summaryrefslogtreecommitdiffstats
path: root/source4/auth/ntlm
Commit message (Collapse)AuthorAgeFilesLines
* added a uid_wrapper libraryAndrew Tridgell2009-08-051-1/+1
| | | | | | | | | | | | | | | | | | | | This library intercepts seteuid and related calls, and simulates them in a manner similar to the nss_wrapper and socket_wrapper libraries. This allows us to enable the vfs_unixuid NTVFS module in the build farm, which means we are more likely to catch errors in the token manipulation. The simulation is not complete, but it is enough for Samba4 for now. The major areas of incompleteness are: - no emulation of setreuid, setresuid or saved uids. These would be needed for use in Samba3 - no emulation of ruid changing. That would also be needed for Samba3 - no attempt to emulate file ownership changing, so code that (for example) tests whether st.st_uid matches geteuid() needs special handling
* s4:kerberos Add support for user principal names in certificatesAndrew Bartlett2009-07-281-1/+1
| | | | | | | | | | | | | | This extends the PKINIT code in Heimdal to ask the HDB layer if the User Principal Name name in the certificate is an alias (perhaps just by case change) of the name given in the AS-REQ. (This was a TODO in the Heimdal KDC) The testsuite is extended to test this behaviour, and the other PKINIT certficate (using the standard method to specify a principal name in a certificate) is updated to use a Administrator (not administrator). (This fixes the kinit test). Andrew Bartlett
* s4 auth_winbind: Internally, info3 has utf8 buffers, not utf16 buffers.Kai Blin2009-06-251-63/+16
| | | | Thanks to gd for the catch.
* s4 auth_winbind: Don't allocate the rids for the info3 structure within the loopKai Blin2009-06-251-4/+4
|
* s4: Add libwbclient backend to auth_winbindKai Blin2009-06-252-1/+216
|
* s4:kdc Allow a password change when the password is expiredAndrew Bartlett2009-06-181-1/+1
| | | | | | | | | | | | | | This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on. Andrew Bartlett
* changed the auth path to use extended DN ops to avoid non-indexed searchesAndrew Tridgell2009-06-041-28/+19
| | | | | | | | | | | | | | | | | | Logs showed that every SAM authentication was causing a non-indexed ldb search for member=XXX. This was previously indexed in Samba4, but since we switched to using the indexes from the full AD schema it now isn't. The fix is to use the extended DN operations to allow us to ask the server for the memberOf attribute instead, with with the SIDs attached to the result. This also means one less search on every authentication. The patch is made more complex by the fact that some common routines use the result of these user searches, so we had to update all searches that uses user_attrs and those common routines to make sure they all returned a ldb_message with a memberOf filled in and the SIDs attached.
* Don't use crossRef records to find our own domainAndrew Bartlett2009-05-261-118/+26
| | | | | | | | A single AD server can only host a single domain, so don't stuff about with looking up our crossRef record in the cn=Partitions container. We instead trust that lp_realm() and lp_workgroup() works correctly. Andrew Bartlett
* fixed interpretation of ACB_PWNOTREQAndrew Tridgell2009-05-251-14/+0
| | | | | | This bit actually means that we should ignore the minimum password length field for this user. It doesn't mean that the password should be seen as empty
* Port Samba4 to the new combined libcli/auth functionsAndrew Bartlett2009-04-142-6/+1
| | | | | | | For example, some of the new shared functionality was previously in the wkssvc torture test. Andrew Bartlett
* Move ntlm_check.h into the common libcli/authAndrew Bartlett2009-04-141-76/+0
|
* Move libcli/auth to the top levelAndrew Bartlett2009-04-141-603/+0
|
* s4: Use same function signature for convert_* as s3.Jelmer Vernooij2009-03-011-1/+1
|
* Add allow_badcharcnv argument to all conversion function, forJelmer Vernooij2009-03-011-1/+1
| | | | consistency with Samba 3.
* Push sam_get_server_info_principal into the auth subsystemAndrew Bartlett2009-02-133-10/+87
| | | | | | | | | This means it must be accessed via the supplied auth_context in the GENSEC server, and should remove the hard depenceny of GENSEC on the auth subsystem and ldb (allowing LDB not to rely on LDB is considered a good thing, apparently) Andrew Bartlett
* Remove auth/ntlm as a dependency of GENSEC by means of function pointers.Andrew Bartlett2009-02-131-0/+7
| | | | | | | | | | | When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
* s4:auth/ntlm: fix c++ warningStefan Metzmacher2009-02-051-1/+1
| | | | metze
* s4:auth: move make_server_info_netlogon_validation() function arroundStefan Metzmacher2009-01-211-1/+1
| | | | metze
* s4:lib/tevent: rename structsStefan Metzmacher2008-12-292-5/+5
| | | | | | | | | | | | | | | | | | | | list="" list="$list event_context:tevent_context" list="$list fd_event:tevent_fd" list="$list timed_event:tevent_timer" for s in $list; do o=`echo $s | cut -d ':' -f1` n=`echo $s | cut -d ':' -f2` r=`git grep "struct $o" |cut -d ':' -f1 |sort -u` files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4` for f in $files; do cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp mv $f.tmp $f done done metze
* s4: Always link in auth, as some of the core infrastructure depends on it.Jelmer Vernooij2008-12-221-0/+1
|
* s4:kdc: allow a trusted domain to get kerberos ticketsStefan Metzmacher2008-12-041-1/+2
| | | | metze
* Remove another use of global_loadparm.Jelmer Vernooij2008-11-021-0/+1
| | | | | | Eventually, we should move some of these parameters into a separate struct (perhaps into smb_transport_options?), to avoid the long lists of parameters.
* Add gensec_settings structure. This wraps loadparm_context for now, butJelmer Vernooij2008-11-021-0/+1
| | | | should in the future only contain some settings required for gensec.
* Remove another use of global_loadparm.Jelmer Vernooij2008-11-021-0/+1
|
* Remove use of lp_*() from ntlm_check.c.Jelmer Vernooij2008-11-013-16/+18
|
* Remove iconv_convenience argument from convert_string{,talloc}() butJelmer Vernooij2008-10-241-1/+1
| | | | make them wrappers around convert_string{,talloc}_convenience().
* Eliminate another instance of global_loadparm.Jelmer Vernooij2008-10-241-0/+2
|
* Remove iconv_convenience parameter from simple string push/pullJelmer Vernooij2008-10-241-1/+1
| | | | functions.
* Make sure prototypes are always included, make some functions static andJelmer Vernooij2008-10-203-13/+2
| | | | remove some unused functions.
* Create a 'straight paper path' for UTF16 passwords.Andrew Bartlett2008-10-161-1/+1
| | | | | | | | | | | | | | | | | | | | | This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
* Remove unused variable.Jelmer Vernooij2008-10-151-1/+0
|
* Fix include paths to new location of libutil.Jelmer Vernooij2008-10-112-2/+2
|
* Pass session options around; saves another use of global_loadparm.Jelmer Vernooij2008-09-301-0/+1
|
* Move source4/lib/crypto to lib/crypto.Jelmer Vernooij2008-09-241-1/+1
|
* Always set a session key, even for the 'no password' case.Andrew Bartlett2008-08-081-0/+2
| | | | | | | This is for bug 5664 reported by Tom <hto@arcor.de>. Andrew Bartlett (This used to be commit a106a4ccc435d149072fb884caf95e5517cd4204)
* auth_server: set the workstation nameStefan Metzmacher2008-08-011-0/+4
| | | | | metze (This used to be commit 6d640ee4b84c72f6c2da0ee047c9bac916bf3e57)
* auth_server: fix the logic of server_get_challenge()Stefan Metzmacher2008-08-011-4/+4
| | | | | metze (This used to be commit 699e3cdb52acdf2524347d8c053730306c579dd9)
* auth_server: fix segfault reported by Julien Kerihuel ↵Stefan Metzmacher2008-08-011-1/+1
| | | | | | | <j.kerihuel@openchange.org> metze (This used to be commit c2cc8ef943e8c2e02edb1eb20214de245cc6914c)
* auth: don't force the build of auth_server as shared_moduleStefan Metzmacher2008-06-301-1/+0
| | | | | metze (This used to be commit b5187dd58ccae03e22ba8857c344a2d7d94f13b3)
* Don't regenerate pam_errors.h any more.Andrew Bartlett2008-05-201-2/+0
| | | | | | | Due to the new rules on prototypes, it must be a static header file. Andrew Bartlett (This used to be commit cf60a9b34ec2419b2bc03a37190cb17ad4cf3d5f)
* Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-localAndrew Bartlett2008-05-202-23/+32
|\ | | | | | | | | | | | | | | | | | | Fix config.mk due to changing syntax. Conflicts: source/libcli/config.mk source/nbt_server/config.mk (This used to be commit 6a1c76f29f78183f44dfac6f468c5e728d2cb2cf)
| * Fix a bunch of dependencies.Jelmer Vernooij2008-05-181-1/+1
| | | | | | | | (This used to be commit a63f458462d207d215a6e4ef8e480b0c8daedf6a)
| * Fix a couple (well, little more than that..) of typos.Jelmer Vernooij2008-05-181-2/+2
| | | | | | | | (This used to be commit a6b52119940a900fb0de3864b8bca94e2965cc24)
| * Create prototype headers from Makefile directory, without smb_build in the ↵Jelmer Vernooij2008-05-181-2/+3
| | | | | | | | | | | | middle. (This used to be commit f4a77b96f9c17d853348b70794026e5b9e384942)
| * Use variables for source directory in a couple more places.Jelmer Vernooij2008-05-181-9/+9
|/ | | | (This used to be commit 2860a7db5968c7007522cdb300eba390da929ab8)
* Clean up some git merges gone wrong.Jelmer Vernooij2008-05-101-1/+1
| | | | (This used to be commit 42eb6b33462228467e65a51bbf624c481802b090)
* Merge branch 'v4-0-test' into v4-0-gmake3Jelmer Vernooij2008-05-101-2/+1
| | | | | | | | | Conflicts: source/auth/config.mk source/auth/gensec/config.mk source/torture/smbtorture.c (This used to be commit edfd02e59bba86b977bd60848f57a614691fff7a)
* Tiago Batista posted a patch to fix the build:Tiago Batista2008-05-061-1/+1
| | | | | | | | | Trying to compile the latest git tree, I got some errors "auth/pam_error.h not found" errors, it looks like it moved to auth/ntlm/pam_errors.h. Andrew Bartlett (This used to be commit 95831a015ae076b52256961f771f50dd9b278e33)
* Fix the build after the auth/ -> auth/ntlm/ renameAndrew Bartlett2008-05-056-6/+6
| | | | | | | I need to fix up the header inclusion, but this fixes things for now. Andrew Bartlett (This used to be commit 7c07edb24b31e7dc3e9b836ec4a6680ee2b04276)
* Move NTLM authentication details into auth/ntlmAndrew Bartlett2008-05-0515-0/+3966
This should help clarify the role of the various files around here (done on Jelmer's request). Andrew Bartlett (This used to be commit efa399037511ced8978f2e7661a71aac7a384883)
generated by cgit (git 2.34.1) at 2025-09-03 01:30:35 +0000