sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-06 13:18:07 +03:00
Code
a105595697
samba-mirror/source4/auth/auth.h

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

217 lines
7.9 KiB
C
Raw Normal View History

Strip trailing spaces
2010-01-12 19:05:16 +03:00
/*
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
Unix SMB/CIFS implementation.
Standardised Authentication types
r4620: - add interface functions to the auth subsystem so that callers doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847)
2005-01-09 15:55:25 +03:00
Copyright (C) Andrew Bartlett 2001
Copyright (C) Stefan Metzmacher 2005
Strip trailing spaces
2010-01-12 19:05:16 +03:00
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 06:07:03 +04:00
the Free Software Foundation; either version 3 of the License, or
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
(at your option) any later version.
Strip trailing spaces
2010-01-12 19:05:16 +03:00
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
Strip trailing spaces
2010-01-12 19:05:16 +03:00
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
You should have received a copy of the GNU General Public License
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 06:07:03 +04:00
along with this program. If not, see <http://www.gnu.org/licenses/>.
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
*/
- port AUTH and PASSDB subsystems to new SMB_SUBSYSTEM() scheme - some const fixes in ntvfs metze (This used to be commit af89a78123068767b1d134969c5651a0fd978b0d)
2004-02-03 14:10:56 +03:00
#ifndef _SAMBA_AUTH_H
#define _SAMBA_AUTH_H
Heimdal provides Kerberos PAC parsing routines. Use them. This uses Heimdal's PAC parsing code in the: - LOCAL-PAC test - gensec_gssapi server - KDC (where is was already used, the support code refactored from here) In addition, the service and KDC checksums are recorded in the struct auth_serversupplied_info, allowing them to be extracted for validation across NETLOGON. Andrew Bartlett (This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
2008-08-28 10:28:47 +04:00
#include "librpc/gen_ndr/ndr_krb5pac.h"
s4-auth Add auth.idl to encode auth subsystem structures in IDL This is not only a useful way to encode stuff, it also allows python to handle the structures, and natrually allows them to be NDR encoded. Andrew Bartlett
2011-02-08 08:39:34 +03:00
#include "librpc/gen_ndr/auth.h"
s4:auth Move struct auth_usersupplied_info to a common location This also changes the calling convention slightly - we should always allocate this with talloc_zero() to allow some elements to be optional. Some elements may only make sense in Samba3, which I hope will use this common structure. Andrew Bartlett
2010-05-04 10:44:08 +04:00
#include "../auth/common_auth.h"
Heimdal provides Kerberos PAC parsing routines. Use them. This uses Heimdal's PAC parsing code in the: - LOCAL-PAC test - gensec_gssapi server - KDC (where is was already used, the support code refactored from here) In addition, the service and KDC checksums are recorded in the struct auth_serversupplied_info, allowing them to be extracted for validation across NETLOGON. Andrew Bartlett (This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
2008-08-28 10:28:47 +04:00
s4:kdc Rework KDC to pull in less attributes for krbtgt lookups Each attribute we request from LDB comes with a small cost, so don't lookup any more than we must for the (very) frequent krbtgt lookup case. Similarly, we don't need to build a PAC for a server (as a target), so don't ask for the PAC attributes here either. Andrew Bartlett
2009-07-16 11:37:36 +04:00
extern const char *krbtgt_attrs[];
extern const char *server_attrs[];
r24061: Anther part of bug #4823, which is that until now Samba4 didn't parse the logon hours, even if set. This code happily stolen from the great work in Samba3 :-) Andrew Bartlett (This used to be commit a4939ab629e0af0615bcecf63c7cd55e6e833505)
2007-07-27 10:31:12 +04:00
extern const char *user_attrs[];
r19598: Ahead of a merge to current lorikeet-heimdal: Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2006-11-07 03:48:36 +03:00
union netr_Validation;
r19614: fix compiler warnings metze (This used to be commit 1ca8651a59e95eeca2942e5e66c2141e3f65dd9f)
2006-11-07 15:42:51 +03:00
struct netr_SamBaseInfo;
struct netr_SamInfo3;
r26221: Add loadparm_context parameter to auth_context_create. (This used to be commit a9a9634df8f3137ecb308adb90a755f12af94972)
2007-12-02 18:20:18 +03:00
struct loadparm_context;
r3453: - split out the auth and popt includes - tidied up some of the system includes - moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl knows about inter-IDL dependencies (This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64)
2004-11-02 05:57:18 +03:00
- port AUTH and PASSDB subsystems to new SMB_SUBSYSTEM() scheme - some const fixes in ntvfs metze (This used to be commit af89a78123068767b1d134969c5651a0fd978b0d)
2004-02-03 14:10:56 +03:00
/* modules can use the following to determine if the interface has changed
* please increment the version number after each interface change
* with a comment and maybe update struct auth_critical_sizes.
*/
/* version 1 - version from samba 3.0 - metze */
/* version 2 - initial samba4 version - metze */
r443: Update Samba4 to the auth and NTLMSSP code from Samba3. Not all the auth code is merged - only those parts that are actually being used in Samba4. There is a lot more work to do in the NTLMSSP area, and I hope to develop that work here. There is a start on this here - splitting NTLMSSP into two parts that my operate in an async fashion (before and after the actual authentication) Andrew Bartlett (This used to be commit 5876c78806e6a6c44613a1354e8d564b427d0c9f)
2004-05-02 12:45:00 +04:00
/* version 3 - subsequent samba4 version - abartlet */
r4620: - add interface functions to the auth subsystem so that callers doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847)
2005-01-09 15:55:25 +03:00
/* version 4 - subsequent samba4 version - metze */
r17270: split the logic of saying this auth backend wants to handle this request from the password checking. This will help to make the password checking hook async later metze (This used to be commit 5b26cbc3428b4c186235cc08c9ace1c23f59dd7f)
2006-07-27 15:24:18 +04:00
/* version 0 - till samba4 is stable - metze */
s4-auth Rename auth -> auth4 to avoid conflict with s3 auth
2011-05-07 10:14:06 +04:00
#define AUTH4_INTERFACE_VERSION 0
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
r4620: - add interface functions to the auth subsystem so that callers doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847)
2005-01-09 15:55:25 +03:00
struct auth_method_context;
s4-auth Rename auth -> auth4 to avoid conflict with s3 auth
2011-05-07 10:14:06 +04:00
struct auth4_context;
s4:auth Change auth_generate_session_info to take an auth context The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and and loadparm context for calculating the local groups too, so re-use that infrustructure we already have in place. However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and an generate_session_info() function pointer in the struct auth_context. In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply . Andrew Bartlett
2010-04-13 06:00:06 +04:00
struct auth_session_info;
s4:auth Allow the operational module to get a user's tokenGroups from auth This creates a new interface to the auth subsystem, to allow an auth_context to be created from the ldb, and then tokenGroups to be calculated in the same way that the auth subsystem would. Andrew Bartlett
2010-04-15 05:58:05 +04:00
struct ldb_dn;
s4-gensec: Move parsing of the PAC blob and creating the session_info into auth This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a seperation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
2011-12-28 10:48:45 +04:00
struct smb_krb5_context;
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
r4620: - add interface functions to the auth subsystem so that callers doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847)
2005-01-09 15:55:25 +03:00
struct auth_operations {
const char *name;
ntlmssp over rpc over tcp now fully works I needed to hack the ntlmssp code a little, as the auth code in samba4 is out of date relative to the samba3 auth code. I need to do a merge :) (This used to be commit 6ee0935afe9444bf9bb24eed4e02e8377dc746b7)
2003-12-14 13:45:50 +03:00
r17270: split the logic of saying this auth backend wants to handle this request from the password checking. This will help to make the password checking hook async later metze (This used to be commit 5b26cbc3428b4c186235cc08c9ace1c23f59dd7f)
2006-07-27 15:24:18 +04:00
/* Given the user supplied info, check if this backend want to handle the password checking */
NTSTATUS (*want_check)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info);
r6498: Add comments in line with those I already added to 3.0. Please don't re-invent security=server :-) Andrew Bartlett (This used to be commit b3a38e9c8ce9758db31aec53db29290a240868be)
2005-04-27 04:48:39 +04:00
/* Given the user supplied info, check a password */
s4:auth/ntlm: allow auth_operations to specify check_password_send/recv() This prepares real async handling in the backends. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Jun 27 21:09:08 CEST 2017 on sn-devel-144
2017-06-17 01:05:22 +03:00
struct tevent_req *(*check_password_send)(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct auth_method_context *ctx,
const struct auth_usersupplied_info *user_info);
NTSTATUS (*check_password_recv)(struct tevent_req *subreq,
TALLOC_CTX *mem_ctx,
struct auth_user_info_dc **interim_info,
s4:auth: Add audit info parameters to check_password_recv() These pointers can be set by implementing functions in order for them to be logged in auth_check_password_recv(). Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-16 01:21:59 +03:00
const struct authn_audit_info **client_audit_info,
const struct authn_audit_info **server_audit_info,
s4:auth/ntlm: allow auth_operations to specify check_password_send/recv() This prepares real async handling in the backends. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Jun 27 21:09:08 CEST 2017 on sn-devel-144
2017-06-17 01:05:22 +03:00
bool *authoritative);
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
};
r4620: - add interface functions to the auth subsystem so that callers doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847)
2005-01-09 15:55:25 +03:00
struct auth_method_context {
struct auth_method_context *prev, *next;
s4-auth Rename auth -> auth4 to avoid conflict with s3 auth
2011-05-07 10:14:06 +04:00
struct auth4_context *auth_ctx;
r4620: - add interface functions to the auth subsystem so that callers doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847)
2005-01-09 15:55:25 +03:00
const struct auth_operations *ops;
int depth;
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
void *private_data;
r4620: - add interface functions to the auth subsystem so that callers doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847)
2005-01-09 15:55:25 +03:00
};
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
- port AUTH and PASSDB subsystems to new SMB_SUBSYSTEM() scheme - some const fixes in ntvfs metze (This used to be commit af89a78123068767b1d134969c5651a0fd978b0d)
2004-02-03 14:10:56 +03:00
/* this structure is used by backends to determine the size of some critical types */
struct auth_critical_sizes {
int interface_version;
int sizeof_auth_operations;
int sizeof_auth_methods;
int sizeof_auth_context;
int sizeof_auth_usersupplied_info;
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
int sizeof_auth_user_info_dc;
- port AUTH and PASSDB subsystems to new SMB_SUBSYSTEM() scheme - some const fixes in ntvfs metze (This used to be commit af89a78123068767b1d134969c5651a0fd978b0d)
2004-02-03 14:10:56 +03:00
};
s4-auth Rename auth -> auth4 to avoid conflict with s3 auth
2011-05-07 10:14:06 +04:00
NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth4_context *auth_context,
r8700: Propmted by tridge's need to do plaintext auth in ejs, rework the user_info strcture in auth/ This moves it to a pattern much like that found in ntvfs, with functions to migrate between PAIN, HASH and RESPONSE passwords. Instead of make_user_info*() functions, we simply fill in the control block in the callers, per recent dicussions on the lists. This removed a lot of data copies as well as error paths, as we can grab much of it with talloc. Andrew Bartlett (This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88)
2005-07-22 08:10:07 +04:00
enum auth_password_state to_state,
const struct auth_usersupplied_info *user_info_in,
const struct auth_usersupplied_info **user_info_encrypted);
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
#include "auth/session.h"
s4-auth Move conversion of security_token to unix_token to auth This allows us to honour the AUTH_SESSION_INFO_UNIX_TOKEN flag. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-21 11:06:17 +04:00
#include "auth/unix_token_proto.h"
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
#include "auth/system_session_proto.h"
Fix public header not to include private (not installed) ones. Autobuild-User: Simo Sorce <idra@samba.org> Autobuild-Date: Mon Mar 14 17:01:20 CET 2011 on sn-devel-104
2011-03-14 18:01:47 +03:00
#include "libcli/security/security.h"
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
struct ldb_message;
struct ldb_context;
Remove auth/ntlm as a dependency of GENSEC by means of function pointers. When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-02-13 02:24:16 +03:00
struct gensec_security;
s4-auth Move libcli/security/session.c to the top level This code is now useful in common, as the elements of the auth_session_info structure have now been defined in common IDL. Andrew Bartlett
2011-02-10 12:21:11 +03:00
struct cli_credentials;
Remove auth/ntlm as a dependency of GENSEC by means of function pointers. When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-02-13 02:24:16 +03:00
s4-auth Rename auth -> auth4 to avoid conflict with s3 auth
2011-05-07 10:14:06 +04:00
NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t chal[8]);
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
struct ldb_context *sam_ctx,
s4-auth: Use consistant externally-supplied time in auth stack This makes the time during authentication stay consistent in the KDC and follows the fake time when we are testing gMSA accounts. By having the account expiry follow exactly the same clock as the password expiry we can hope for less supprises. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-05-29 05:51:01 +03:00
NTTIME now,
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
uint32_t logon_parameters,
Don't use crossRef records to find our own domain A single AD server can only host a single domain, so don't stuff about with looking up our crossRef record in the cn=Partitions container. We instead trust that lp_realm() and lp_workgroup() works correctly. Andrew Bartlett
2009-05-26 06:31:39 +04:00
struct ldb_dn *domain_dn,
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
struct ldb_message *msg,
const char *logon_workstation,
s4:kdc: allow a trusted domain to get kerberos tickets metze
2008-12-04 17:09:21 +03:00
const char *name_for_logs,
s4:kdc Allow a password change when the password is expired This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on. Andrew Bartlett
2009-06-18 05:08:46 +04:00
bool allow_domain_trust,
bool password_change);
s4-auth: remove unused prototype
2011-05-06 18:49:38 +04:00
s4:auth Move BUILTIN group addition into session.c The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply. Andrew Bartlett
2010-04-13 16:11:26 +04:00
struct auth_session_info *system_session(struct loadparm_context *lp_ctx);
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
const char *netbios_name,
Don't use crossRef records to find our own domain A single AD server can only host a single domain, so don't stuff about with looking up our crossRef record in the cn=Partitions container. We instead trust that lp_realm() and lp_workgroup() works correctly. Andrew Bartlett
2009-05-26 06:31:39 +04:00
const char *domain_name,
s4:auth: fill user_principal_* and dns_domain_name in authsam_make_user_info_dc() This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO correctly. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-01-07 16:55:07 +03:00
const char *dns_domain_name,
Strip trailing spaces
2010-01-12 19:05:16 +03:00
struct ldb_dn *domain_dn,
s4: Add 'const' to some parameters Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-07 04:14:18 +03:00
const struct ldb_message *msg,
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
struct auth_user_info_dc **_user_info_dc);
s4:auth: add authsam_update_user_info_dc() that implements SID expanding for the local domain BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-02 01:12:36 +03:00
NTSTATUS authsam_update_user_info_dc(TALLOC_CTX *mem_ctx,
struct ldb_context *sam_ctx,
struct auth_user_info_dc *user_info_dc);
s4:auth: Add function to make a shallow copy of an auth_user_info_dc structure Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 02:18:38 +03:00
NTSTATUS authsam_shallow_copy_user_info_dc(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc_in,
struct auth_user_info_dc **user_info_dc_out);
Strip trailing spaces
2010-01-12 19:05:16 +03:00
NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
struct loadparm_context *lp_ctx,
struct auth_session_info **_session_info) ;
auth: Allow auth_samba4 to be forced to run a specific auth module This will allow new tests to be written to validate winbindd authentication results Andrew Bartlett Change-Id: I008eba1de349b17ee4eb9f11be08338557dffecc Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2014-05-16 06:29:43 +04:00
NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char * const *methods,
s4:lib/tevent: rename structs list="" list="$list event_context:tevent_context" list="$list fd_event:tevent_fd" list="$list timed_event:tevent_timer" for s in $list; do o=`echo $s | cut -d ':' -f1` n=`echo $s | cut -d ':' -f2` r=`git grep "struct $o" |cut -d ':' -f1 |sort -u` files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4` for f in $files; do cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp mv $f.tmp $f done done metze
2008-12-29 22:24:57 +03:00
struct tevent_context *ev,
s4-messaging Rename messaging -> imessaging This avoid symbol and structure conflicts between Samba3 and Samba4, and chooses a less generic name. Andrew Bartlett
2011-05-03 04:40:33 +04:00
struct imessaging_context *msg,
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
struct loadparm_context *lp_ctx,
s4:auth Allow the operational module to get a user's tokenGroups from auth This creates a new interface to the auth subsystem, to allow an auth_context to be created from the ldb, and then tokenGroups to be calculated in the same way that the auth subsystem would. Andrew Bartlett
2010-04-15 05:58:05 +04:00
struct ldb_context *sam_ctx,
s4-auth Rename auth -> auth4 to avoid conflict with s3 auth
2011-05-07 10:14:06 +04:00
struct auth4_context **auth_ctx);
s4-auth Extend python bindings to allow ldb and message to be specified This will allow for some more tokenGroups tests in future. Andrew Bartlett
2011-01-18 11:13:19 +03:00
const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx);
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
Strip trailing spaces
2010-01-12 19:05:16 +03:00
NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
s4:lib/tevent: rename structs list="" list="$list event_context:tevent_context" list="$list fd_event:tevent_fd" list="$list timed_event:tevent_timer" for s in $list; do o=`echo $s | cut -d ':' -f1` n=`echo $s | cut -d ':' -f2` r=`git grep "struct $o" |cut -d ':' -f1 |sort -u` files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4` for f in $files; do cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp mv $f.tmp $f done done metze
2008-12-29 22:24:57 +03:00
struct tevent_context *ev,
s4-messaging Rename messaging -> imessaging This avoid symbol and structure conflicts between Samba3 and Samba4, and chooses a less generic name. Andrew Bartlett
2011-05-03 04:40:33 +04:00
struct imessaging_context *msg,
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
struct loadparm_context *lp_ctx,
s4-auth Rename auth -> auth4 to avoid conflict with s3 auth
2011-05-07 10:14:06 +04:00
struct auth4_context **auth_ctx);
auth4: add auth_context_create_for_netlogon() For now it's the same as auth_context_create(), but this will change the in the next commits. BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-17 14:08:59 +03:00
NTSTATUS auth_context_create_for_netlogon(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct imessaging_context *msg,
struct loadparm_context *lp_ctx,
struct auth4_context **auth_ctx);
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
s4-auth Rename auth -> auth4 to avoid conflict with s3 auth
2011-05-07 10:14:06 +04:00
NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
TALLOC_CTX *mem_ctx,
auth: Make check_password and generate_session_info hook generic gensec_ntlmssp does not need to know the internal form of the struct user_info_dc or auth_serversupplied_info. This will allow the calling logic to be put in common. Andrew Bartlett
2012-01-30 04:17:44 +04:00
const struct auth_usersupplied_info *user_info,
auth4: let auth_check_password* return pauthoritative BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-17 13:16:36 +03:00
struct auth_user_info_dc **user_info_dc,
uint8_t *pauthoritative);
s4-auth: rename 'auth' subsystem to 'auth4' this prevents conflicts with the s3 auth modules. The auth modules in samba3 may appear in production smb.conf files, so it is preferable to rename the s4 modules for minimal disruption. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-15 08:30:35 +03:00
NTSTATUS auth4_init(void);
s4: auth: Add TALLOC_CTX * to auth_register() Use the talloc context passed into all modules. Remove one more talloc_autofree_context(). Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-05-09 22:39:14 +03:00
NTSTATUS auth_register(TALLOC_CTX *mem_ctx, const struct auth_operations *ops);
lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *) Not currently used - no logic changes inside. This will make it possible to pass down a long-lived talloc context from the loading function for modules to use instead of having them internally all use talloc_autofree_context() which is a hidden global. Updated all known module interface numbers, and added a WHATSNEW. Signed-off-by: Jeremy Allison <jra@samba.org> Signed-off-by: Ralph Böhme <slow@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
2017-04-20 22:24:43 +03:00
NTSTATUS server_service_auth_init(TALLOC_CTX *ctx);
s4:auth: add authenticate_ldap_simple_bind_send/recv TODO: we need to make the backend async. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-11 18:05:02 +03:00
struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct imessaging_context *msg,
struct loadparm_context *lp_ctx,
struct tsocket_address *remote_address,
struct tsocket_address *local_address,
bool using_tls,
const char *dn,
const char *password);
NTSTATUS authenticate_ldap_simple_bind_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info);
ldap_server: Move code into authenticate_ldap_simple_bind() This function is only called for simple binds, and by moving the mapping into the function call we allow the unmapped values to be included in the user_info and so logged. We also include the local address and the remote address of the client for future logging Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-02-20 05:57:03 +03:00
NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct imessaging_context *msg,
struct loadparm_context *lp_ctx,
struct tsocket_address *remote_address,
struct tsocket_address *local_address,
auth: Log the transport connection for the authorization We also log if a simple bind was over TLS, as this particular case matters to a lot of folks Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-06 04:10:17 +03:00
bool using_tls,
ldap_server: Move code into authenticate_ldap_simple_bind() This function is only called for simple binds, and by moving the mapping into the function call we allow the unmapped values to be included in the user_info and so logged. We also include the local address and the remote address of the client for future logging Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-02-20 05:57:03 +03:00
const char *dn,
const char *password,
struct auth_session_info **session_info);
s4:auth: change auth_check_password_send/recv to tevent_req metze
2009-12-23 11:09:37 +03:00
struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
s4-auth Rename auth -> auth4 to avoid conflict with s3 auth
2011-05-07 10:14:06 +04:00
struct auth4_context *auth_ctx,
s4:auth: change auth_check_password_send/recv to tevent_req metze
2009-12-23 11:09:37 +03:00
const struct auth_usersupplied_info *user_info);
NTSTATUS auth_check_password_recv(struct tevent_req *req,
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
TALLOC_CTX *mem_ctx,
auth4: let auth_check_password* return pauthoritative BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-17 13:16:36 +03:00
struct auth_user_info_dc **user_info_dc,
uint8_t *pauthoritative);
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
s4-auth Rename auth -> auth4 to avoid conflict with s3 auth
2011-05-07 10:14:06 +04:00
NTSTATUS auth_context_set_challenge(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by);
r8700: Propmted by tridge's need to do plaintext auth in ejs, rework the user_info strcture in auth/ This moves it to a pattern much like that found in ntvfs, with functions to migrate between PAIN, HASH and RESPONSE passwords. Instead of make_user_info*() functions, we simply fill in the control block in the callers, per recent dicussions on the lists. This removed a lot of data copies as well as error paths, as we can grab much of it with talloc. Andrew Bartlett (This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88)
2005-07-22 08:10:07 +04:00
Remove auth/ntlm as a dependency of GENSEC by means of function pointers. When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-02-13 02:24:16 +03:00
NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx,
struct tevent_context *event_ctx,
s4-messaging Rename messaging -> imessaging This avoid symbol and structure conflicts between Samba3 and Samba4, and chooses a less generic name. Andrew Bartlett
2011-05-03 04:40:33 +04:00
struct imessaging_context *msg_ctx,
Remove auth/ntlm as a dependency of GENSEC by means of function pointers. When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-02-13 02:24:16 +03:00
struct loadparm_context *lp_ctx,
struct cli_credentials *server_credentials,
const char *target_service,
struct gensec_security **gensec_context);
s4:auth: add samba_server_gensec_krb5_start() This will be used by the dns services to only allow spnego/krb5. This makes sure the accepting backend doesn't require any RPC or IPC communication for now. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-15 08:17:30 +03:00
NTSTATUS samba_server_gensec_krb5_start(TALLOC_CTX *mem_ctx,
struct tevent_context *event_ctx,
struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
struct cli_credentials *server_credentials,
const char *target_service,
struct gensec_security **gensec_context);
Remove auth/ntlm as a dependency of GENSEC by means of function pointers. When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-02-13 02:24:16 +03:00
r443: Update Samba4 to the auth and NTLMSSP code from Samba3. Not all the auth code is merged - only those parts that are actually being used in Samba4. There is a lot more work to do in the NTLMSSP area, and I hope to develop that work here. There is a start on this here - splitting NTLMSSP into two parts that my operate in an async fashion (before and after the actual authentication) Andrew Bartlett (This used to be commit 5876c78806e6a6c44613a1354e8d564b427d0c9f)
2004-05-02 12:45:00 +04:00
#endif /* _SMBAUTH_H_ */
Copy Permalink