1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

163 Commits

Author SHA1 Message Date
Alexander Bokovoy
e2d5b4d709 CVE-2020-25717: Add FreeIPA domain controller role
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.

It means that role won't result in ROLE_STANDALONE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Volker Lendecke
cdd9d42371 auth3: Apply some const to auth3_context_set_challenge()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-04-27 13:24:35 +00:00
Volker Lendecke
d145453572 auth3: Make load_auth_module() static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-19 18:18:31 +00:00
Volker Lendecke
8536bf7fce auth: Simplify DEBUG statements in make_auth3_context_for_ntlm()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-19 18:18:31 +00:00
Volker Lendecke
d82acf7685 lib: give global_contexts.c its own header file
It's a bit shocking how many references we have to global
contexts. Make this a bit more obvious.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-08 20:31:33 +00:00
Volker Lendecke
59cb155a27 auth: Remove the "typedef auth_methods"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-01-06 01:47:30 +00:00
Volker Lendecke
bcf9444458 auth3: Simplify auth_get_ntlm_challenge()
Use generate_random_buffer() directly on the talloc'ed buffer

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-01-06 01:47:30 +00:00
Volker Lendecke
b2f0703493 auth3: Check for talloc failure
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-01-06 01:47:30 +00:00
Noel Power
8ea0835a6c s3/auth: clang: Fix 'Value stored during its initialization is never read'
Fixes:

source3/auth/auth.c:38:35: warning: Value stored to 'entry' during its initialization is never read <--[clang]
        struct auth_init_function_entry *entry = auth_backends;
                                         ^~~~~   ~~~~~~~~~~~~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-09-26 18:41:27 +00:00
Gary Lockyer
ae4461dce9 auth auth_log: csbuild unused parm unix_username
Fixes csbuild errors

Error: COMPILER_WARNING:
auth/auth_log.c: scope_hint: In function ‘log_authentication_event_json’
auth/auth_log.c:146:14: warning: unused parameter ‘unix_username’
[-Wunused-parameter]

Error: COMPILER_WARNING:
auth/auth_log.c: scope_hint: In function
‘log_authentication_event_human_readable’
auth/auth_log.c:586:14: warning: unused parameter ‘unix_username’
[-Wunused-parameter]

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-06-13 07:16:22 +00:00
Gary Lockyer
826d930aa4 s3 auth: Create messaging and lp contexts.
If 'auth event notifications' are enabled create an imessaging_context
and a loadparm_context that can be passed to log_authentication_event.

This will allow the generated authentication messages to be tested.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-02-20 06:03:08 +01:00
Stefan Metzmacher
f3bac8c911 s3:auth_winbind: remove fallback to optional backend
This is not possible anymore, as the trustdomain backend
was removed in commit 75c152c0d7.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13723

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2018-12-20 08:41:25 +01:00
Andrew Bartlett
1bb2a1c6b3 auth: For NTLM and KDC authentication, log the authentication duration
This is not a general purpose profiling solution, but these JSON logs are already being
generated and stored, so this is worth adding.

Some administrators are very keen to know how long authentication
takes, particularly due to long replication transactions in other
processes.

This complements a similar patch set to log the transaction duration.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-06-25 08:32:14 +02:00
Stefan Metzmacher
c2480b96b5 s3:auth: rename "guest" methods to "anonymous"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:49 +01:00
Stefan Metzmacher
584ef261c9 s3:auth: remove lp_auth_methods() handling
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:24 +01:00
Volker Lendecke
75c152c0d7 auth3: Remove auth_domain
If you're a domain member, use winbind. Auth_domain is from times when we did
not have winbind. It has served its purpose, but we should move on.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep 22 00:02:29 CEST 2017 on sn-devel-144
2017-09-22 00:02:29 +02:00
Jeremy Allison
306783d6f5 lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)
Not currently used - no logic changes inside.

This will make it possible to pass down a long-lived talloc
context from the loading function for modules to use instead
of having them internally all use talloc_autofree_context()
which is a hidden global.

Updated all known module interface numbers, and added a
WHATSNEW.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
2017-04-22 01:17:00 +02:00
Volker Lendecke
56df7cf3d9 auth3: fallback to "sam_ignoredomain" in make_auth3_context_for_ntlm()
This is in the spirit of the "map untrusted to domain" parameter: We
fall back to the local SAM when we get a non-authoritative NO_SUCH_USER
from our domain controller. With this change we can implement
"map untrusted to domain = auto".

We should not strictly need 'sam' before 'winbind', but it makes
it clearer to read and has the same effect.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 10 05:04:03 CEST 2017 on sn-devel-144
2017-04-10 05:04:03 +02:00
Stefan Metzmacher
45227b301f auth3: merge make_auth_context_subsystem() into make_auth3_context_for_ntlm()
make_auth3_context_for_ntlm() was the only caller of
make_auth_context_subsystem().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
f23af921df auth3: only use "sam_netlogon3 winbind:trustdomain" in make_auth3_context_for_netlogon
If some needs the old behavior for a while, the deprecated
"auth methods = guest sam winbind:trustdomain" option can be used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Andrew Bartlett
d004196036 auth: Add hooks for notification of authentication events over the message bus
This will allow tests to be written to confirm the correct events are triggered.

We pass in a messaging context from the callers

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00
Gary Lockyer
8154acfd0d auth: Generate a human readable Authentication log message.
Add a human readable authentication log line, to allow
verification that all required details are being passed.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:26 +02:00
Andrew Bartlett
7609c57922 auth: Add a reminder about the strings currently used for auditing
We will soon have a much better replacement, but a note here may help some in the transition

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:26 +02:00
Stefan Metzmacher
7f2d30215e auth3: handle ROLE_ACTIVE_DIRECTORY_DC before lp_auth_methods() in make_auth_context_subsystem()
"auth methods" never works as AD DC at all, so there's not really a change.

This allows us to implement "auth methods" (temporary) for the auth4 stack.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:10 +01:00
Stefan Metzmacher
800e248dcd auth3: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:10 +01:00
Stefan Metzmacher
a363a7936c auth3: only use "[samba4:]sam" in make_auth3_context_for_winbind()
This makes the USER_INFO_LOCAL_SAM_ONLY and AUTH_METHOD_LOCAL_SAM
interaction obsolete.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:10 +01:00
Stefan Metzmacher
65d5f845ed auth3: let auth_check_ntlm_password() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:09 +01:00
Stefan Metzmacher
29dc515be9 auth3: make make_auth_context_subsystem() static
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:09 +01:00
Stefan Metzmacher
0a8aabbd86 auth3: add make_auth3_context_for_{ntlm,netlogon,winbind}
For now they'll all do the same, but that will change in the following commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:09 +01:00
Volker Lendecke
9e67fd4129 auth3: Remove unused make_auth_context_fixed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:09 +01:00
Volker Lendecke
2a6388cdcf auth3: Introduce auth3_context_set_challenge
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:08 +01:00
Volker Lendecke
51056c2cef auth3: Simplify the logic in auth_check_ntlm_password
Move everything but the strict loop logic outside. This makes the
loop exit condition clearer to me: Anything but NOT_IMPLEMENTED breaks
the loop.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:08 +01:00
Volker Lendecke
c98614152c auth3: Don't try other auth modules on any error
So far if any kind of error has happened, we just tried further auth
modules. An auth module should have the chance to definitely say "no,
this is a valid error, no further attempts anywhere else". The protocol
so far was for an auth module to return NT_STATUS_NOT_IMPLEMENTED if it
wanted to pass on to other modules, but any error led to the next auth
modules also being given a try.

This patch makes any auth module return code except NOT_IMPLEMENTED to
terminate the loop, such that every module has to explicitly request to
pass on to the next module via NOT_IMPLEMENTED.

All modules we reference in make_auth_context_subsystem() have code to
explicitly say "not for me please" with NOT_IMPLEMENTED.

This *might* break existing setups which fail in for example "guest" or
"winbind" due to other reasons. I prefer it this way though, because
adding another parameter like "This is a real authoritative failure,
don't go looking somewhere else" will only add to the mess.
But it's more a theoretical than a practical change with the
default auth backends.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:08 +01:00
Volker Lendecke
1e82d82571 auth3: Introduce make_auth_context_specific
Take a string instead of a string list. Simplifies
make_auth_context_subsystem and later similar callers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:08 +01:00
Volker Lendecke
b78de58e57 auth3: Slightly simplify make_auth_context_subsystem() step2
Use "git show -b" to see the simple diff.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:08 +01:00
Volker Lendecke
3fd7707cdf auth3: Slightly simplify make_auth_context_subsystem() step1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:08 +01:00
Volker Lendecke
825180bcd2 auth3: Simplify auth_check_ntlm_password logic with a "goto fail"
No intended code change, just reformatting and a goto fail with
inverted logic

Best viewed with "git show -b"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar  9 02:01:35 CET 2017 on sn-devel-144
2017-03-09 02:01:35 +01:00
Volker Lendecke
66f94e557e auth3: Simplify auth_check_ntlm_password logic with a "goto fail"
No intended code change, just reformatting and a goto fail with
inverted logic

Best viewed with "git show -b" :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-08 22:01:16 +01:00
Volker Lendecke
56b0303a61 auth3: Simplify auth_check_ntlm_password server_info handling
Instead of directly assigning (*pserver_info), work on a local copy
first and assign it once when successful

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-08 22:01:15 +01:00
Volker Lendecke
b19868ce6a auth3: Simplify auth_check_ntlm_password talloc handling
Use talloc_stackframe and talloc_tos. Don't bother to talloc_free
within the loop, we don't have many iterations.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-08 22:01:15 +01:00
Volker Lendecke
d31bf0e29d auth3: Use talloc_move instead of _steal
That's the more "modern" way to steal

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-08 22:01:15 +01:00
Volker Lendecke
1bbbc152d3 auth3: Centralize auth_check_ntlm_password failure handling
Preparation for simplified talloc handling. Slight behaviour change:
We now ZERO_STRUCTP(pserver_info) in all failure cases.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-08 22:01:15 +01:00
Volker Lendecke
68e1a64dc1 auth3: Use NT_STATUS_EQUAL
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-02-15 02:28:16 +01:00
Michael Adam
476672b647 dlist: remove unneeded type argument from DLIST_ADD_END()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-02-06 21:48:17 +01:00
Andrew Bartlett
0b77cd969c s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd
This changes the auth code in winbindd to use this as a flag, and to
therefore contact the RW DC.

Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
2014-07-04 02:52:35 +02:00
Andrew Bartlett
597d2a7a29 auth: Provide a way to use the auth stack for winbindd authentication
This adds in flags that allow winbindd to request authentication
without directly calling into the auth_sam module.

That in turn will allow winbindd to call auth_samba4 and so permit
winbindd operation in the AD DC.

Andrew Bartlett

Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Andreas Schneider
4d792db03f s3-auth: Pass mem_ctx to auth_check_ntlm_password().
Coverity-Id: 1168009
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598

Signed-off-by: Andreas Schneider <asn@samba.org>

Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-02-19 11:29:29 +13:00
Garming Sam
63598ff628 param: rename lp function and variable from "encrypted_passwords" to "encrypt_passwords"
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-02-07 16:19:15 -08:00
Andrew Bartlett
eba8799514 auth: Remove .get_challenge (only used for security=server)
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge,
so if we ever did use a module that needed this functionlity, we would
downgrade to just NTLM.

Now that security=server has been removed, we have no such module.

This will make it easier to make the auth subsystem async, as we will
not need to consider making .get_challenge async.

Andrew Bartlett
2012-07-03 08:13:01 +10:00
Andrew Bartlett
60b6348244 s3-auth: rework default auth methods around the lp_server_role() parameter
To cover all the enum values, ROLE_ACTIVE_DIRECTORY_DOMAIN_CONTROLLER
is mapped to the samba4 auth module, and this is no longer required to
be specified in fileserver.conf.

Andrew Bartlett
2012-06-15 09:18:33 +02:00