path: root/source3/auth
Commit message [Author; Age; Files; Lines]
* s3/auth map NULL domains to our global sam name [Steven Danneman; 2009-05-29; files: 1; lines: -9/+3]
| This is an addendum to d8c54fdd, which made make_user_info_map() match Windows behavior by mapping untrusted domains given to smbd on the wire with the user's credentials to smbd's global sam name.
| This fix was being circumvented in the case where the client passed a NULL domain. Vista clients do this. In that case smbd was always remapping the name to the machine workgroup. The NULL domain case should also be mapped to the global sam name.
| Removing the code in this patch causes us to fall down to the logic added in d8c54fdd and properly map the domain.
| (cherry picked from commit fbca26923915a70031f561b198cfe2cc0d9c3aa6)
| (cherry picked from commit 22b9d9d28d9acd68a9bc492530fcd0a565ff0aa3)
* Fix a bunch of compiler warnings about wrong format types. [Jeremy Allison; 2009-05-26; files: 1; lines: -5/+5]
| Should make Solaris 10 builds look cleaner. Jeremy.
| (cherry picked from commit b5947b876f3c777e075879d305b6672a6c8d8abd)
* s3-auth: use full 16byte session key in make_user_info_netlogon_interactive(). [Günther Deschner; 2009-05-26; files: 1; lines: -2/+1]
| Guenther
| (cherry picked from commit b5097d54cb74ca0ea328f9e029562f65f4a01134)
* Fix bug #6291 - force user stop working. [Jeremy Allison; 2009-05-26; files: 1; lines: -1/+37]
| A previous fix broke the invariant that *uid is always initialized on return from create_token_from_username(). Restore it. Jeremy.
| (cherry picked from commit e178c02a216fefc8295a7fd2d623c888c81f8734)
* s3-auth: rename static smb_create_user(). Sorry... [Günther Deschner; 2009-04-15; files: 1; lines: -2/+2]
| Guenther
| (cherry picked from commit 01a942d8ab5b5e430eb928dd58626fe16b9b04fe)
| (cherry picked from commit e67f9c77ce812b40a8e003d861bff64c6c6442fd)
* s3: fix guest auth when winbindd is running [Steven Danneman; 2009-02-26; files: 1; lines: -7/+7]
| This fix is very subtle. If a server is configured with "security = share" and "guest ok = yes" and winbindd is running, authorization will fail during tree connect.
| This is due to our inability to map the guest sid S-1-5-21-X-501 to a uid through sid_to_uid(). Winbindd is unaware of the hard coded mapping between this sid and whatever uid the name in lp_guestaccount() is assigned. So sid_to_uid() fails and we exit create_token_from_username() without ever calling pdb_getsampwsid() which IS aware of the hard coded mapping.
| This patch just reorganizes the code, moving sid_to_uid() down to the block of code in which it is needed, avoiding this early failure.
* s3: Fix 'assignment differ in signedness' warning [Tim Prouty; 2009-02-25; files: 1; lines: -1/+1]
|
* s3: Rename auth_onefs_wb and pdb_onefs_sam [Dan Sledz; 2009-02-24; files: 1; lines: -7/+23]
| auth_onefs_wb.c -> auth_wbc.c
| pdb_onefs_sam.c -> pdb_wbc_sam.c
| No changes to functionality
* Revert "s3 auth: Add parameter that forces every user through an NSS lookup" [Tim Prouty; 2009-02-21; files: 1; lines: -22/+4]
| After the discussion on samba-technical, it was decided that the best answer for now was to revert this change. The right way to do this is to rewrite the token api to use opaque tokens with pluggable modules.
| This reverts commit 8e19a288052bca5efdb0277a40c1e0fdd099cc2b.
* Fix the build on Solaris [Volker Lendecke; 2009-02-21; files: 1; lines: -1/+1]
|
* Fix some nonempty blank lines [Volker Lendecke; 2009-02-21; files: 1; lines: -31/+31]
|
* Remove the static "chal" from ntlmssp.c:get_challenge() [Volker Lendecke; 2009-02-21; files: 3; lines: -10/+15]
|
* Introduce a new authentication backend auth_onefs_wb [Dan Sledz; 2009-02-20; files: 1; lines: -0/+134]
| This new backend is custom tailored to onefs' unique requirements:
| 1) No fallback logic
| 2) Does not validate the domain of the user
| 3) Handles unencrypted passwords
* s3 auth: Add parameter that forces every user through an NSS lookup [Zach Loafman; 2009-02-16; files: 1; lines: -4/+22]
| When set to yes, "force username map" forces every user, even AD users, through an NSS lookup. This allows the token to be overridden with information from NSS in certain broken environments.
* s3:auth: only create_local_token() should add S-1-22-X-Y sids [Stefan Metzmacher; 2009-02-13; files: 1; lines: -27/+0]
| metze
* s3:auth: add S-1-22-X-Y sids to the local token [Stefan Metzmacher; 2009-02-13; files: 1; lines: -0/+38]
| metze
* s3: Added new parameter "map untrusted to domain" [Steven Danneman; 2009-02-12; files: 1; lines: -4/+8]
| When enabled this reverts smbd to the legacy domain remapping behavior when a user provides an untrusted domain.
| This partially reverts d8c54fdd
* s3: Change behavior when seeing an unknown domain. [Dan Sledz; 2009-02-11; files: 1; lines: -22/+35]
| After a lot of testing against various Windows servers (W2K, W2K3, W2K8), within an AD domain it seems that unknown domains will only be translated to the local account domain, not the netbios name of the member server's domain. This makes samba act more like Windows.
* Fix double free caused by incorrect talloc_steal usage. [Dan Sledz; 2009-02-11; files: 1; lines: -2/+2]
|
* S3: Fixes for coverity issues. [todd stecher; 2009-02-10; files: 1; lines: -2/+2]
|
* Fix some nonempty blank lines [Volker Lendecke; 2009-02-10; files: 1; lines: -9/+9]
|
* Fix a valgrind error: rpc_bind talloc_move()s the auth struct [Volker Lendecke; 2009-02-04; files: 1; lines: -2/+0]
|
* Ensure null termination of the password in mymachinepw, remove a debug [Volker Lendecke; 2009-02-04; files: 1; lines: -3/+1]
|
* Memory leaks and other fixes found by Coverity [todd stecher; 2009-01-21; files: 1; lines: -1/+3]
|
* Fix a typo [Volker Lendecke; 2009-01-21; files: 1; lines: -1/+1]
|
* Fix some nonempty blank lines [Volker Lendecke; 2009-01-20; files: 1; lines: -9/+9]
|
* Make cli_negprot return NTSTATUS instead of bool [Volker Lendecke; 2008-12-19; files: 1; lines: -3/+6]
|
* Fix bug #1254 - write list not working under share-level security [Jeremy Allison; 2008-12-04; files: 1; lines: -1/+1]
| A somewhat more elegant fix than I could use for 3.2.x or 3.0.x. Turns out the only part of check_user_ok() that needs to change for share level security is the VUID cache pieces, so I can just always use check_user_ok() for all lp_security() cases.
| Jeremy
* Make memcache_add_talloc NULL out the source pointer [Volker Lendecke; 2008-11-14; files: 1; lines: -2/+4]
| This is an orthogonality measure to make clear this pointer now belongs to the cache.
| (cherry picked from commit e6080c6e87d6fe3995b121a772bf3f6343fa666f)
* Make us clean under valgrind --leak-check=full by using ↵ [Jeremy Allison; 2008-11-06; files: 1; lines: -1/+1]
| talloc_autofree_context() instead of NULL.
| Remove the code in memcache that does a TALLOC_FREE on stored pointers. That's a disaster waiting to happen. If you're storing talloc'ed pointers, you can't know their lifecycle and they should be deleted when their parent context is deleted, so freeing them at some arbitrary point later will be a double-free.
| Jeremy.
* Add wrapper str_list_make_v3() to replace the old S3 behavior of [Jeremy Allison; 2008-11-06; files: 1; lines: -8/+8]
| str_list_make(). From Dan Sledz <dan.sledz@isilon.com>: In samba 3.2 passing NULL or an empty string returned NULL. In master, it now returns a list of length 1 with the first string set to NULL (an empty list).
| Jeremy.
* Use sockaddr_storage only where we rely on the size, use sockaddr [Jelmer Vernooij; 2008-10-23; files: 1; lines: -1/+1]
| otherwise (to clarify we can also pass in structs smaller than sockaddr_storage, such as sockaddr_in).
* Add data_blob_string_const_null() function that includes the terminating [Jelmer Vernooij; 2008-10-13; files: 1; lines: -2/+2]
| null byte and use it in Samba 3. This matches the behaviour prior to my data_blob changes.
* Use common strlist implementation in Samba 3 and Samba 4. [Jelmer Vernooij; 2008-10-12; files: 1; lines: -2/+2]
|
* Cope with changed signature of http_timestring(). [Jelmer Vernooij; 2008-10-11; files: 1; lines: -1/+1]
|
* Add netlogond auth method [Volker Lendecke; 2008-10-06; files: 1; lines: -0/+321]
| This authenticates against a local running samba4 using SamLogonEx. We retrieve the machine password using samba4's mymachinepwd script and store the schannel key for re-use in secrets.tdb.
* Simplify our main loop processing. A lot :-). Correctly use events for all the ↵ [Jeremy Allison; 2008-10-03; files: 1; lines: -0/+65]
| previous "special" cases. A step on the way to adding signals to the events and being able to merge the S3 event system with the S4 one.
| Jeremy.
* Revert "Split lookup_name() and create a new function called" [Simo Sorce; 2008-09-03; files: 2; lines: -7/+17]
| This reverts commit 8594edf666c29fd4ddf1780da842683dd81483b6.
| (This used to be commit ad462e2e2d025a7fc23e7dea32b2b442b528970b)
* Merge branch 'v3-devel' of ssh://git.samba.org/data/git/samba into v3-devel [Simo Sorce; 2008-08-26; files: 1; lines: -2/+3]
|\
| | (This used to be commit e038f1cf9fb305fc1e7a4189208e451d30aaa1f0)
| * auth: Fix build warning. [Günther Deschner; 2008-08-25; files: 1; lines: -2/+3]
| | Guenther
| | (This used to be commit 4661ef625a6522d6f859b83e3e3702f01d0b952f)
* | Split lookup_name() and create a new function called [Simo Sorce; 2008-08-17; files: 2; lines: -17/+7]
|/
| lookup_domain_name(). This new function accepts separated strings for domain and name.
| (This used to be commit 8594edf666c29fd4ddf1780da842683dd81483b6)
* Fix show-stopper for 3.2. Smbd depends on group SID [Jeremy Allison; 2008-08-14; files: 1; lines: -0/+34]
| position zero being the primary group sid. Authenticating via winbindd call returned a non-sorted sid list. This fix is for both a winbindd call and a pac list from an info3 struct. Without this we mess up the primary group associated with created files. Found by Herb.
| Jeremy.
| (This used to be commit cb925dec85cfc4cfc194c3ff76dbeba2bd2178d7)
* Make it clear that this is a temporary context by using a talloc stackframe ↵ [Jeremy Allison; 2008-08-14; files: 1; lines: -22/+16]
| instead.
| Jeremy
| (This used to be commit 7f7dd5e8883e23d7fe3f9cb804905c5b23a5a41c)
* Removed redundant logging from create_builtin_users and ↵ [Tim Prouty; 2008-07-30; files: 1; lines: -16/+4]
| create_builtin_administrators
| The Debug messages in create_builtin_users and create_builtin_users have now been encapsulated in add_sid_to_builtin.
| (This used to be commit ca153139b1dced07c196aac93dbc9d9428d98124)
* Enabled domain groups to be added to builtin groups at domain join time [Tim Prouty; 2008-07-30; files: 1; lines: -2/+2]
| Previously this was done at token creation time if the Administrators and Users builtins hadn't been created yet. A major drawback to this approach is that if a customer is joined to a domain and decides they want to join a different domain, the domain groups from this new domain will not be added to the builtins.
| It would be ideal if these groups could be added exclusively at domain join time, but we can't rely solely on that because there are cases where winbindd must be running to allocate new gids for the builtins. In the future if there is a way to allocate gids for builtins without running winbindd, this code can be removed from create_local_nt_token.
| - Made create_builtin_users and create_builtin_administrators non-static so they can be called from libnet
| - Added a new function to libnet_join that will make a best effort to add domain administrators and domain users to BUILTIN\Administrators and BUILTIN\Users, respectively. If the builtins don't exist yet, winbindd must be running to allocate new gids, but if the builtins already exist, the domain groups will be added even if winbindd is not running. In the case of a failure the error will be logged, but the join will not be failed.
| - Plumbed libnet_join_add_dom_rids_to_builtins into the join post processing.
| (This used to be commit e92faf5996cadac480deb60a4f6232eea90b00f6)
* Refactored the code that adds Domain Admins to BUILTIN\Administrators to use ↵ [Tim Prouty; 2008-07-30; files: 1; lines: -26/+30]
| the new helper functions.
| - Modified create_builtin_administrators and add_builtin_administrators to take in the domain sid to reduce the number of times it needs to be looked up.
| - Changed create_builtin_administrators to call the new helper functions.
| - Changed create_local_nt_token to call the new version of create_builtin_administrators and handle the new error that can be returned.
| - Made it more explicit that add_builtin_administrators is only called when winbindd can't be pinged.
| (This used to be commit f6411ccb4a1530034e481e1c63b6114a93317b29)
* Refactored the code that adds Domain Users to BUILTIN\Users to use the new ↵ [Tim Prouty; 2008-07-30; files: 1; lines: -17/+22]
| helper functions.
| - Modified create_builtin_users to take in the domain sid to reduce the number of times it needs to be looked up.
| - Changed create_builtin_users to call the new helper functions.
| - Changed create_local_nt_token to call the new version of create_builtin_users and handle the new error that can be returned.
| (This used to be commit 8d75d40b9f6d22bae7430211f8a1fe99051b756c)
* Helper functions to enable domain groups to be added to builtin groups at ↵ [Tim Prouty; 2008-07-30; files: 1; lines: -0/+59]
| domain join time
| Added two new helper functions which wrap the raw pdb alias functions so they can be more conveniently called while adding domain groups to builtin groups.
| (This used to be commit 668ef314559df40f1b8aa0991539adcd8d35ffe3)
* Fix various build warnings [Zach Loafman; 2008-07-22; files: 1; lines: -1/+1]
| This fixes various build warnings on our platform. I'm sure I haven't caught them all, but it's a start.
| (This used to be commit 6b73f259cb67d9dda9127907d706f9244a871fa3)
* Refactoring: Change calling conventions for cli_rpc_pipe_open_schannel [Volker Lendecke; 2008-07-20; files: 1; lines: -2/+3]
| Pass in ndr_syntax_id instead of pipe_idx, return NTSTATUS
| (This used to be commit 1fcfca007f33a2c4e979abf30c2ea0db65bac718)