| Commit message (Collapse) | Author | Age | Files | Lines |
| |
subsystem.
The particular aim is to modularize the interface - so that we
can have arbitrary password back-ends.
This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality. While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.
This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists. It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.
Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.
While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.
The following parameters have changed:
- use rhosts =
This has been replaced by the 'rhosts' authentication method,
and can be specified like 'auth methods = guest rhosts'
- hosts equiv =
This needs both this parameter and an 'auth methods' entry
to be effective. (auth methods = guest hostsequiv ....)
- plaintext to smbpasswd =
This is replaced by specifying 'sam' rather than 'local'
in the auth methods.
The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.
The available auth methods are:
guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)
Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.
Andrew Bartlett
| |
Jeremy.
| |
Jeremy.
| |
winbindd.
| |
winbindd_lookup_sid_by_name. Also if the lookup fails then clobber
the output parameters rather than leaving them looking potentially
valid.
Add doxygen.
| |
pointer itself. (Whatever that is.... ;-)
| |
in smbd/process.c where the timezone is reinitialised. Was replaced with
check for a static is_initialised boolean.
| |
lookupname/lookupsid.
There was a bug in cli_lsa_lookup_name/lookup_sid where NT_STATUS_NONE_MAPPED was
being mapped to NT_STATUS_OK, and also the *wrong* number of entries mapped
was being returned. The correct field is mapped_count, *NOT* num_entries.
Jeremy.
| |
Jeremy.
| |
Jeremy.
| |
Jeremy.
| |
lookup uses password server parameter when looking for PDCs.
Jeremy.
| |
be easily added (a one liner) once we know the correct error codes returned
by a W2K DC.
All other winbindd calls should go through a similar transparent caching layer
(and will soon).
Jeremy.
| |
Jeremy.
| |
default, rather than in preprocessor macros.
| |
connection caching. Getting ready for back-merge to 2.2.3.
Jeremy.
| |
Now we just keep a record of the open pipes.
| |
loop in winbindd but it didn't work.
| |
Get list of trusted domains if we haven't fetched them yet.
| |
Cache negative connection attempt lookups.
Fixed logic bug in connection_ok()
| |
Get list of trusted domains if we haven't fetched them yet.
| |
Ignore the SIGUSR1 signal before we install a handler for it as glibc (?)
seems to just print out "User defined signal 1" and exit if no handler
is installed.
| |
Remove unused old file.
Test 42 byte reply to SMBntcreate (W2K does this).
Jeremy.
| |
call slprintf within a signal handler.
Jeremy.
| |
field.... well, now at least the code is there when it does :-).
Jeremy.
| |
the currently open connections when winbindd receives a USR1 signal.
Hmm - I've just realised this will conflict with the messaging code
but we don't use that yet.
| |
robust.
| |
Jeremy.
| |
requested name does not have a winbind separator character. This
makes the intent explicit. Tim, contact me if this is not what
you intended.
Jeremy.
| |
pam authentication. This allows us to link in less other crap.
Authenticating with a challenge/response doesn't seem to work though - we
always get back NT_STATUS_WRONG_PASSWORD.
| |
Got "medieval on our ass" about const warnings (as many as I could :-).
Jeremy.
| |
code.
In particular this assists tpot in some of his work, because it provides the
connection between the authentication and the vuid generation.
Major Changes:
- Fully malloc'ed structures.
- Massive rework of the code so that all structures are made and destroyed
using malloc and free, rather than hanging around on the stack.
- SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them
to be declared 'invalid' without the chance that people might get ROOT by
default.
- kill off some of the "DOMAIN\user" lookups. These can be readded at a more
appropriate place (probably domain_client_validate.c) in the future. They
don't belong in session setups.
- Massive introduction of DATA_BLOB structures, particularly for passwords.
- Use NTLMSSP flags to tell the backend what its getting, rather than magic
lengths.
- Fix winbind back up again, but tpot is redoing this soon anyway.
- Abstract much of the work in srv_netlog_nt back into auth helper functions.
This is a LARGE change, and any assistance in testing it is appreciated.
Domain logons are still broken (as far as I can tell) but other functionality
seems intact.
Needs testing with a wide variety of MS clients.
Andrew Bartlett
| |
To obtain the full group membership of a user (i.e. nested groups on a
win2k native mode server) it is necessary to merge this list of groups
with the groups returned by winbindd when creating an nt access token.
This breaks winbindd linking while AB and I sync up our changes to the
authentication subsystem.
| |
Volker
| |
In particular this commit focuses on:
Actually adding the 'const' to the passdb interface, and the flow-on changes.
Also kill off the 'disp_info' stuff, as it's no longer used.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes introduce a large dose of 'const' to the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently it's pretty bad, even in 2.2
where it compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
---
This finishes this line of commits off, your tree should now compile again :-)
Andrew Bartlett
| |
cli_samr_query_userinfo function used to do this.
| |
as one memory leak that has been there for ages!
Changed the way talloc is used in get{pw,gr}nam routines.
| |
per-call basis rather than per-connection.
Had a bit more of a reformatting fest.
Still need to run it through insure and handle downed connections.
| |
Pass domain structure around in cache code rather than the domain name.
Some misc reformatting to make things look prettier.
| |
immediately after the call.