summaryrefslogtreecommitdiffstats
path: root/source3/auth
Commit message (Collapse)AuthorAgeFilesLines
* s3:passdb: rename sids_to_unix_ids() --> sids_to_unixids() for consistencyMichael Adam2012-05-021-1/+1
|
* s3-passdb: Use struct unixid in sids_to_unix_idsAndrew Bartlett2012-05-021-6/+7
| | | | | | | | | This avoids the union in the struct wbcUnixId and moves us to using only struct unixid internally. Andrew Bartlett Signed-off-by: Michael Adam <obnox@samba.org>
* s3-auth_samba4: use new_server_id_task() to allocate server id valuesAndrew Bartlett2012-04-301-6/+27
| | | | | | | | | This is rather than just picking a random number out of the air. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Apr 30 11:29:34 CEST 2012 on sn-devel-104
* auth-krb: Move pac related util functions in a single place.Simo Sorce2012-04-121-1/+1
| | | | Signed-off-by: Andreas Schneider <asn@samba.org>
* s3-auth: Order GENSEC mechs by priority, krb5 before NTLMSSPAndrew Bartlett2012-04-031-2/+3
| | | | | | | | | Otherwise, really simple clients (such as the current ntlm_auth gss-spnego client) will not select krb5. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* More strlcat/strlcpy truncate checks.Jeremy Allison2012-03-301-10/+45
|
* lib/util: Remove obsolete sys_getpid() and sys_fork().Jelmer Vernooij2012-03-241-2/+2
| | | | | | | | | The performance of these is minimal (these days) and they can return invalid results when used as part of applications that do not use sys_fork(). Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sat Mar 24 21:55:41 CET 2012 on sn-devel-104
* lib/util: Remove dummy wrapper for getpwuid().Jelmer Vernooij2012-03-241-2/+2
|
* lib/util: Remove dummy wrapper for getpwnam().Jelmer Vernooij2012-03-241-2/+2
|
* s3-krb5: Remove GSS_WRAP_IOV conditionalAndrew Bartlett2012-03-151-1/+1
| | | | | | | We already confirm that we have this functionality before we set HAVE_KRB5 at configure time. Andrew Bartlett
* s3-rpc: Decrypt with the proper session key in CreateTrustedDomainEx2.Alexander Bokovoy2012-03-132-0/+29
| | | | | | | | | | | | | | | | On LSA and SAMR pipes session_key is truncated to 16 byte when doing encryption/decryption. However, this was not done for trusted domain-related modifying operations. As result, Samba 4 client libraries do not work against Samba 3 while working against Windows 2008 r2. Solved this by introducing "session_extract_session_key()" function that allows to specify intent of use of the key. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Andreas Schneider <asn@cryptomilk.org> Autobuild-Date: Tue Mar 13 12:23:44 CET 2012 on sn-devel-104
* s3-auth: Remove single-implementation plugin layerAndrew Bartlett2012-03-083-11/+48
| | | | | | | | The ->get_ntlm_challenge and ->check_ntlm_password elements of struct auth_context were only ever initialised to a single value. Make it easier to follow by just calling the function directly. Andrew Bartlett
* s3-auth: Follow auth_ntlmssp and use auth4_context for Session SetupAndrew Bartlett2012-03-081-10/+10
| | | | | | | | | | This patch ensures consistency in behaviour between NTLMSSP and NTLM session setup handlers. By calling the same layer that auth_ntlmssp calls, we can not only allow redirection of all authentication to the AD DC, we ensure that map to guest and username map handling is consistent, even in the file server alone. Andrew Bartlett
* s3-auth Add make_session_info_from_pw to avoid multiple getpwnam() callsAndrew Bartlett2012-03-041-12/+34
|
* s3-auth: Remove security=share (depricated since 3.6).Andrew Bartlett2012-03-044-193/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch removes security=share, which Samba implemented by matching the per-share password provided by the client in the Tree Connect with a selection of usernames supplied by the client, the smb.conf or guessed from the environment. The rationale for the removal is that for the bulk of security=share users, we just we need a very simple way to run a 'trust the network' Samba server, where users mark shares as guest ok. This is still supported, and the smb.conf options are documented at https://wiki.samba.org/index.php/Public_Samba_Server At the same time, this closes the door on one of the most arcane areas of Samba authentication. Naturally, full user-name/password authentication remain available in security=user and above. This includes documentation updates for username and only user, which now only do a small amount of what they used to do. Andrew Bartlett -------------- / \ / REST \ / IN \ / PEACE \ / \ | SEC_SHARE | | security=share | | | | | | 5 March | | | | 2012 | *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______
* s3-auth: Provide helper routine to check password and return session_infoAndrew Bartlett2012-02-242-0/+31
|
* auth: Rename some elements of auth4_contextAndrew Bartlett2012-02-241-3/+3
| | | | | | These operate on NTLM authentication, so make that clear. Andrew Bartlett
* s3-auth: Add a way to get an auth4_context from the auth stackAndrew Bartlett2012-02-244-11/+108
| | | | | | | | This will allow us to use the same layer that auth_ntlmssp does in the non-SPNEGO session setup, which will in turn make the authentication code more consistent in the AD server case. Andrew Bartlett
* auth: Reorder arguments to generate_session_infoAndrew Bartlett2012-02-182-4/+4
| | | | | | | | | This matches check_ntlm_password() and generate_session_info_pac() Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
* s3-auth: Use common gensec_ntlmsspAndrew Bartlett2012-02-172-38/+3
| | | | | | | | There is no longer any samba3-specific code left here. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth: Use common gensec_ntlmssp_server_startAndrew Bartlett2012-02-171-127/+1
| | | | | | | | This is now identical code, so there is no need to duplicate it. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth: Use the gensec-supplied DNS domain name and hostname.Andrew Bartlett2012-02-172-28/+76
| | | | | | | | Also have a reasonable fallback for when it is not set. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth: Allow NTLMSSP features to be disabled with smb.conf options for testingAndrew Bartlett2012-02-171-9/+23
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth: Use the lpcfg_ wrapper calls to set some variablesAndrew Bartlett2012-02-171-31/+10
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth: Remove a layer of indirection and reorder to match ↵Andrew Bartlett2012-02-171-18/+15
| | | | gensec_ntlmssp_server_start()
* s3-auth: Only allow LM_KEY cryptography when extra options are setAndrew Bartlett2012-02-171-1/+6
| | | | | | | | | | This crypto is incredibly poor, and can technically be enabled on an otherwise more secure connection that uses NTLM for the actual authentication leg. Therefore disable it by default. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth: Inline ntlmssp_server_start() into gensec_ntlmssp3_server_start()Andrew Bartlett2012-02-171-9/+60
| | | | | | | | This will help syncing this rotuine up with gensec_ntlmssp_server_start(). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth Use the common gensec_ntlmssp_update in gensec_ntlmssp3_serverAndrew Bartlett2012-02-171-21/+1
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth: Use common gensec_ntlmssp server functions for more of ↵Andrew Bartlett2012-02-171-182/+2
| | | | | | | | | | | gensec_ntlmssp3_server This is possible because we now supply the auth4_context abstraction that this code is looking for. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth: Add extra error messages on authentication or authorization failureAndrew Bartlett2012-02-171-0/+16
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth Hook checking passwords and generating session_info via the ↵Andrew Bartlett2012-02-173-59/+259
| | | | | | | | | | | | | | auth4_context This avoids creating a second auth_context, as it is a private pointer in the auth4_context that has already been passed in, and makes the gensec_ntlmssp code agnostic to the type of authentication backend behind it. This will in turn allow the ntlmssp server code to be further merged. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* Rename obscure defined constants.Christopher R. Hertel (crh)2012-02-161-2/+2
| | | | | | | | | | | | | | | Replaced the undescriptive SMB_PORT1 and SMB_PORT2 defined constants with the slightly more descriptive names NBT_SMB_PORT and TCP_SMB_PORT. Also replaced several hard-coded references to the well-known port numbers (139 and 445, respectively) as appropriate. Small changes to clarify some comments regarding the two transport types. Signed-off-by: Simo Sorce <idra@samba.org> Autobuild-User: Simo Sorce <idra@samba.org> Autobuild-Date: Thu Feb 16 08:29:41 CET 2012 on sn-devel-104
* s3-auth: On successful user mapping set mapped_to_guest to false.Sumit Bose2012-02-131-0/+1
| | | | | Autobuild-User: Andreas Schneider <asn@cryptomilk.org> Autobuild-Date: Mon Feb 13 13:09:10 CET 2012 on sn-devel-104
* s3-auth Add const to make_user_info_mapAndrew Bartlett2012-02-082-4/+4
|
* s3:auth: fill the sids array of the info3 in ↵Stefan Metzmacher2012-02-021-0/+53
| | | | | | | | | | | | | wbcAuthUserInfo_to_netr_SamInfo3() (bug #8739) Originally, only the rid array was filled and foreign domain sids were omitted. Pair-Programmed-With: Michael Adam <obnox@samba.org> metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Feb 2 12:59:32 CET 2012 on sn-devel-104
* s3:auth: fix potential gap creation in wbcsids_to_samr_RidWithAttributeArray()Stefan Metzmacher2012-02-021-4/+5
| | | | | | Pair-Programmed-With: Michael Adam <obnox@samba.org> metze
* s3:auth/auth_generic: make use of gensec_spnego in the serverStefan Metzmacher2012-01-311-4/+9
| | | | metze
* s3-auth: Remove duplicate check for NT_STATUS_IS_OK(nt_status)Andrew Bartlett2012-01-301-4/+0
| | | | | Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Jan 30 09:38:47 CET 2012 on sn-devel-104
* auth: Make check_password and generate_session_info hook genericAndrew Bartlett2012-01-301-14/+19
| | | | | | | | gensec_ntlmssp does not need to know the internal form of the struct user_info_dc or auth_serversupplied_info. This will allow the calling logic to be put in common. Andrew Bartlett
* s3-pdb: Break SECRETS3 dependency on PDB.Simo Sorce2012-01-271-1/+1
| | | | | | | | | | | | | | | This is causing circular depdnendcies that bring libpdb in all code and this is BAD. This change 'protects' the sid and guid of the domain by adding a special key that makes them effectively read only. Limit this temporarily to the samba 4 build, once it gets some good testing the samba4 ifdefs can be dropped. fix pdb dependencies Signed-off-by: Andreas Schneider <asn@samba.org>
* s3:auth/auth_generic: for now call sub_set_smb_name() and lp_load()Stefan Metzmacher2012-01-261-0/+6
| | | | | | | | | This matches the auth_ntlmssp case and the smbd/sesssetup.c code. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Jan 26 17:58:17 CET 2012 on sn-devel-104
* s3-gensec: Add hook to allow gensec to know if kerberos is permittedAndrew Bartlett2012-01-181-0/+24
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-librpc Call GSSAPI via the auth_generic layer and gensecAndrew Bartlett2012-01-181-1/+6
| | | | | | | | | | This simplifies a lot of code, as we know we are always dealing with a struct gensec_security, and allows the gensec module being used to implement GSSAPI to be swapped when required for AD-server operation. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth Match session setup handling of krb5, store the PACAndrew Bartlett2012-01-181-1/+4
| | | | | | | | | This will allow non-krb5 services to get the full user groups without need to do an online s4u2self. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth Add auth hook for PAC parsingAndrew Bartlett2012-01-181-2/+128
| | | | | | | | | | | This will allow gensec_gse to parse the PAC. This is a copy from source3/rpc_server/dcesrv_generic.c to preserve behaviour. A future commit will enable the samlogon cache. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-waf: auth_netlogond depends on tldap.Andreas Schneider2012-01-121-0/+1
| | | | | Autobuild-User: Andreas Schneider <asn@cryptomilk.org> Autobuild-Date: Thu Jan 12 17:33:10 CET 2012 on sn-devel-104
* s3-auth Remove more unused headersAndrew Bartlett2012-01-051-3/+0
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth remove unused ntlmssp.hAndrew Bartlett2012-01-051-1/+0
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth Remove ntlmssp_wrap.h which is no longer requiredAndrew Bartlett2012-01-052-2/+0
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth use gensec directly rather than via auth_generic_stateAndrew Bartlett2012-01-052-44/+24
| | | | | | | | | This is possible because the s3 gensec modules are started as normal gensec modules, so we do not need a wrapper any more. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
generated by cgit (git 2.34.1) at 2026-03-02 16:35:33 +0000