path: root/source4/auth
Commit message | Author | Age | Files | Lines
* auth: Provide a way to use the auth stack for winbindd authentication | Andrew Bartlett | 2014-06-11 | 3 | -2/+10
  This adds in flags that allow winbindd to request authentication without directly calling into the auth_sam module. That in turn will allow winbindd to call auth_samba4 and so permit winbindd operation in the AD DC.
  Andrew Bartlett
  Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Allow auth_samba4 to be forced to run a specific auth module | Andrew Bartlett | 2014-05-16 | 2 | -2/+2
  This will allow new tests to be written to validate winbindd authentication results
  Andrew Bartlett
  Change-Id: I008eba1de349b17ee4eb9f11be08338557dffecc
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s4:auth_winbind: explicitly use dcerpc_binding_handle_set_sync_ev() for irpc | Andrew Bartlett | 2014-05-13 | 1 | -0/+2
  This indicates that we're using nested event loops...
  Andrew Bartlett
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Change-Id: I08f21876d42197f76fe3ae10b4f464626d70bf5a
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* kerberos: Remove un-used event context argument from smb_krb5_init_context() | Andrew Bartlett | 2014-04-28 | 3 | -14/+1
  The event context here was only specified in the server or admin-tool context, which does not do network communication, so this only caused a talloc_reference() and never any useful result. The actual network communication code sets an event context directly before making the network call.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
* s4-auth: Make the auth_winbind_wbclient use more correct code now in auth/wbc_auth_util.c | Andrew Bartlett | 2014-04-18 | 1 | -86/+8
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth: Remove support for HAVE_TRUNCATED_SALT from pass_check.c | Andrew Bartlett | 2014-04-15 | 1 | -5/+0
  The comments indicate that this was needed for HP-UX at one point, but the configure code was never ported to WAF.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Tue Apr 15 12:32:09 CEST 2014 on sn-devel-104
* auth: Remove USE_BOTH_CRYPT_CALLS block from pass_check.c | Andrew Bartlett | 2014-04-15 | 1 | -20/+0
  This code is dead since the move to the WAF build system, but was set for HP-UX 9, 10 and 11 in the autoconf build system.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove linux_bigcrypt support from pass_check.c | Andrew Bartlett | 2014-04-15 | 1 | -8/+0
  This is dead code, and probably has been for quite some time.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove support for plaintext auth on systems that use getprpwnam() | Andrew Bartlett | 2014-04-15 | 1 | -9/+0
  The WAF build does not have the code to detect getprpwnam, so this is dead code.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove afs_auth() from pass_check.c and s4's auth_unix | Andrew Bartlett | 2014-04-15 | 1 | -4/+0
  The waf build does not have code to detect support for AFS plaintext authentication, so this is dead code.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove dfs_auth() from pass_check.c and s4's auth_unix | Andrew Bartlett | 2014-04-15 | 1 | -4/+0
  The waf build has no logic to detect DCE/DFS, so this plaintext authentication mechanism is dead code.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s4-auth: Support password history correctly, including allowing NTLM logins using the old password | Andrew Bartlett | 2014-04-02 | 2 | -26/+297
  This is only done during a 1 hour allowed period, by default. We only update bad password count when not one of the last 3 passwords
  Andrew Bartlett
  Change-Id: I76fd8010ce273a21efb55f9601d17b9978a0acf0
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.c | Andrew Bartlett | 2014-04-02 | 1 | -100/+0
  This allows the password_hash code to call the same update routine.
  Andrew Bartlett
  Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth: Split out badPwdCount update into a helper function | Andrew Bartlett | 2014-04-02 | 1 | -48/+79
  This will allow password_hash to call this using dsdb_module_*() functions.
  Andrew Bartlett
  Change-Id: Ib6705300f3f12f4e5e9c73bfd041e6f72bb3ac4a
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and lockoutTime on successful login | Andrew Bartlett | 2014-04-02 | 2 | -0/+67
  Change-Id: I2530f08a91f9b6484203dbdaba988f2df1a04ea1
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4-auth: Rework memory handling to use a tmp_ctx | Andrew Bartlett | 2014-04-02 | 1 | -17/+51
  Change-Id: Iceb4a04dbd04f581d2bbade86213c8ecfa35d306
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:auth: Add password lockout support to the AD DC | Andrew Bartlett | 2014-04-02 | 2 | -0/+124
  Including a fix by Arvid Requate <requate@univention.de>
  Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Put password lockout support in samdb_result_passwords() | Andrew Bartlett | 2014-04-02 | 1 | -9/+1
  This seems to be the best choke point to check for locked out accounts, as aside from the KDC, all the password authentication and change callers use it.
  Andrew Bartlett
  Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User-Account-Control-Computed | Andrew Bartlett | 2014-04-02 | 2 | -5/+5
  This allows us to avoid the domain lookup in the constructed attribute when not required. By using msDS-User-Account-Control-Computed the lockout and password expiry checks are now handled in the operational ldb module.
  Andrew Bartlett
  Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:auth/sam: use a higher time resolution in authsam_account_ok() | Stefan Metzmacher | 2014-04-02 | 1 | -2/+2
  Change-Id: I2961e7311f31e239a6768f56437e5c112a7a9bb0
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to NT_STATUS_ACCOUNT_LOCKED_OUT | Andrew Bartlett | 2014-04-02 | 1 | -0/+3
  Change-Id: I333083e11a56d0f99ec36df25a96804d0ff2d110
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:auth/gensec: explicitly use allow_warnings=True for gssapi and sasl modules | Stefan Metzmacher | 2014-04-02 | 1 | -0/+2
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth/ntlm: add auth4_sam_init() prototype to avoid a warning | Stefan Metzmacher | 2014-04-02 | 1 | -0/+1
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth: avoid str_list related const warnings | Stefan Metzmacher | 2014-04-02 | 2 | -3/+3
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth/gensec: fix declaration after code warning in gensec_tstream.c | Stefan Metzmacher | 2014-04-02 | 1 | -1/+2
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth/gensec: include gensec_krb5_util.h in gensec_krb5_util.c | Stefan Metzmacher | 2014-04-02 | 1 | -0/+1
  This avoids missing prototype warnings.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: remove tevent_context argument from gensec_update() | Stefan Metzmacher | 2014-03-27 | 1 | -1/+1
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:pygensec: don't pass an explicit tevent_context to gensec_update() | Stefan Metzmacher | 2014-03-27 | 1 | -9/+1
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Remove all uses of the NT_STATUS_NOT_OK_RETURN_AND_FREE macro from the codebase. | Garming Sam | 2014-03-05 | 1 | -1/+4
  Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls.
  Change-Id: I421e169275fe323e2b019c6cc5d386289aec07f7
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Remove the remaining uses of the macro NT_STATUS_HAVE_NO_MEMORY_AND_FREE in the codebase. | Garming Sam | 2014-03-05 | 1 | -14/+28
  Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls.
  Change-Id: Id1b540cde127395a7b27385a7c0fe79f3a145c73
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Remove a number of NT_STATUS_HAVE_NO_MEMORY_AND_FREE macros from the codebase. | Garming Sam | 2014-03-05 | 2 | -19/+76
  Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls.
  Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth4: Remove unused wbc_context | Volker Lendecke | 2014-03-05 | 1 | -1/+0
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Change-Id: I07d9f7d8028429564d91da39f8d1e73cc13a646c
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth4: Do not generate just a temporary wbc_context | Volker Lendecke | 2014-03-05 | 1 | -10/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Change-Id: I16e116d7f1fdaf165e1239c10723c51f3828126d
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth4: auth_session_info_fill_unix only needs a tevent_context | Volker Lendecke | 2014-03-05 | 2 | -3/+4
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Change-Id: Id453d68f57bd1dd15aa5778b317d258a6132d3d6
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth4: security_token_to_unix_token only needs a tevent_context | Volker Lendecke | 2014-03-05 | 1 | -3/+3
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Change-Id: I27e5b38fcd3ac899c55c0632ea5d92fad686d9b1
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* source4: Use wbc_sids_to_xids | Volker Lendecke | 2014-03-05 | 1 | -5/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Change-Id: I86ea6587c436247ce66207c517f9c8d567ecac1d
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Revert "source4: Use wbc_sids_to_xids" | Volker Lendecke | 2014-02-18 | 1 | -1/+5
  This reverts commit de7122ddc356697777cce95d22b3fab7697b30db.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Revert "auth4: security_token_to_unix_token only needs a tevent_context" | Volker Lendecke | 2014-02-18 | 1 | -3/+3
  This reverts commit 1de725c2926b526200032c4f46132c17533986c7.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Revert "auth4: auth_session_info_fill_unix only needs a tevent_context" | Volker Lendecke | 2014-02-18 | 2 | -4/+3
  This reverts commit 75d7c4609c1c743f84ca9f2d0666aece9e5200d4.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Revert "auth4: Do not generate just a temporary wbc_context" | Volker Lendecke | 2014-02-18 | 1 | -1/+10
  This reverts commit 5124a9e1183de990ca3146cd355152094495a779.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Revert "auth4: Remove unused wbc_context" | Volker Lendecke | 2014-02-18 | 1 | -0/+1
  This reverts commit 6b04558c5e0547a807ac0fcb5eeb1085cfe602ac.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s4:auth/gensec: only include "librpc/gen_ndr/dcerpc.h" | Stefan Metzmacher | 2014-02-13 | 2 | -2/+2
  We only need some DCERPC_ defines.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* auth4: Remove unused wbc_context | Volker Lendecke | 2014-02-10 | 1 | -1/+0
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Kai Blin <kai@samba.org>
* auth4: Do not generate just a temporary wbc_context | Volker Lendecke | 2014-02-10 | 1 | -10/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Kai Blin <kai@samba.org>
* auth4: auth_session_info_fill_unix only needs a tevent_context | Volker Lendecke | 2014-02-10 | 2 | -3/+4
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Kai Blin <kai@samba.org>
* auth4: security_token_to_unix_token only needs a tevent_context | Volker Lendecke | 2014-02-10 | 1 | -3/+3
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Kai Blin <kai@samba.org>
* source4: Use wbc_sids_to_xids | Volker Lendecke | 2014-02-10 | 1 | -5/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Kai Blin <kai@samba.org>
* samba:python - Py_RETURN_NONE remove compatibility code for releases < 2.4 | Matthias Dieter Wallnöfer | 2014-01-09 | 1 | -4/+0
  http://www.python.org/doc//current/c-api/none.html
  Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-User(master): Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date(master): Thu Jan 9 16:27:47 CET 2014 on sn-devel-104
* s4:gensec_gssapi: make sure gensec_gssapi_[un]seal_packet() rejects header signing | Stefan Metzmacher | 2014-01-07 | 1 | -0/+12
  If header signing is requested we should error out instead of silently ignoring it, our peer would hopefully reject it, but we should also do that.
  TODO: we should implement header signing using gss_wrap_iov().
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth/gensec_gssapi: handle GENSEC_FEATURE_SIGN_PKT_HEADER in have_feature() | Stefan Metzmacher | 2014-01-07 | 1 | -0/+12
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>