summaryrefslogtreecommitdiffstats
path: root/source4/auth/sam.c
Commit message (Collapse)AuthorAgeFilesLines
* auth: Split out fetching trusted domain into sam_get_results_trust()Andrew Bartlett2014-09-011-0/+74
| | | | | | | | | | This new helper function will also be used by pdb_samba_dsdb. Change-Id: I008af94a0822012c211cfcc6108a8b1285f4d7c7 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4-auth: Support password history correctly, including allowing NTLM logins ↵Andrew Bartlett2014-04-021-0/+2
| | | | | | | | | | | | | | | using the old password This is only done during a 1 hour allowed period, by default. We only update bad password count when not one of the last 3 passwords Andrew Bartlett Change-Id: I76fd8010ce273a21efb55f9601d17b9978a0acf0 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.cAndrew Bartlett2014-04-021-100/+0
| | | | | | | | | | This allows the password_hash code to call the same update routine. Andrew Bartlett Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth: Split out badPwdCount update into a helper functionAndrew Bartlett2014-04-021-48/+79
| | | | | | | | | | This will allow password_hash to call this using dsdb_module_*() functions. Andrew Bartlett Change-Id: Ib6705300f3f12f4e5e9c73bfd041e6f72bb3ac4a Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and ↵Andrew Bartlett2014-04-021-0/+61
| | | | | | | | lockoutTime on successful login Change-Id: I2530f08a91f9b6484203dbdaba988f2df1a04ea1 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:auth: Add password lockout support to the AD DCAndrew Bartlett2014-04-021-0/+117
| | | | | | | | Including a fix by Arvid Requate <requate@univention.de> Change-Id: I25d10da50dd6119801cd37349cce970599531c6b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Rework samdb_result_acct_flags to use either userAccountControl or ↵Andrew Bartlett2014-04-021-4/+4
| | | | | | | | | | | | | | | | msDS-User-Account-Control-Computed This allows us to avoid the domain lookup in the constructed attribute when not required. By using msDS-User-Account-Control-Computed the lockout and password expiry checks are now handled in the operational ldb module. Andrew Bartlett Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:auth/sam: use a higher time resolution in authsam_account_ok()Stefan Metzmacher2014-04-021-2/+2
| | | | | | Change-Id: I2961e7311f31e239a6768f56437e5c112a7a9bb0 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth: avoid str_list related const warningsStefan Metzmacher2014-04-021-2/+2
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Remove the remaining uses of the macro NT_STATUS_HAVE_NO_MEMORY_AND_FREE in ↵Garming Sam2014-03-051-14/+28
| | | | | | | | | | | | | the codebase. Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls. Change-Id: Id1b540cde127395a7b27385a7c0fe79f3a145c73 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* Remove a number of NT_STATUS_HAVE_NO_MEMORY_AND_FREE macros from the codebase.Garming Sam2014-03-051-10/+40
| | | | | | | | | | | Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls. Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* s4-sam: don't look in GC NCs for user accountsAndrew Tridgell2011-10-041-2/+6
| | | | | | We need to exclude GC partial replica naming contexts from SAM lookups Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: implement samba_kdc_check_s4u2proxy()Stefan Metzmacher2011-06-241-0/+1
| | | | metze
* s4-auth Rework auth subsystem to remove struct auth_serversupplied_infoAndrew Bartlett2011-02-091-80/+84
| | | | | | | | | | | | | This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
* s4-auth Remove special case for account_sid from auth_serversupplied_infoAndrew Bartlett2011-01-201-37/+31
| | | | | | | | | | | | This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc. In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids. Andrew Bartlett
* s4-auth Add function to obtain any user's session_info from a given LDBAndrew Bartlett2011-01-141-0/+84
| | | | | | | | | | | This will be a building block for a tokenGroups test, which can compare against a remote server (in particular the rootDSE) against what we would calculate the tokenGroups to be. (this meant moving some parts out of the auth_sam code into the containing library) Andrew Bartlett
* s4-auth use new dsdb_expand_nested_groups()Andrew Bartlett2011-01-141-146/+5
| | | | | | | | This isn't quite as good as using tokenGroups, but that is only available for BASE searches, and this isn't how the all the callers work at the moment. Andrew Bartlett
* s4:dsdb/common/util_samr.c and auth/sam.c - fix error messageMatthias Dieter Wallnöfer2010-12-041-1/+1
|
* s4:auth/sam.c - when printing out a string buffer we don't strictly need the ↵Matthias Dieter Wallnöfer2010-12-031-2/+2
| | | | | | | | | width The precision (maximum numbers of characters) should be enough. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Fri Dec 3 10:26:39 CET 2010 on sn-devel-104
* s4:auth/sam.c - the check for the SAMDB needs to be on the top of the callMatthias Dieter Wallnöfer2010-12-031-6/+5
| | | | Otherwise it's really useless.
* s4:auth/sam.c - fix the free of memory contextsMatthias Dieter Wallnöfer2010-12-031-1/+1
| | | | "tmp_ctx" needs always to be freed ("res" is freed implicitly)
* s4:auth/sam.c - specify the SID ignore case betterMatthias Dieter Wallnöfer2010-12-031-1/+7
| | | | As per suggestion by metze.
* s4:auth/sam.c-"authsam_expand_nested_groups" - don't fail if we've ↵Matthias Dieter Wallnöfer2010-12-021-4/+4
| | | | | | | | | | | | memberships on non-SAM objects This can be expected (think at a membership of a "groupOfNames" group) and we shouldn't blame about it. This fixes a bug reported on the technical mailing list. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Thu Dec 2 17:17:56 CET 2010 on sn-devel-104
* s4-auth Add DEBUG() for invalid DNs and errors expanding user groups.Andrew Bartlett2010-10-191-0/+5
| | | | | | | Against the OpenLDAP backend, I currently get failures. This makes it possible to debug those failures. Andrew Bartlett
* s4:dsdb - remove "samdb_result_uint", "samdb_result_int64", ↵Matthias Dieter Wallnöfer2010-10-151-10/+10
| | | | | | | | | "samdb_result_uint64" and "samdb_result_string" We have ldb_msg_find_attr_as_* calls which do exactly the same. Therefore this reduces only code redundancies. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4-sam: added DOMAIN_RID_ENTERPRISE_READONLY_DCS for RODCs in the PACAndrew Tridgell2010-09-291-0/+16
| | | | Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-sam: fixed termination of krbtgt_attrs (comma and NULL)Andrew Tridgell2010-09-281-4/+4
| | | | Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-kdc Use msDS-SecondaryKrbTgtNumber to fill in the full KVNOAndrew Bartlett2010-09-291-0/+1
| | | | Andrew Bartlett
* s4-auth: fixed the SID list for DCs in the PACAndrew Tridgell2010-09-261-0/+16
| | | | | | | | | | | the S-1-5-9 SID is added in the PAC by the KDC, not on the server that receives the PAC Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
* s4-auth: make the disabled acct messages a bit less verboseAndrew Tridgell2010-09-021-6/+6
| | | | | | raise the debug level Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4:auth Avoid doing database lookups for NT AUTHORITY usersAndrew Bartlett2010-08-181-0/+6
|
* Revert "s4/auth: Fixed authsam_expand_nested_groups() to find entry SID if ↵Matthias Dieter Wallnöfer2010-06-291-21/+4
| | | | | | | | not available in the DN." This reverts commit fa9557fee3ca546878d99b77f1ff37f724c37024. See post "Endi's Bug 7530 patches (LDAP backend)" on samba-technical.
* s4:auth Query LDB for msds-SupportedEncryptionTypes for the KDCAndrew Bartlett2010-06-291-0/+1
| | | | | | The KDC needs this to determine what encryption types an entry supports Andrew Bartlett
* s4:auth/sam.c - "authsam_expand_nested_groups" - small performance improvementMatthias Dieter Wallnöfer2010-06-281-3/+7
| | | | | We can save one search operation if "only_childs" is false and when we had no SID passed as extended DN component.
* s4:auth/sam.c - "authsam_expand_nested_groups" - cosmetic/commentsMatthias Dieter Wallnöfer2010-06-281-9/+11
|
* s4:auth/sam.c - "authsam_expand_nested_groups" - use "dsdb_search_dn" where ↵Matthias Dieter Wallnöfer2010-06-281-3/+11
| | | | | | possible And always catch LDB errors
* s4/auth: Fixed authsam_expand_nested_groups() to find entry SID if not ↵Endi S. Dewata2010-06-281-1/+8
| | | | | | available in the DN. Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
* s4:auth Remove un-needed headers.Andrew Bartlett2010-05-211-4/+0
|
* s4:auth Fix previous commit - segfault in determinging a user's groupsAndrew Bartlett2010-05-211-5/+3
| | | | | | The previous commit didn't include these vital fixes. Andrew Bartlett
* s4:auth Error out when a memberOf DN does not have a SIDAndrew Bartlett2010-05-211-13/+8
| | | | | | We previously segfaulted if this was not the case. Andrew Bartlett
* s4:auth handle addition of nested aliases of domain groups.Andrew Bartlett2010-05-201-8/+8
| | | | | | | | | The challenge here is that we are asked not to add the domain groups again, but we need to search inside them for any aliases that we need to add. So, we can't short-circuit the operation just because we found the domain group. Andrew Bartlett
* s4:auth Move BUILTIN group addition into session.cAndrew Bartlett2010-05-201-72/+110
| | | | | | | | The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply. Andrew Bartlett
* s4:auth Change auth_generate_session_info to take an auth contextAndrew Bartlett2010-04-141-0/+1
| | | | | | | | | | | | | | | | | | The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and and loadparm context for calculating the local groups too, so re-use that infrustructure we already have in place. However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and an generate_session_info() function pointer in the struct auth_context. In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply . Andrew Bartlett
* s4:auth/sam.c - change base context for the "tmp_ctx" context in ↵Matthias Dieter Wallnöfer2010-03-041-1/+1
| | | | | | | "authsam_expand_nested_groups" Better use the "res_sids_ctx" as base context for the "tmp_ctx" and not the long-living "sam_ctx"/"ldb" context to prevent memory leaks.
* s4:sam.c - make "authsam_expand_nested_groups" publicMatthias Dieter Wallnöfer2010-03-041-1/+1
| | | | This is needed by the "tokenGroups" work in the operational LDB module.
* s4:sam.c - cosmetic indentation fixMatthias Dieter Wallnöfer2010-03-041-2/+1
|
* s4:sam.c - change variable types to unsigned in "sids_contains_sid"Matthias Dieter Wallnöfer2010-03-041-3/+4
| | | | Should also be unsigned - no need for a signed "i" and "num_sids" here.
* s4:auth - make some parts "signed-safe"Matthias Dieter Wallnöfer2010-02-251-3/+4
| | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* Spelling fixes for source4/auth.Brad Hards2010-02-221-1/+1
| | | | | | The comment for USER_INFO_INTERACTIVE_LOGON looks like a cut-n-paste from the line above. Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
* s4-dsdb: removed gendb_search_single_extended_dn()Andrew Tridgell2010-02-161-2/+3
| | | | | | Use dsdb_search_one() instead, which allows for arbitrary controls Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
generated by cgit (git 2.34.1) at 2025-09-26 09:32:45 +0000