0770a4c01bef26ec51321cd5b97aea4eab9e00a8 which intended to fix an earlier copy'n'paste error, contained another typo, fixed with this commit...
  Signed-off-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Tue Dec 11 00:04:45 CET 2012 on sn-devel-104
* s3:auth: fix create_token_from_sid() to not fail in the winbindd case | Michael Adam | 2012-12-10 | 1 | -2/+10
  Commit 1c3c5e2156d9096f60bd53a96b88c2f1001d898a which factored the sid-based variant out of create_token_from_username() broke the case of a user handled by winbindd in that the "found_username" was set to NULL which caused the function to fail with NT_STATUS_NO_MEMORY further down. This patch fixes the function so that the case of found_username == NULL is cleanly separated from the NO_MEMORY case and the caller can provide the username in this case, if required.
  This fixes bug #9457.
  Signed-off-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Mon Dec 10 18:18:54 CET 2012 on sn-devel-104
* s3:auth: fix header comment for user_sid_in_group_sid() | Michael Adam | 2012-12-10 | 1 | -2/+2
  This function was created in 1c3c5e2156d9096f60bd53a96b88c2f1001d898a and the header comment contained copy'n'paste errors from the original function user_in_group_sid() that took the user name.
  Signed-off-by: Michael Adam <obnox@samba.org>
* s3:auth fix a compiler warning | Christian Ambach | 2012-09-16 | 1 | -3/+2
* s3-smbd: Create a shortcut for building the token of a user by SID for posix_acls | Andrew Bartlett | 2012-08-10 | 1 | -47/+142
  When a user owns a file, but does not have specific permissions on that file, we need to make up the user permissions. This change ensures that the first thing that we do is to look up the SID, and confirm it is a user. Then, we avoid the getpwnam() and directly create the token via the SID.
  Andrew Bartlett
  Signed-off-by: Jeremy Allison <jra@samba.org>
* s3: rename sid_check_is_in_our_domain() to sid_check_is_in_our_sam() | Michael Adam | 2012-07-12 | 1 | -1/+1
  This does not check whether the given sid is in our domain, but whether it belongs to the local sam, which is a different thing on a domain member server.
  Autobuild-User(master): Michael Adam <obnox@samba.org>
  Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104
* lib/util: Remove dummy wrapper for getpwuid(). | Jelmer Vernooij | 2012-03-24 | 1 | -2/+2
* lib/util: Remove dummy wrapper for getpwnam(). | Jelmer Vernooij | 2012-03-24 | 1 | -2/+2
* s3-auth: token_util needs system/passwd.h. | Günther Deschner | 2011-10-14 | 1 | -0/+1
  Guenther
* s3-auth Add const to indicate input elements | Andrew Bartlett | 2011-07-20 | 1 | -2/+2
  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-talloc Change TALLOC_ZERO_P() to talloc_zero() | Andrew Bartlett | 2011-06-09 | 1 | -1/+1
  Using the standard macro makes it easier to move code into common, as TALLOC_ZERO_P isn't standard talloc.
* s3-talloc Change TALLOC_ARRAY() to talloc_array() | Andrew Bartlett | 2011-06-09 | 1 | -4/+4
  Using the standard macro makes it easier to move code into common, as TALLOC_ARRAY isn't standard talloc.
* s3-auth: run minimal_includes.pl | Günther Deschner | 2011-05-05 | 1 | -1/+0
  Guenther
* s3: only include lib/privileges.h where needed. | Günther Deschner | 2011-03-30 | 1 | -0/+1
  This finally removes the global lsa.h inclusion.
  Guenther
* s3-auth: use auth.h where needed. | Günther Deschner | 2011-03-30 | 1 | -0/+1
  Guenther
* s3-passdb: use passdb headers where needed. | Günther Deschner | 2011-03-30 | 1 | -0/+1
  Guenther
* s3: create_builtin_users/administrators belongs to passdb not auth. | Günther Deschner | 2011-03-30 | 1 | -130/+0
  Guenther
* s3-winbind: remove global inclusion of libwbclient. | Günther Deschner | 2011-03-30 | 1 | -0/+1
  Guenther
* lib/util/util_pw: share sys_get{pw,gr} group of calls. | Günther Deschner | 2011-03-30 | 1 | -0/+1
  Guenther
* Quite some callers of sid_split_rid do not care about the rid | Volker Lendecke | 2011-03-10 | 1 | -3/+1
* s3:auth: change num_groups from size_t to uint32_t | Stefan Metzmacher | 2011-02-22 | 1 | -4/+4
  This will help with the change from UNIX_USER_TOKEN to security_unix_token
  metze
* Make getpwnam_alloc() static to lib/username.c, and ensure all username lookups go through Get_Pwnam_alloc(), which is the correct wrapper function. | Jeremy Allison | 2010-10-20 | 1 | -3/+3
  We were using it *some* of the time anyway, so this just makes us properly consistent.
  Jeremy.
  Autobuild-User: Jeremy Allison <jra@samba.org>
  Autobuild-Date: Wed Oct 20 16:02:12 UTC 2010 on sn-devel-104
* s3-auth Use security_token_debug() from common code | Andrew Bartlett | 2010-10-14 | 1 | -26/+0
  This prints the security token including the privileges as strings instead of just a bitmap.
  Andrew Bartlett
  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-auth use security_token_has_sid() from the common code | Andrew Bartlett | 2010-10-14 | 1 | -9/+2
  The wrapper call is left here to avoid changing semantics for the NULL parameter case.
  Andrew Bartlett
  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* libcli/security Provide a common, top level libcli/security/security.h | Andrew Bartlett | 2010-10-12 | 1 | -1/+1
  This will reduce the noise from merges of the rest of the libcli/security code, without this commit changing what code is actually used. This includes (along with other security headers) dom_sid.h and security_token.h
  Andrew Bartlett
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
* s3: Remove talloc_autofree_context() from get_root_nt_token() | Volker Lendecke | 2010-09-26 | 1 | -1/+1
  The memcache_add_talloc() later on steals it anyway
* s3: Fix a typo | Volker Lendecke | 2010-09-25 | 1 | -1/+1
* s3-util_sid: use shared dom_sid_compare_auth and dom_sid_equal_X functions. | Günther Deschner | 2010-09-20 | 1 | -2/+2
  Guenther
* s3-privs Call security_token_set_privilege() rather than manual assignment | Andrew Bartlett | 2010-09-11 | 1 | -1/+1
  This avoids as much direct modification of the bitmask as possible.
  Andrew Bartlett
  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-privs Inline dump_se_priv into callers now that it's just a uint64_t | Andrew Bartlett | 2010-09-11 | 1 | -1/+1
  The previous 128 bit structure needed this helper function.
  Andrew Bartlett
  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3:auth Remove NT_USER_TOKEN | Andrew Bartlett | 2010-09-11 | 1 | -6/+6
  The all UPPER case typedef is no longer the preferred Samba style and this makes it easier to see that this is the IDL-derived structure
  Andrew Bartlett
  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-auth Change struct nt_user_token -> struct security_token | Andrew Bartlett | 2010-09-11 | 1 | -14/+14
  This common structure is defined in security.idl
  Andrew Bartlett
  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-auth Change type of num_sids to uint32_t | Andrew Bartlett | 2010-09-11 | 1 | -5/+7
  size_t is overkill here, and in struct security_token in the num_sids is uint32_t. This includes a change to the prototype of add_sid_to_array() and add_sid_to_array_unique(), which has had a number of consequential changes as I try to sort out all the callers using a pointer to the number of sids.
  Andrew Bartlett
  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-auth Rename NT_USER_TOKEN privileges -> privilege_mask | Andrew Bartlett | 2010-08-31 | 1 | -3/+3
  This is closer to the struct security_token from security.idl
  Andrew Bartlett
* s3-auth Rename NT_USER_TOKEN user_sids -> sids | Andrew Bartlett | 2010-08-31 | 1 | -24/+24
  This is closer to the struct security_token from security.idl
* s3-build: only include memcache.h where needed. | Günther Deschner | 2010-08-26 | 1 | -0/+1
  Guenther
* s3-netlogon: remove global include of netlogon.h. | Günther Deschner | 2010-08-06 | 1 | -0/+2
  This reduces precompiled headers by another 4 MB and also slightly speeds up the build.
  Guenther
* s3-secrets: only include secrets.h when needed. | Günther Deschner | 2010-08-05 | 1 | -0/+1
  Guenther
* s3: [ug]id_to_unix_... can not fail | Volker Lendecke | 2010-07-11 | 1 | -5/+2
  Remove some silly failure checks
* s3:auth create nt token from info3 directly | Simo Sorce | 2010-06-07 | 1 | -26/+157
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s3:dom_sid Global replace of DOM_SID with struct dom_sid | Andrew Bartlett | 2010-05-21 | 1 | -24/+24
  This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that it is just an alias for struct dom_sid.
  Andrew Bartlett
  Signed-off-by: Günther Deschner <gd@samba.org>