summaryrefslogtreecommitdiffstats
path: root/source/auth
Commit message (Collapse)AuthorAgeFilesLines
* some more idmapping :)Simo Sorce2003-04-051-5/+7
|
* Map a useless error code to a useful one...Andrew Bartlett2003-04-021-0/+5
|
* - Support building all auth modules as .so'sJelmer Vernooij2003-03-251-1/+1
| | | | - Change 2 variable names to avoid conflicts (patch by Stephan Kulow <coolo@kde.org>)
* Make auth.c compile again. I'm not sure what this does though...Volker Lendecke2003-03-251-2/+3
| | | | Volker
* - Add support to auth/ for the new modules systemJelmer Vernooij2003-03-248-81/+103
| | | | - Quite some small fixes (also fixes the build)
* Fix compile.Andrew Bartlett2003-03-231-2/+2
|
* NTLM Authentication:Andrew Bartlett2003-03-232-7/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett
* Fix some comment typosJelmer Vernooij2003-03-191-2/+2
|
* Now that mimir has done the grunt work, I'll fix up the commentAndrew Bartlett2003-03-151-4/+1
|
* Extending code to work both in case of domain membershipRafal Szczesniak2003-03-141-1/+1
| | | | | | | | | and domain controller respecting interdomain trust relationships. In the latter case we need to find DC of remote domain instead of ours. In the former 'domain' is our domain name. Rafal
* Fresh meat in trusted domains code:Rafal Szczesniak2003-03-141-20/+6
| | | | | | | | | | | | | | | - packing/unpacking utility functions for trusted domain password struct; can be used to prepare buffer to store in secrets.tdb or (soon) passdb backend - similiar functions for DOM_SID - respectively modified secrets_(fetch|store) routines - new auth mapping code utilising introduced is_trusted_domain function - added tdb (un)packing of single bytes Rafal
* Make sure that the 'remote' machine name can only be set once. For some weirdAndrew Bartlett2003-03-081-1/+1
| | | | | | | | | | | | reason, during a Win2003 installation, when you select 'domain join' it sends one machine name in the name exchange, and litraly 'machinename' during the NTLMSSP login. Also fix up winbindd's logfile handling, so that it matches smbd and nmbd. (This helps me, by seperating the logs by pid). Andrew Bartlett
* Doxygen janitor: rpc_resolve_dc parameter is spelled "trust_passwd"Martin Pool2003-02-281-1/+1
|
* Doxygen janitor: check_domain_match parameter is spelledMartin Pool2003-02-281-2/+2
| | | | "auth_context".
* Make sure we set the error code to indicate failure...Andrew Bartlett2003-02-221-2/+11
| | | | Andrew Bartlett
* See if I can make this look slightly like C. It compiled locally, honest...Andrew Bartlett2003-02-221-3/+4
| | | | Andrew Bartlett
* First check if the user is in the passdb, then check Get_Pwnam().Andrew Bartlett2003-02-222-31/+61
| | | | | | | | | | We check passdb becouse the user might have things like a logon script set, but we have to check the passdb becouse the user might not be in smbpasswd at all. This is in preperation for the removal of unixsam as an assuption. Andrew Bartlett
* For a number of months now, support for being a domain member without alsoAndrew Bartlett2003-02-201-25/+14
| | | | | | | | running winbind has been broken. This fixes that, by removing assumptions about being able to call sid_to_uid() at will. This whole area needs revising when we get groups into the PDB. Andrew Bartlett
* If we didn't make the server_info correctly, then don't segfault trying toAndrew Bartlett2003-02-171-1/+3
| | | | | | set the 'guest' bit. Andrew Bartlett
* Add the 'session key' output of the NTLMSSP exchange to the cli struct, soAndrew Bartlett2003-02-162-3/+23
| | | | | | | | | it can be used for 'net rpc join'. Also fix a bug in our server-side NTLMSSP code - a client without any domain trust links to us may calculate the NTLMv2 response with "" as the domain. Andrew Bartlett
* Ensure that only parse_prs.c access internal members of the prs_struct.Jeremy Allison2003-02-141-2/+2
| | | | | Needed to move to disk based i/o later. Jeremy.
* Some cleanups:Andrew Bartlett2003-02-104-5/+12
| | | | | | | | | | | | | | | - Don't use pstrcpy into an allocated string - use safe_strcpy() directly instead. - Keep a copy of the 'server_info' attached to the vuid. In future use this for things like the session key, homedir and full name instead of current copies. - Try to avoid memory leak/segfault on Realloc failure - clear up #endif comments Andrew Bartlett
* Actually checking both the account and password tests would be a good idea...Andrew Bartlett2003-02-041-2/+2
| | | | Andrew Bartlett
* Updates to the NTLMSSP code again - moving the base64 decode fuctionality outAndrew Bartlett2003-01-161-4/+5
| | | | | | | | | | | | | of the SWAT code, and adding a base64 encoder. The main purpose of this patch is to add NTLMSSP support to 'ntlm_auth', for use with Squid. Unfortunetly the squid side doesn't quite support what we need yet. Changes to winbind to get us the info we need, and a couple of consequential changes/cleanups in the rest of the code. Andrew Bartlett
* Missed auth_ntlmssp.c in last night's checkin. Also keep track of the currentAndrew Bartlett2003-01-151-225/+78
| | | | | | challenge in the NTLMSSP context. Andrew Bartlett
* Crash fixes:Andrew Bartlett2003-01-151-0/+1
| | | | | | | | | - fix a crash when a second NTLMSSP session tried to free the first - fix a crash due to some NULL pointers in the Add Printer Wizard (or read printer code too it appears). As far as I can tell it's just that the GUID just might not exist. Andrew Bartlett
* Missing indirect in final free.Jeremy Allison2003-01-131-2/+2
| | | | Jeremy.
* Always initialise this variable - and don't set the 'must change now' if it wasAndrew Bartlett2003-01-131-1/+2
| | | | | | | | last changed at '0'. We need to actually change this password sometime... Andrew Bartlett
* Patch from metze to add what he feels is the correct semantics for a DomainAndrew Bartlett2003-01-132-0/+44
| | | | | | | | | | Controller. As we have had a number of attempts at this over the last little while, I need to get my test rig going, and give this whole area a poke... Meanwhile, if you want to use this, just adjust your 'auth methods' line to use samstrict_dc... Andrew Bartlett
* Updates to our NTLMSSP code:Andrew Bartlett2003-01-132-1/+293
| | | | | | | | | | | | | | | | | | This tries to extract our server-side code out of sessetup.c, and into a more general lib. I hope this is only a temporay resting place - I indend to refactor it again into an auth-subsystem independent lib, using callbacks. Move some of our our NTLMSSP #defines into a new file, and add two that I found in the COMsource docs - we seem to have a double-up, but I've verified from traces that the NTLMSSP_TARGET_TYPE_{DOMAIN,SERVER} is real. This code also copes with ASCII clients - not that we will ever see any here, but I hope to use this for HTTP, were we can get them. Win2k authenticates fine under forced ASCII, btw. Tested with Win2k, NTLMv2 and Samba's smbclient. Andrew Bartlett
* Fix to debian bug #171071 - we had the wrong dereference on the pointer to beAndrew Bartlett2003-01-131-4/+4
| | | | | | | | | Realloc()ed, causing it to fail. Big thanks to Sandor Sonfeld <sonf@linuxmail.org> for the debug, stack and valgrind traces! Andrew Bartlett
* Use size_t for the counter vars, to match the type they are assigned fromAndrew Bartlett2003-01-111-3/+3
| | | | | | (signed/unsigned mixup). Andrew Bartlett
* Clear up the auth_sam password checking code (the core of our password checkingAndrew Bartlett2003-01-051-33/+58
| | | | | | | | | | | | routines). In particular, we now better support the NT# in LM feild, and the LMv2 password scheme. (LMv2 is basicly NTLMv2 capped at 24 bytes, slightly more secure, and in the LM feild for compatiblity). Thanks to the Samba-TNG team and Luke Leighton for various descriptions of this algorithm, and to MS for a solution that seems to actually make sense for once :-). Andrew Bartlett
* We already have one function to move unistr2 -> multibyte-static, so weAndrew Bartlett2003-01-021-5/+5
| | | | | | | | | don't need a second just for pdb. Also, remove magic 'is lp_guest_account' test - the magic RID should be up to the passdb backend to set. Andrew Bartlett
* BIG patch...Andrew Bartlett2003-01-022-4/+4
| | | | | | | | | | | | | | | | This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett
* Finish adding strings to all talloc_init() calls.Jeremy Allison2002-12-231-2/+1
| | | | Jeremy.
* Forward port the change to talloc_init() to make all talloc contextsJeremy Allison2002-12-201-4/+4
| | | | | named. Ensure we can query them. Jeremy.
* merge of get_dc_name()-like code from APP_HEAD; better support password ↵Gerald Carter2002-12-121-90/+10
| | | | server = DC1 *
* Fixed auth module code. Added VALGRIND defines to reduce spurious warnings.Jeremy Allison2002-12-112-68/+58
| | | | Jeremy.
* Make it clear that we might not be talking to a PDC here.Andrew Bartlett2002-12-011-1/+1
|
* [merge from APP_HEAD]Gerald Carter2002-11-231-2/+3
| | | | | | | | | | | | | 90% fix for CR 1076. The password server parameter will no take things like password server = DC1 * which means to contact DC1 first and the go to auto lookup if it fails. jerry
* Small auth updates:Andrew Bartlett2002-11-154-11/+6
| | | | | | | | | | | - add static remove unnneded prototype - move become_root() to just around pdb calls, so as to make it easier to remove when we kill off this silly idea - Change auth_sam to do 'account before password' rather than 'password before account'. This means that we match Win2k in giving 'account disabled' instead of 'wrong password' if the wrong password to a disabled account is used. Andrew Bartlett
* Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison2002-11-125-17/+15
| | | | | | dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy.
* Fix bug found by tpot with given password server.Jeremy Allison2002-11-091-1/+1
| | | | Jeremy.
* Don't set global_machine_password_needs_changing ifTim Potter2002-11-081-4/+6
| | | | lp_machine_password_timeout() is set to zero.
* Merge of get_dc_list() api change. This was slightly more intrusiveTim Potter2002-11-061-2/+17
| | | | than the version in APPLIANCE so watch out for boogs.
* Move to the use of the 'initialised' flag, rather than the fact the pointer isAndrew Bartlett2002-11-041-8/+9
| | | | | | NULL. Andrew Bartlett
* make_server_info_guest() can need root for the ldapsam backendAndrew Tridgell2002-11-031-1/+4
|
* Added new error codes. Fix up connection code to retry in the same wayJeremy Allison2002-10-171-10/+23
| | | | | that app-head does. Jeremy.
* Nice *big* patch from metze.Andrew Bartlett2002-10-122-10/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The actual design change is relitivly small however: It all goes back to jerry's 'BOOL store', added to many of the elements in a SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into ldap. This was a great win for admins, and this patch follows in the same way. This patch extends the concept - we don't store values back into LDAP unless they have been changed. So if we read a value, but don't update it, or we read a value, find it's not there and use a default, we will not update ldap with that value. This reduced clutter in our LDAP DB, and makes it easier to change defaults later on. Metze's particular problem was that when we 'write back' an unchanged value, we would clear any muliple values in that feild. Now he can still have his mulitivalued 'uid' feild, without Samba changing it for *every* other operation. This also applies to many other attributes, and helps to eliminate a nasty race condition. (Time between get and set) This patch is big, and needs more testing, but metze has tested usrmgr, and I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly flawed ;-). The same system will be introduced into the SAM code shortly, but this fixes bugs that people were coming across in production uses of Samba 3.0/HEAD, hence it's inclusion here. Andrew Bartlett
generated by cgit (git 2.34.1) at 2025-09-25 17:28:20 +0000