| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
| |
- better error codes than NT_STATUS_UNSUCCESSFUL for domain logon errors
- make auth_winbind load the ntdomain module if winbind isn't there.
- use new trusted domains cache to determine if the domain is valid.
Andrew Bartlett
(This used to be commit ec8d6524c6b0c70927a2b57aab71d9e3a7f8a150)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.
This also change the SID retreval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
|
| |
|
|
| |
(This used to be commit c7a1de090db35835be1a1623bfc80c04065c5dd9)
|
| |
|
|
| |
(This used to be commit 738a2b055a0757002e8cdcbf744c8663e0e26bc2)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NTLM Authentication:
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
somthing to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from th the DC. This is
used in both the auth code, and in for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
(This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
|
| |
|
|
| |
(This used to be commit 051b33e98f94ad09b4d8816a88e78715e7dc2a5e)
|
| |
|
|
|
|
|
|
|
|
| |
'set_local_machine_name' so that the client can't change it from under us.
(.NET RC2 and WinXP install calls the machine 'machinename' during NTLMSSP
on the domain join).
Andrew Bartlett
(This used to be commit 4c7163e7c2cc09bd95faa05156ee480957a7a4d8)
|
| |
|
|
| |
(This used to be commit 7a2566f2e922191e691b6dafb1a09e22913cccd6)
|
| |
|
|
| |
(This used to be commit 04a5cbc8964386774acdca759b4cfaded068c8f2)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- user_ok() and user_in_group() now take a list of groups, instead of
looking for the user in the members of all groups.
- The 'server_info' returned from the authentication is now kept around
- in future we won't copy the sesion key, username etc, we will just
referece them directly.
- rhosts upgraded to use the SAM if possible, otherwise fake up based on
getpwnam().
- auth_util code to deal with groups upgraded to deal with non-winbind domain
members again.
Andrew Bartlett
(This used to be commit 74b5436c75114170ce7c780c19226103d0df9060)
|
| |
|
|
|
|
|
| |
interop with clients not in our domain.
Andrew Bartlett
(This used to be commit 6aa3aba3db604d481dc96c3befe066938cb1b0f3)
|
| |
|
|
|
|
| |
Needed to move to disk based i/o later.
Jeremy.
(This used to be commit a823fee5b41a5b6cd4ef05aa1f85f7725bd272a5)
|
| |
|
|
|
|
|
|
|
|
|
| |
- use safe_strcpy() instead of pstrcpy() for malloc()ed strings
- CUPS: a failure in an attempt to automaticly add a printer is not level 0 stuff.
- Fix up a possible Realloc() failure segfault
Andrew Bartlett
(This used to be commit c1cfc296c2efdb2b5972202146e80f0e3b6a3da4)
|
| |
|
|
|
| |
Andrew Bartlett
(This used to be commit 830de56bf2f47412acfebf6c6353ab4b98c8517e)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- NTLMSSP over SPENGO (sesssion-setup-and-x) cleanup and code refactor.
- also consequential changes to the NTLMSSP and SPNEGO parsing functions
- and the client code that uses the same functions
- Add ntlm_auth, a NTLMSSP authentication interface for use by applications
like Squid and Apache.
- also consquential changes to use common code for base64 encode/decode.
- Winbind changes to support ntlm_auth (I don't want this program to need
to read smb.conf, instead getting all it's details over the pipe).
- nmbd changes for fstrcat() instead of fstrcpy().
Andrew Bartlett
(This used to be commit fbb46da79cf322570a7e3318100c304bbf33409e)
|
| |\
| |
| |
| | |
used to be commit b741abd496621586040081c04674ae53cb5db47c)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
of the SWAT code, and adding a base64 encoder.
The main purpose of this patch is to add NTLMSSP support to 'ntlm_auth', for
use with Squid. Unfortunetly the squid side doesn't quite support what we need
yet.
Changes to winbind to get us the info we need, and a couple of consequential
changes/cleanups in the rest of the code.
Andrew Bartlett
(This used to be commit fe50ca8f54ded2e119bde08831785fbe0db2ee99)
|
| | |
| |
| |
| |
| |
| |
| | |
challenge in the NTLMSSP context.
Andrew Bartlett
(This used to be commit ba13e058d4533b1ffba723b9e98e95090ad63d85)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- fix a crash when a second NTLMSSP session tried to free the first
- fix a crash due to some NULL pointers in the Add Printer Wizard (or read
printer code too it appears). As far as I can tell it's just that the
GUID just might not exist.
Andrew Bartlett
(This used to be commit 51b1413056b0d001076ff47a755eb35baa2d9e6d)
|
| | |
| |
| |
| |
| | |
Jeremy.
(This used to be commit faf443e5198e270f1a60d7a0939074efca750a94)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
last changed at '0'.
We need to actually change this password sometime...
Andrew Bartlett
(This used to be commit 740bf439d2d1512127c873cf0e57697161d6566b)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Controller. As we have had a number of attempts at this over the last little
while, I need to get my test rig going, and give this whole area a poke...
Meanwhile, if you want to use this, just adjust your 'auth methods' line to use
samstrict_dc...
Andrew Bartlett
(This used to be commit 18e598ec24493026008fcfe486057555b8832108)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This tries to extract our server-side code out of sessetup.c, and into a more
general lib. I hope this is only a temporay resting place - I indend to
refactor it again into an auth-subsystem independent lib, using callbacks.
Move some of our our NTLMSSP #defines into a new file, and add two that I found
in the COMsource docs - we seem to have a double-up, but I've verified from
traces that the NTLMSSP_TARGET_TYPE_{DOMAIN,SERVER} is real.
This code also copes with ASCII clients - not that we will ever see any here,
but I hope to use this for HTTP, were we can get them. Win2k authenticates
fine under forced ASCII, btw.
Tested with Win2k, NTLMv2 and Samba's smbclient.
Andrew Bartlett
(This used to be commit b6641badcbb2fb3bfec9d00a6466318203ea33e1)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Realloc()ed, causing it to fail.
Big thanks to Sandor Sonfeld <sonf@linuxmail.org> for the debug, stack and
valgrind traces!
Andrew Bartlett
(This used to be commit 7abca6d281da6388899f78e3440d7ce37bf2094e)
|
| | |
| |
| |
| |
| |
| |
| | |
(signed/unsigned mixup).
Andrew Bartlett
(This used to be commit f42cf0783fa3aeddc4992021df9ee6f3b1aa58f3)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
routines). In particular, we now better support the NT# in LM feild, and the
LMv2 password scheme. (LMv2 is basicly NTLMv2 capped at 24 bytes, slightly
more secure, and in the LM feild for compatiblity).
Thanks to the Samba-TNG team and Luke Leighton for various descriptions of this
algorithm, and to MS for a solution that seems to actually make sense for once
:-).
Andrew Bartlett
(This used to be commit 5c2e34b5b6a2241b8d2fd68458eb73bb65ade6fd)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
don't need a second just for pdb.
Also, remove magic 'is lp_guest_account' test - the magic RID should be
up to the passdb backend to set.
Andrew Bartlett
(This used to be commit f71c8338d35a2e8c73c3d8006ea6858cb522c715)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch makes Samba compile cleanly with -Wwrite-strings.
- That is, all string literals are marked as 'const'. These strings are
always read only, this just marks them as such for passing to other functions.
What is most supprising is that I didn't need to change more than a few lines of code (all
in 'net', which got a small cleanup of net.h and extern variables). The rest
is just adding a lot of 'const'.
As far as I can tell, I have not added any new warnings - apart from making all
of tdbutil.c's function const (so they warn for adding that const string to
struct).
Andrew Bartlett
(This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
|
| | |
| |
| |
| |
| | |
Jeremy.
(This used to be commit 784d15761c3271bfd602866f8f9f880dac77671c)
|
| | |
| |
| |
| |
| |
| | |
named. Ensure we can query them.
Jeremy.
(This used to be commit 842e08e52a665ae678eea239759bb2de1a0d7b33)
|
| | |
| |
| |
| |
| |
| | |
server = DC1 *
(This used to be commit 6b18ca9511ddcf1718f222af3f61491d1e5f3b60)
|
| | |
| |
| |
| |
| | |
Jeremy.
(This used to be commit ff3a8d37289216a2cb808406044a7abef1e564d0)
|
| | |
| |
| |
| | |
(This used to be commit 7d099e9a5b7164e8cdbdb93d8c4527f02c8bdefd)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
90% fix for CR 1076. The password server parameter will no take things
like
password server = DC1 *
which means to contact DC1 first and the go to auto lookup if it
fails.
jerry
(This used to be commit c31a17889e3e4daf7c1e807038efc2c0fba78be3)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- add static remove unnneded prototype
- move become_root() to just around pdb calls, so as to make it easier to
remove when we kill off this silly idea
- Change auth_sam to do 'account before password' rather than 'password before
account'. This means that we match Win2k in giving 'account disabled' instead
of 'wrong password' if the wrong password to a disabled account is used.
Andrew Bartlett
(This used to be commit e6d2debaf6064c3229f41c06545a1ccb83695a77)
|
| | |
| |
| |
| |
| |
| |
| | |
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
|
| | |
| |
| |
| |
| | |
Jeremy.
(This used to be commit 90ac8184a0ae1f702d39f947ef5267765f3d2f88)
|
| | |
| |
| |
| |
| | |
lp_machine_password_timeout() is set to zero.
(This used to be commit 0fa87a68fea8b12242f644605aab7c2f81c1a4df)
|
| | |
| |
| |
| |
| | |
than the version in APPLIANCE so watch out for boogs.
(This used to be commit 1e054e3db654801fbb5580211529cdfdea9ed686)
|
| | |
| |
| |
| |
| |
| |
| | |
NULL.
Andrew Bartlett
(This used to be commit 2115335857acd2c4f5c89b95227b3762f4c052b0)
|
| | |
| |
| |
| | |
(This used to be commit 918099f09618136c371e199803f5895f9cb702be)
|
| | |
| |
| |
| |
| |
| | |
that app-head does.
Jeremy.
(This used to be commit b521abd86b10573ca8f9116907c81e6deb55f049)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The actual design change is relitivly small however:
It all goes back to jerry's 'BOOL store', added to many of the elements in a
SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into
ldap. This was a great win for admins, and this patch follows in the same way.
This patch extends the concept - we don't store values back into LDAP unless
they have been changed. So if we read a value, but don't update it, or we
read a value, find it's not there and use a default, we will not update
ldap with that value. This reduced clutter in our LDAP DB, and makes it
easier to change defaults later on.
Metze's particular problem was that when we 'write back' an unchanged value,
we would clear any muliple values in that feild. Now he can still have his
mulitivalued 'uid' feild, without Samba changing it for *every* other
operation.
This also applies to many other attributes, and helps to eliminate a nasty
race condition. (Time between get and set)
This patch is big, and needs more testing, but metze has tested usrmgr, and
I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly
flawed ;-).
The same system will be introduced into the SAM code shortly, but this fixes
bugs that people were coming across in production uses of Samba 3.0/HEAD, hence
it's inclusion here.
Andrew Bartlett
(This used to be commit 7f237bde212eb188df84a5d8adb598a93fba8155)
|
| | |
| |
| |
| |
| | |
from APP_HEAD
(This used to be commit 38c9e4299845fd77cc8629945ce2d259489f7437)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Basicly, the password and the salt must be taken from the same place in both
passwd and shadow based systems. Taking salt from one, and password from the
other just doesn't work.
So pull them from passwd, then overwrite them if need be.
When modifying this file, watch the #ifdef hell - as vl found out, some
variables are globals - but only with #ifndef WITH_PAM, and the code jumps all
over the place with the password cracker.
Getting double-reviews of any change to this file highly advised, it is one of
our most system-specifc areas of code.
(So now I get to take the blame for this one... :-)
Andrew Bartlett
(This used to be commit f39f167900db3f06ec3c52c3ddf61e8bf3d57f56)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Volker, I would like to understand what you are trying to do here...
I'll trust that it's broken (this code is certainly not well tested) but I do
want to keep a close eye on the fixes...
Andrew Bartlett
(This used to be commit 4b72f84cf9bc3f7583318d5dff97257f9dc5b87f)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
'security = user', 'encrypt passwords = no' did not work anymore.
This is on quite a standard SuSE 7.3, ./configure.developer --with-tdbsam.
I can provide a config.log / config.h on demand.
Please re-check for consequences, I don't really oversee that file.
Thanks,
Volker
(This used to be commit ba754b57ddb78dadedcb7b5877cbee5bab08181e)
|
| | |
| |
| |
| |
| |
| |
| |
| | |
NT_TOKEN and the unix credentials - as we incresingly use the NT stuff we want
to make it easy to check they don't get out of wack.
Andrew Bartlett
(This used to be commit a3882a19254811ace2f9545580c14ce3bd588095)
|
| | |
| |
| |
| |
| | |
the DC being out of sync with the local machine.
(This used to be commit 0d28d769472ea3b98ae4c8757093dfd4499f6dd1)
|
| | |
| |
| |
| | |
(This used to be commit 2011a38f3bd1e51aa1ca0219a9e46da12426cbc3)
|
