summaryrefslogtreecommitdiffstats
path: root/source3/auth
Commit message (Collapse)AuthorAgeFilesLines
* auth: Provide a way to use the auth stack for winbindd authenticationAndrew Bartlett2014-06-113-10/+28
| | | | | | | | | | | | | | This adds in flags that allow winbindd to request authentication without directly calling into the auth_sam module. That in turn will allow winbindd to call auth_samba4 and so permit winbindd operation in the AD DC. Andrew Bartlett Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* smbd: fix creation of BUILTIN\{Administrators,Users} when "tdbsam:map ↵Michael Adam2014-05-191-3/+13
| | | | | | | | | | | | | | | | builtin = false" In this case, passdb/group mapping is not responsible for the id mapping of the builtins, so the check whether the SID maps to a unix ID is not valid for checking whether the builtin has been created as a proper group. So this patch changes the check to whether we find the builtin in the group mapping database. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon May 19 16:41:41 CEST 2014 on sn-devel-104
* auth: Allow auth_samba4 to be forced to run a specific auth moduleAndrew Bartlett2014-05-162-12/+27
| | | | | | | | | | This will allow new tests to be written to validate winbindd authentication results Andrew Bartlett Change-Id: I008eba1de349b17ee4eb9f11be08338557dffecc Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-auth: Register ncalrpc_as_system gensec module.Andreas Schneider2014-04-241-1/+3
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3:auth: allow special SYSTEM and ANONYMOUS handling in ↵Stefan Metzmacher2014-04-241-2/+43
| | | | | | | | | | auth3_generate_session_info() auth_ctx->generate_session_info() will be used by the SCHANNEL and NCALRPC_AS_SYSTEM gensec modules in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Move wbcAuthUserInfo_to_netr_SamInfo3 to the top levelAndrew Bartlett2014-04-182-192/+0
| | | | | | | | | This allows auth_winbind in source4 to use this more correct conversion routine. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth: Remove support for HAVE_TRUNCATED_SALT from pass_check.cAndrew Bartlett2014-04-151-14/+0
| | | | | | | | | | | The comments indicate that this was needed for HP-UX at one point, but the configure code was never ported to WAF. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Apr 15 12:32:09 CEST 2014 on sn-devel-104
* auth: Remove USE_BOTH_CRYPT_CALLS block from pass_check.cAndrew Bartlett2014-04-151-20/+0
| | | | | | | | This code is dead since the move to the WAF build system, but was set for HP-UX 9, 10 and 11 in the autoconf build system. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove linux_bigcrypt support from pass_check.cAndrew Bartlett2014-04-151-32/+0
| | | | | | | This is dead code, and probably has been for quite some time. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove support for plaintext auth on systems that use getprpwnam()Andrew Bartlett2014-04-151-10/+0
| | | | | | | | The WAF build does not have the code to detect getprpwnam, so this is dead code. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove plaintext OSF1 password supportAndrew Bartlett2014-04-151-64/+0
| | | | | | | | The WAF build does not have the code to detect getprpwnam on which this is based, and so this is dead code. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove afs_auth() from pass_check.c and s4's auth_unixAndrew Bartlett2014-04-151-35/+0
| | | | | | | | The waf build does not have code to detect support for AFS plaintext authentication, so this is dead code. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove dfs_auth() from pass_check.c and s4's auth_unixAndrew Bartlett2014-04-151-315/+0
| | | | | | | | The waf build has no logic to detect DCE/DFS, so this plaintext authentication mechanism is dead code. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove unused PASSWORD_LENTH macro from pass_check.cAndrew Bartlett2014-04-151-6/+0
| | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove static variable ths_user from password_check() codeAndrew Bartlett2014-04-151-36/+9
| | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-auth: Do not reset bad password count to 0 if account is disabledAndrew Bartlett2014-04-021-11/+11
| | | | | | Change-Id: I895435fb278eae5d92b4a8e15d062769c0e8a71a Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3-auth: Only call pdb_get_acct_ctrl() once in check_sam_securityAndrew Bartlett2014-04-021-4/+6
| | | | | | Change-Id: I43792711543e25c50c29ab5a24d16f614c670cca Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3-auth: Add prototype for plugin function to reduce warnings in auth_samba4Andrew Bartlett2014-04-021-0/+1
| | | | | | Change-Id: I0aa703bb2766f1353a176a0c3f25424bbc4953f5 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
* s3-auth: Remember to always free the talloc_stackframe() in auth_samba4Andrew Bartlett2014-04-021-0/+2
| | | | | | Change-Id: I94469de9d463ee90365bae43094231efaf0a7d8c Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
* auth_samba4: Fix auth_samba4 to correctly provide a messaging context for itselfAndrew Bartlett2014-04-021-16/+9
| | | | | | | | This is done by calling make_auth4_context_s4(), avoiding code duplication. Change-Id: I3a3bf4e4273f27078c308d55102e4a1f4b052d17 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
* s3-auth: Finally change make_user_info_*() use a parent talloc contextAndrew Bartlett2014-04-024-34/+40
| | | | | | Change-Id: Iedf516e8c24e0d18064aeedd8e287ed692d3c5b4 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
* s3: smbd: Factor out code that calls getgroups_unix_user() into a separate ↵Jeremy Allison2014-03-251-52/+92
| | | | | | | | | | | | | | | | | | | | | | function. This code needs to special-case the guest user, as this token can have the token_sid[0] set to the Guest SID, not the mapping of UNIX uid -> SID. Other users that may have a well-known SID set in token_sid[0] (like SYSTEM) are usually not mappable to UNIX users and can be ignored when adding local groups from /etc/group. Found by <linux@kukkukk.com>. Second part of the bugfix for: https://bugzilla.samba.org/show_bug.cgi?id=10508 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3: smbd: Ensure we always go via getgroups_unix_user() when creating an NT ↵Jeremy Allison2014-03-211-0/+61
| | | | | | | | | | | | | | | token. This has to be done in every code path that creates an NT token, as remote users may have been added to the local /etc/group database. Tokens created merely from the info3 structs (via the DC or via the krb5 PAC) won't have these local groups. https://bugzilla.samba.org/show_bug.cgi?id=10508 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Simo Sorce <idra@samba.org>
* s3-auth: Steal the memory to avoid duplication.Andreas Schneider2014-03-131-5/+1
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
* s3-auth: Do not leak tmp_ctx if make_server_info() fails.Andreas Schneider2014-03-131-1/+2
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
* s3-auth: Make is_null_sid() check easier to read.Simo Sorce2014-03-131-2/+3
| | | | | | Signed-off-by: Simo Sorce <idra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
* CVE-2013-4496:s3:auth: fix memory leak in the ACCOUNT_LOCKED_OUT case.Stefan Metzmacher2014-03-131-0/+1
| | | | | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245 Change-Id: Iabf22753effd80086d7956619a3dae830e487da8 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-on: https://gerrit.samba.org/161
* Remove all uses of the NT_STATUS_NOT_OK_RETURN_AND_FREE macro from the codebase.Garming Sam2014-03-051-2/+8
| | | | | | | | | | Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls. Change-Id: I421e169275fe323e2b019c6cc5d386289aec07f7 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* Remove a number of NT_STATUS_HAVE_NO_MEMORY_AND_FREE macros from the codebase.Garming Sam2014-03-051-11/+44
| | | | | | | | | | | Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls. Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-auth: Pass mem_ctx to do_map_to_guest_server_info().Andreas Schneider2014-02-193-11/+16
| | | | | | | | Change-Id: If53117023e3ab37c810193edd00a81d247fdde7a Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Feb 19 01:28:14 CET 2014 on sn-devel-104
* s3-auth: Pass mem_ctx to auth_check_ntlm_password().Andreas Schneider2014-02-193-24/+40
| | | | | | | | | | Coverity-Id: 1168009 BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598 Signed-off-by: Andreas Schneider <asn@samba.org> Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-auth: Pass mem_ctx to make_server_info_sam().Andreas Schneider2014-02-194-28/+47
| | | | | | | | | | Coverity-Id: 1168009 BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598 Signed-off-by: Andreas Schneider <asn@samba.org> Change-Id: Ie614b0654c3a7eec1ebb10dbb9763696eec795bd Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: Make new_server_id_task() static to auth_samba4Volker Lendecke2014-02-121-0/+42
| | | | | | | | This is not used in other parts of source3, so this patch improves modularity and isolation of features. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* param: rename lp function and variable from "encrypted_passwords" to ↵Garming Sam2014-02-071-1/+1
| | | | | | | | "encrypt_passwords" Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* param: rename lp function and variable from "adduser_script" to ↵Garming Sam2014-02-071-1/+1
| | | | | | | | "add_user_script" Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* param: rename lp function and variable from 'guestaccount' to 'guest_account'Garming Sam2014-02-073-4/+4
| | | | | | Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s3-auth: Add passwd_to_SamInfo3().Andreas Schneider2014-02-052-73/+36
| | | | | | | | | | | | | | | | | | Correctly lookup users which come from smb.conf. passwd_to_SamInfo3() tries to contact winbind if the user is a domain user to get valid information about it. If winbind isn't running it will try to create everything from the passwd struct. This is not always reliable but works in most cases. It improves the current situation which doesn't talk to winbind at all. BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598 Pair-Programmed-With: Guenther Deschner <gd@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Feb 5 01:40:38 CET 2014 on sn-devel-104
* s3-auth: Pass talloc context to make_server_info_pw().Andreas Schneider2014-02-054-29/+42
| | | | | | | Pair-Programmed-With: Guenther Deschner <gd@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-auth: Add passwd_to_SamInfo3().Andreas Schneider2014-02-052-0/+120
| | | | | | | | | | | | | First this function tries to contacts winbind if the user is a domain user to get valid information about it. If winbind isn't running it will try to create everything from the passwd struct. This is not always reliable but works in most cases. It improves the current situation which doesn't talk to winbind at all. Pair-Programmed-With: Guenther Deschner <gd@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:auth_domain: make use of rpccli_netlogon_network_logon()Stefan Metzmacher2014-01-071-14/+22
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:auth_domain: make use of rpccli_{create,setup}_netlogon_creds()Stefan Metzmacher2014-01-071-51/+85
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:auth_domain: simplify connect_to_domain_password_server()Stefan Metzmacher2014-01-071-19/+12
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth_samba4: Describe the slightly unusual role of auth_samba4Andrew Bartlett2013-12-161-4/+39
| | | | | | | | Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Dec 16 03:18:00 CET 2013 on sn-devel-104
* s3:auth_domain: remove dead code in check_trustdomain_security()Stefan Metzmacher2013-10-171-22/+0
| | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* build: get rid of vars=locals() in source3/auth/wscript_buildMichael Adam2013-09-241-4/+2
| | | | | Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* build: get rid of source-variables in source3/auth/wscript_buildMichael Adam2013-09-241-20/+11
| | | | | Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* s3-auth: register schannel gensec module in auth_generic_prepare() as well.Günther Deschner2013-09-191-1/+4
| | | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Pair-Programmed-With: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* lib: Use "mem_ctx" arg in gencache_getVolker Lendecke2013-09-051-3/+2
| | | | | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Signed-off-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Sep 5 20:09:21 CEST 2013 on sn-devel-104
* lib: Add a "mem_ctx" arg to gencache_get (unused so far)Volker Lendecke2013-09-051-1/+1
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth/gensec: treat struct gensec_security_ops as const if possible.Stefan Metzmacher2013-08-101-7/+8
| | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
generated by cgit (git 2.34.1) at 2024-05-30 16:41:43 +0000