path: root/source3/smbd/sesssetup.c
Commit message | Author | Age | Files | Lines
* s3-auth: Remove security=share (deprecated since 3.6). | Andrew Bartlett | 2012-03-04 | 1 | -55/+25

  This patch removes security=share, which Samba implemented by matching the per-share password provided by the client in the Tree Connect with a selection of usernames supplied by the client, the smb.conf or guessed from the environment.

  The rationale for the removal is that for the bulk of security=share users, we just need a very simple way to run a 'trust the network' Samba server, where users mark shares as guest ok. This is still supported, and the smb.conf options are documented at https://wiki.samba.org/index.php/Public_Samba_Server

  At the same time, this closes the door on one of the most arcane areas of Samba authentication.

  Naturally, full user-name/password authentication remains available in security=user and above.

  This includes documentation updates for username and only user, which now only do a small amount of what they used to do.

  Andrew Bartlett

         --------------
        /              \
       /      REST      \
      /        IN        \
     /       PEACE        \
    /                      \
    | SEC_SHARE            |
    | security=share       |
    |                      |
    |                      |
    |       5 March        |
    |                      |
    |        2012          |
   *|    *  *  *           | *
   _________)/\\_//(\/(/\)/\//\/\///|_)_______
* s3-auth: Add extra error messages on authentication or authorization failure | Andrew Bartlett | 2012-02-17 | 1 | -0/+3

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-smbd Remove unused code now we always have SPNEGO via gensec | Andrew Bartlett | 2012-02-16 | 1 | -5/+2

  This was previously needed because SPNEGO was only available in the AD DC.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3:smbd: inline code in reply_sesssetup_and_X_spnego() | Stefan Metzmacher | 2012-01-31 | 1 | -102/+71

  This makes the logic much easier to follow.

  metze

  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Tue Jan 31 21:52:45 CET 2012 on sn-devel-104
* s3:smbd: the spnego session setup doesn't need to copy the in blob | Stefan Metzmacher | 2012-01-31 | 1 | -10/+5

  metze
* s3:smbd: rework reply_spnego_ntlmssp to reply_spnego_generic | Stefan Metzmacher | 2012-01-31 | 1 | -27/+5

  This removes the unused spnego_gen_auth_response() wrapping.

  metze
* s3:smbd: remove unused code from sesssetup.c | Stefan Metzmacher | 2012-01-31 | 1 | -545/+0

  metze
* s3:smbd: remove pending_auth_data logic | Stefan Metzmacher | 2012-01-31 | 1 | -267/+0

  This is handled by the gensec_spnego module.

  metze
* s3:smbd: always use the gensec code path in sesssetup.c | Stefan Metzmacher | 2012-01-31 | 1 | -67/+32

  The other code paths are unused, because we always have the spnego gensec module.

  metze
* s3:smbd: explicitly ask for GENSEC_FEATURE_UNIX_TOKEN | Stefan Metzmacher | 2012-01-12 | 1 | -0/+3

  metze

  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Thu Jan 12 11:22:53 CET 2012 on sn-devel-104
* s3-auth Remove ntlmssp_wrap.h which is no longer required | Andrew Bartlett | 2012-01-05 | 1 | -1/+0

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth use gensec directly rather than via auth_generic_state | Andrew Bartlett | 2012-01-05 | 1 | -27/+27

  This is possible because the s3 gensec modules are started as normal gensec modules, so we do not need a wrapper any more.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth Add TALLOC_CTX * to auth_generic_prepare() | Andrew Bartlett | 2012-01-05 | 1 | -3/+3

  This makes the long term owner of this memory more clear. So far only the clear cases have been moved from NULL however.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth remove auth_ntlmssp_start(), call auth_generic_start() directly | Andrew Bartlett | 2011-12-22 | 1 | -3/+3

  This makes it clear that this can support more than just NTLMSSP.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth rename auth_ntlmssp_prepare() -> auth_generic_prepare() | Andrew Bartlett | 2011-12-22 | 1 | -3/+3

  This function handles more than NTLMSSP now, at least when we are an AD DC and so changing the name may avoid some confusion in the future.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth rename auth_ntlmssp_state -> auth_generic_state | Andrew Bartlett | 2011-12-22 | 1 | -3/+3

  This structure handles more than NTLMSSP now, at least when we are an AD DC and so changing the name may avoid some confusion in the future.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3:smbd: pass smbd_server_connection and a snumused function pointer to reload_services() | Stefan Metzmacher | 2011-12-15 | 1 | -5/+5

  metze
* s3-ntlmssp Remove auth_ntlmssp_want_feature() | Andrew Bartlett | 2011-10-21 | 1 | -3/+3

  We now just call the gensec_want_feature() directly.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-ntlmssp Remove auth_ntlmssp_update wrapper | Andrew Bartlett | 2011-10-21 | 1 | -7/+7

  We now just call gensec_update directly.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth remove auth_ntlmssp_session_info() | Andrew Bartlett | 2011-10-21 | 1 | -2/+3

  Instead, call gensec_session_info() directly.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* ntlmssp: Move ntlmssp code to auth/ntlmssp | Andrew Bartlett | 2011-10-18 | 1 | -1/+1

  This brings in the code from both libcli/auth and source4/auth/ntlmssp.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3:smbd: make use of better SMB signing negotiation | Stefan Metzmacher | 2011-09-14 | 1 | -0/+18

  metze

  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Wed Sep 14 09:41:02 CEST 2011 on sn-devel-104
* ntlmssp: Add ntlmssp_blob_matches_magic() | Andrew Bartlett | 2011-08-03 | 1 | -1/+1

  This avoids having the same check in 3 different parts of the code

  Andrew Bartlett

  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Wed Aug 3 12:45:04 CEST 2011 on sn-devel-104
* s3-auth rename auth_ntlmssp_steal_session_info() | Andrew Bartlett | 2011-08-03 | 1 | -1/+1

  There is no longer any theft of memory as the underlying routines now produce a new auth_session_info for this caller, allocating it on the supplied memory context.

  Andrew Bartlett
* s3-smbd Be consistent with %U subs on guest logins | Andrew Bartlett | 2011-08-03 | 1 | -1/+1

  The NTLMSSP code always specified "" as the username, and this makes guest logins via the old-style session setup do the same.

  Andrew Bartlett
* s3-auth use auth_generic_start to get full GENSEC in Samba3 session setup | Andrew Bartlett | 2011-08-03 | 1 | -22/+32

  This tests if the auth_generic_start() hook is available on the auth context during the negprot, and if so it uses auth_generic_start() to hook to GENSEC to handle the full SPNEGO blob.

  Andrew Bartlett

  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-smbd clarify behaviour by not passing an OID that will not be used | Andrew Bartlett | 2011-08-03 | 1 | -1/+1

  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-smbd Ensure we do not read past the end of a possible NTLMSSP blob | Andrew Bartlett | 2011-08-03 | 1 | -1/+1

  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-auth set session_info->sanitized_username in create_local_token() | Andrew Bartlett | 2011-08-03 | 1 | -6/+4

  Rather than passing this value around the callers, and eventually setting it in register_existing_vuid(), we simply pass it to create_local_token().

  This also removes the need for auth_ntlmssp_get_username().

  Andrew Bartlett

  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-ntlmssp Split auth_ntlmssp_start into two functions | Andrew Bartlett | 2011-08-03 | 1 | -6/+35

  This helps map on to the GENSEC semantics better, and ensures that the full set of desired features are set before the mechanism starts.

  Andrew Bartlett

  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-ntlmssp Remove calls to auth_ntlmssp_and_flags from the server | Andrew Bartlett | 2011-08-03 | 1 | -1/+3

  This is changed so that the callers ask for the additional flags that they need, starting with no additional flags. This helps to create a proper abstraction layer in ntlmssp_wrap/auth_ntlmssp.

  Andrew Bartlett

  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-ntlmssp Add mem_ctx argument to auth_ntlmssp_update | Andrew Bartlett | 2011-08-03 | 1 | -5/+6

  This clarifies the lifetime of the returned token.

  Andrew Bartlett

  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-auth Move map to guest to directly after the check_password calls | Andrew Bartlett | 2011-08-03 | 1 | -71/+0

  This means we no longer need two different map to guest functions and have consistent logic with fewer layering violations.

  Andrew Bartlett

  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-auth Remove separate guest boolean | Andrew Bartlett | 2011-07-20 | 1 | -3/+4

  Instead, we base our guest calculations on the presence or absence of the authenticated users group in the token, ensuring that we have only one canonical source of this important piece of authorization data

  Andrew Bartlett

  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-auth Use the common auth_session_info | Andrew Bartlett | 2011-07-20 | 1 | -4/+4

  This patch finally has the same structure being used to describe the authorization data of a user across the whole codebase. This will allow of our session handling to be accomplished with common code.

  Andrew Bartlett

  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-auth Use guest boolean in auth_user_info_unix | Andrew Bartlett | 2011-07-20 | 1 | -3/+3

  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-auth Use struct auth3_session_info outside the auth subsystem | Andrew Bartlett | 2011-07-20 | 1 | -8/+39

  This separation between the structure used inside the auth modules and in the wider codebase allows for a gradual migration from struct auth_serversupplied_info -> struct auth_session_info (from auth.idl)

  The idea here is that we keep a clear separation between the structure before and after the local groups, local user lookup and the session key modifications have been processed, as the lack of this separation has caused issues in the past.

  Andrew Bartlett

  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-smbd: Replace client_id in smbd session setup. | Andreas Schneider | 2011-07-04 | 1 | -1/+1

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s3-auth: Pass the remote_address down to user_info. | Andreas Schneider | 2011-07-04 | 1 | -4/+8

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s3-auth: Added remote_address to ntlmssp server. | Andreas Schneider | 2011-07-04 | 1 | -3/+6

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s3-param Remove special case for global_myname(), rename to lp_netbios_name() | Andrew Bartlett | 2011-06-09 | 1 | -1/+1

  There is no reason this can't be a normal constant string in the loadparm system, now that we have lp_set_cmdline() to handle overrides correctly.

  Andrew Bartlett
* lib/util Bring procid_str() into lib/util as server_id_string() | Andrew Bartlett | 2011-06-09 | 1 | -1/+1

  This is needed for OpenChange, which prints Samba struct server_id values in debug messages.

  Andrew Bartlett
* Fix bug #6911 - Kerberos authentication from vista to samba fails when security blob size is greater than 16 kB | Jeremy Allison | 2011-05-27 | 1 | -3/+25

  We were not correctly checking the output of asn1_start_tag(). asn1_start_tag() returns -1 and sets data->has_error if the remaining blob size is too short to contain the tag length. We were checking data->has_error and returning NT_STATUS_OK (to allow the second asn.1 parse to fail in that case). We should not be checking data->has_error in this case, but falling through to the code that already checks the length.

  Thanks to Jim for reproducing this for me. We don't get bitten by this as we announce a max buffer size of 16k, greater than Windows's 4k, which means that most krb5 spnego packets already fit.

  Jeremy.

  Autobuild-User: Jeremy Allison <jra@samba.org>
  Autobuild-Date: Fri May 27 02:57:27 CEST 2011 on sn-devel-104
* More simple const fixes. | Jeremy Allison | 2011-05-05 | 1 | -2/+2
* s3-tsocket: only include ../lib/tsocket/tsocket.h where needed. | Günther Deschner | 2011-04-29 | 1 | -0/+1

  Guenther
* s3: only include smb profiling where needed. | Günther Deschner | 2011-04-14 | 1 | -0/+1

  Guenther

  Autobuild-User: Günther Deschner <gd@samba.org>
  Autobuild-Date: Thu Apr 14 01:31:39 CEST 2011 on sn-devel-104
* s3-auth use create_local_token() to transform server_info -> session_info | Andrew Bartlett | 2011-04-05 | 1 | -39/+25

  Before an auth_serversupplied_info struct can be used for authorization, the local groups and privileges must be calculated.

  create_local_token() now copies the server_info, and then sets the calculated token and unix groups.

  Soon, it will also transform the result into an expanded struct auth_session_info. Until then, the variable name (server_info vs session_info provides a clue to the developer about what information has been entered in the structure).

  By moving the calls to create_local_token within the codebase, we remove duplication, and ensure that the session key (where modified) is consistently copied into the new structure.

  Andrew Bartlett
* s3-auth consolidate create_local_token() into make_server_info_krb5() | Andrew Bartlett | 2011-04-04 | 1 | -19/+1

  This ensures that all callers don't need to each add builtin groups and privileges to the user's token

  Andrew Bartlett
* s3: Fix Coverity ID 2304: FORWARD_NULL | Volker Lendecke | 2011-03-30 | 1 | -3/+1
* s3-messages: make ndr_messaging.h part of messages.h. | Günther Deschner | 2011-03-30 | 1 | -1/+0

  Guenther