summaryrefslogtreecommitdiffstats
path: root/source/auth
Commit message (Collapse)AuthorAgeFilesLines
* Make 'remote_machine' private to lib/substitute.c, and fix all the user to useAndrew Bartlett2002-08-111-3/+2
| | | | | | the new accessor functions. Andrew Bartlett
* This fixes a number of ADS problems, particularly with netbioslessAndrew Tridgell2002-08-051-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm
* Let everybody enjoy my new toy - make it the default!Andrew Bartlett2002-07-311-2/+2
| | | | | | | | | | | Authenticaions will now attempt to use winbind, and only fall back to 'ntdomain' (the old security=domain) code if that fails (for any reason, including wrong password). I'll fix up the authenticaion code to better handle the different types of failures in the near future. Andrew Bartlett
* Winbind updates!Andrew Bartlett2002-07-311-21/+49
| | | | | | | | | | | | | | | | This updates the 'winbind' authentication module and winbind's 'PAM' (actually netlogon) code to allow smbd to cache connections to the DC. This is particulary relevent when we need mutex locks already - there is no parallelism to be gained anyway. The winbind code authenticates the user, and if successful, passes back the 'info3' struct describing the user. smbd then interprets that in exactly the same way as an 'ntdomain' logon. Also, add parinoia to winbind about null termination. Andrew Bartlett
* the ads_connect() here doesn't need to actually succeed, as its onlyAndrew Tridgell2002-07-311-3/+1
| | | | needed to find the DC IP. Just don't check its return value!
* Fix the build for now..Jim McDonough2002-07-301-1/+1
| | | | Tridge, please look at this. Did you mean to take out the last parm?
* net ads info now reports the IP of the LDAP server as well as its name - ↵Andrew Tridgell2002-07-301-4/+6
| | | | very useful in scripts
* a couple more minor tweaks. This now allows us to operate in ADS modeAndrew Tridgell2002-07-301-4/+3
| | | | | without any 'realm =' or 'ads server =' options at all, as long as DNS is working right.
* 2nd try at a fix for netbiosless connections to a ADS DC. This alsoAndrew Tridgell2002-07-301-31/+90
| | | | | make the code a fair bit cleaner as it splits up the ADS and RPC cases, which really are very different.
* removed a gratuitous standard_sub_basic() on the 'password server'Andrew Tridgell2002-07-301-2/+0
| | | | field. This has got to be pointless.
* - if we are in ADS mode then avoid an expensive netbios lookup to findAndrew Tridgell2002-07-301-7/+16
| | | | | | | | the servers netbios name when we don't need it. This also fixes ADS mode when the DC has netbios disabled. - if the password server is specified as an IP then actually use that IP, don't do a lookup for the servers name :)
* found nasty bug in intl/lang_tdb.c tdb structure was not tested to not be ↵Simo Sorce2002-07-281-7/+7
| | | | | | | | | | | | null before close this one fixes swat not working with browsers that set more then one language. along the way implemented language priority in web/neg_lang.c with bubble sort also changet str_list_make to be able to use a different separator string Simo.
* Renamed all the new_cli_netlogon_* functions to cli_netlogon_*Tim Potter2002-07-211-1/+1
| | | | as they're no longer new!
* Try to fix up warnings - particularly on the IRIX 64 bit compiler (which had aAndrew Bartlett2002-07-201-1/+1
| | | | | | | | distinction between uchar and char). Lots of const etc. Andrew Bartlett
* Add support for a weird behaviour apparently used by Win9X pass-throughAndrew Bartlett2002-07-201-2/+17
| | | | | | | | | | authentication - we can have an NT hash in the LM hash feild. (I need to double-check this fix with tpot, who discovered it). Also remove silly casts back and forth between uchar and char. Andrew Bartlett
* NT_STATUS_UNSUCCESSFUL just gets clients confused - move to NO_LOGON_SERVERSAndrew Bartlett2002-07-201-11/+11
| | | | | | | | | | becouse thats what Win2k gives when the PDC is down. Some of these might better go to other errors, but the Win2k text message for 'unsuccessful' is not particularly useful. (A device attached to the system is not functioning...) Andrew Bartlett
* Make it clear that the debug comment is the same as the command being testedAndrew Bartlett2002-07-091-1/+1
| | | | | | for failure. Andrew Bartlett
* Address the string_sub problem by changing len = 0 to mean "no expand".Jeremy Allison2002-07-023-3/+3
| | | | | | Went through and checked all string_subs I could to ensure they're being used correctly. Jeremy.
* Update cli_full_connection() to take a 'flags' paramater, and try to get aAndrew Bartlett2002-06-251-1/+1
| | | | | | few more places to use it. Andrew Bartlett
* Try to get security=domain at least slightly working.Andrew Bartlett2002-06-242-8/+13
| | | | | | | | | | | | | The previous code both had basic logic flaws in it, and some subtle issues regarding the Win2k info3 response. I've tested this against Samba (it looks like that was missed last time due to the 'called name' corruption - which broke my testsuite) and accomidated what I've seen from a info3 printout jmcd gave me. I'll get this tested fully as soon as I get my VMware going again. Andrew Bartlett
* This patch does 2 things:Andrew Bartlett2002-06-153-96/+225
| | | | | | | | | | | | | | | It extends the 'server mutex' to conver security=server, becouse the connection race condition exists here too, and while people *should* use security=domain, some sites don't.... (This probably should be done in 2.2 as well). Also, start to actually extract and use the information that the remote server returns in the info3 struct. The server mutex code is now in a new file. Andrew Bartlett
* Add another 'trivial' built in authentication module - this one is aAndrew Bartlett2002-06-151-0/+50
| | | | | | | | | | deveopers hack to always send a fixed challange, for the benifit of tutorials and packet sniffing etc. Enabling this module removes all security, so its a --enable-developer option. Andrew Bartlett
* It appears that to match NT we should not use the 'samstrict' behaviour,Andrew Bartlett2002-06-151-3/+5
| | | | and that local accounts are perfectly fine.
* moved lp_list_* functions away from param/loadparm.c, put int lib/util_str.cSimo Sorce2002-06-141-10/+10
| | | | | and renamed to str_list_* as it is a better name. Elrond should be satisfied now :)
* Spelling.Tim Potter2002-06-121-1/+1
|
* Spelling fixes.Tim Potter2002-06-121-1/+1
|
* More cleanup work preparing for SMB signing.Jeremy Allison2002-06-011-3/+3
| | | | Jeremy.
* Spelling fixes.Tim Potter2002-05-281-7/+7
|
* Clean up a few unused functions, add a bit of static etc.Andrew Bartlett2002-05-251-28/+0
| | | | | | | | | | | | | | Importantly: The removal of the silly 'delete user script' behaviour when secuity=domain. I have left the name the same - as it still does the (previously documented, but not in smb.conf(5)) sane behaviour of deleting users on request. When we decide what to do with the 'add user' functionality, we might rename it. Andrew Bartlett
* Name the authentication modules, and therfore fix up both the build farmAndrew Bartlett2002-05-244-0/+6
| | | | | | | | and secuirty=server. I *love* automated testing... Andrew Bartlett
* Remove the password length paramater from cli_full_connection - it reallyAndrew Bartlett2002-05-241-1/+1
| | | | | | | | didn't make any sense, and its was always just strlen(password) anyway. This fixes it to be strlen(password)+1 Andrew Bartlett
* Move the authenticaion subsystem over to the same 'module:options' syntaxAndrew Bartlett2002-05-248-38/+106
| | | | | | | | | | that the passdb code now uses. Similarly, move the 'pluggable' stuff over from passdb as well, allowing runtime loading of new authenticaion modules. (NOTE: The interfaces here can *and do* change - module writers are not assured source-level compatibilty, and certainly not binary compatibility).
* Nobody uses this function, and there really doesn't seem much point toAndrew Bartlett2002-05-221-20/+0
| | | | | | it, so we may as well reduce the complexity. Andrew Bartlett
* Cleanups!Andrew Bartlett2002-05-223-44/+30
| | | | | | | | | | Make some code static, add some const to the PAM code, and make the plaintext password code actually function - particulary without the requirement to modify the 'struct passwd' (which it assumed was made up of fstrings) This kills some particularly ugly code in lib/util_pw.c Andrew Bartlett
* typo day :-(Simo Sorce2002-05-211-1/+1
|
* typo, sorrySimo Sorce2002-05-2111-11/+11
|
* debug classizedSimo Sorce2002-05-2112-0/+36
|
* Ensure auth requests from the same machine are completely serialized.Jeremy Allison2002-04-221-5/+40
| | | | | NT4.x DC's require this. Jeremy.
* Partly based on the work by mimir (Rafal SzczesniakAndrew Bartlett2002-04-141-1/+1
| | | | | | | | | | | | | | <mimir@diament.ists.pwr.wroc.pl>) this patch allows samba to correctly enumerate its trusted domains - by exaimining the keys in the secrets.tdb file. This patch has been tested with both NT4 and rpcclient/wbinfo, and adds some extra functionality to talloc and rpc_parse to allow it to deal with already unicode strings. Finally, this cleans up some const warnings that were in net_rpc.c by pushing another dash of const into the rpc client code. Andrew Bartlett
* Spelling.Tim Potter2002-04-071-1/+1
|
* Moved debug messages for grabbing/releasing mutex.Jeremy Allison2002-03-271-2/+0
| | | | Jeremy.
* Don't hold the mutex for more than 20 seconds.Jeremy Allison2002-03-261-2/+4
| | | | Jeremy.
* Spelling fixes.Tim Potter2002-03-241-1/+1
|
* Extra parinoa and DEBUG()s for the make_user_info_map() code.Andrew Bartlett2002-03-231-4/+18
|
* Renamed get_nt_error_msg() to nt_errstr().Tim Potter2002-03-172-5/+5
|
* Ensure we never use "" as a domain name (Win9X apparently does this for 'net ↵Andrew Bartlett2002-03-131-1/+6
| | | | | | | | use' duirng login). Picked up from a post to a TNG list by Volker. Andrew Bartlett
* Allow Samba to trust NT4 Domains.Andrew Bartlett2002-03-022-16/+122
| | | | | | | | | | | | | | | | This commit builds on the auth subsystem to give Samba support for trusting NT4 domains. It is off by default, but is enabled by adding 'trustdomain' to the 'auth methods' smb.conf paramater. Tested against NT4 only - there are still some issues with the join code for Win2k servers (spnego stuff). The main work TODO involves enumerating the trusted domains (including the RPC calls to match), and getting winbind to run on the PDC correctly. Similarly, work remains on getting NT4 to trust Samba domains. Andrew Bartlett
* SECURITY FIXES:Andrew Bartlett2002-03-011-6/+4
| | | | | | | | | Remove a stray 'unbecome_root()' in the ntdomain an auth failure case. Only allow trust accounts to request a challange in srv_netlogon_nt.c. Currently any user can be the 'machine' for the domain logon. MERGE for 2.2. Andrew Bartlett
* Various comment fixes from Rafal Szczesniak <mimir@diament.ists.pwr.wroc.pl>Andrew Bartlett2002-03-011-1/+1
|
* Ensure that winbindd and smbd both use identical logic to find dc's.Jeremy Allison2002-02-281-11/+12
| | | | | Fix bug where zeroip addresses were being checked. Jeremy.
generated by cgit (git 2.34.1) at 2025-09-26 21:09:17 +0000