1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

163 Commits

Author SHA1 Message Date
Gerald Carter
377f947930 r7395: * new feature 'map to guest = bad uid' (based on patch from
aruna.prabakar@hp.com).

This re-enables the Samba 2.2 behavior where a user that was
successfully authenticated by a remote DC would be mapped
to the guest account if there was not existing UNIX account
for that user and we could not create one.
(This used to be commit b7455fbf81)
2007-10-10 10:57:08 -05:00
Gerald Carter
cc6df2e9cf r7024: reverting mistaken commit
(This used to be commit c70c5c4ee9)
2007-10-10 10:57:00 -05:00
Gerald Carter
af52df2f1f r7020: fixing printer ace values and getting rid of false compiler warning about unitialized variable
(This used to be commit 3a91b20e4b)
2007-10-10 10:57:00 -05:00
Jeremy Allison
acf9d61421 r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)
2007-10-10 10:53:32 -05:00
Andrew Bartlett
9d0783bf21 r1492: Rework our random number generation system.
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork().

For other systems, we now only re-seed after a fork, and on startup.
No need to do it per-operation.  This removes the 'need_reseed'
parameter from generate_random_buffer().

Andrew Bartlett
(This used to be commit 36741d3cf5)
2007-10-10 10:52:13 -05:00
Andrew Bartlett
6268505496 Patch by emil@disksites.com <Emil Rasamat> to ensure we always always
free() each auth method. (We had relied on the use of talloc() only, despite providing the free() callback)

Andrew Bartlett
(This used to be commit 5872c0e26e)
2003-11-23 00:16:54 +00:00
Andrew Bartlett
fcbfc7ad06 Changes all over the shop, but all towards:
- NTLM2 support in the server
 - KEY_EXCH support in the server
 - variable length session keys.

In detail:

 - NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).

 * This is known as 'NTLMv2 session security' *

(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes.  We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)

This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed.  This also needs to be turned off for
'security=server', which does not support this.

- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.

- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.

- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure.  This should help the SPNEGO implementation.

- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.

- The other big change is to allow variable length session keys.  We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter.  However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.

 * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *

- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe.  This
should help reduce some of the 'it just doesn't work' issues.

- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer.  (just allocate)


REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0d)
2003-11-22 13:19:38 +00:00
Jeremy Allison
94f59f5492 More tuning from cachegrind. Change most trim_string() calls to trim_char(0,
as that's what they do. Fix string_replace() to fast-path ascii.
Jeremy.
(This used to be commit f35e9a8b90)
2003-09-05 19:59:55 +00:00
Herb Lewis
aa39cc37da get rid of more compiler warnings
(This used to be commit 398bd14fc6)
2003-08-15 04:42:05 +00:00
Volker Lendecke
f4d4b079e9 Fix memleak
(This used to be commit 228fe54f0d)
2003-07-18 11:36:16 +00:00
Andrew Bartlett
d809ad1d19 PAM should operate on the Unix username, not the NT username (which might not
have the domain\ qualification).

Andrew Bartlett
(This used to be commit 7cfa1e7c4a)
2003-07-05 08:05:06 +00:00
Andrew Bartlett
61116049ca This patch takes the work the jerry did for beta2, and generalises it:
- The 'not implmented' checks are now done by all auth modules
 - the ntdomain/trustdomain/winbind modules are more presise as to
   what domain names they can and cannot handle
 - The become_root() calls are now around the winbind pipe opening only,
   not the entire auth call
 - The unix username is kept seperate from the NT username, removing the
   need for 'clean off the domain\' in parse_net.c
 - All sid->uid translations are now validated with getpwuid() to put a very
   basic stop to logins with 'half deleted' accounts.

Andrew Bartlett
(This used to be commit 85f88191b9)
2003-07-03 14:36:42 +00:00
Gerald Carter
fb5a006c09 fix typos in log messages and comments.
(This used to be commit fd24183ec3)
2003-07-01 05:45:16 +00:00
Gerald Carter
b8723aaa65 Here's the code to make winbindd work on a Samba DC
to handle domain trusts.  Jeremy and I talked about this
and it's going in as working code.  It keeps winbind clean
and solves the trust problem with minimal changes.

To summarize, there are 2 basic cases where the deadlock would
occur.  (1) lookuping up secondary groups for a user, and
(2) get[gr|pw]nam() calls that fall through the NSS layer because
they don't exist anywhere.

o To handle case #1, we bypass winbindd in sys_getgrouplist() unless
  the username includes the 'winbind separator'.

o Case #2 is handled by adding checks in winbindd to return failure
  if we are a DC and the domain matches our own.

This code has been tested using basic share connections, domain
logons, and with pam_winbind (both with and without 'winbind
use default domain').  The 'trustdomain' auth module should work
as well if an admin wants to manually create UNIX users for
acounts in the trusted domains.

Other misc fixes:

  * we need to fix check_ntlm_password() to be able to determine
    if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD,
    etc...).  I worked around my specific situation, but this needs to be
    fixed.  the winbindd auth module was causing delays.
  * fix named server mutex deadlock between trust domain auth module
    and winbindd looking up a uid
  * make sure SAM_ACCOUNT gets stored in the server_info struct for the
    _net_sam_logon() reply.

Configuration details:

The recommended method for supporting trusts is to use winbind.
The gets us around some of the server mutex issues as well.

  * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf
  * create domain trusts like normal
  * join winbind on the pdc to the Samba domain using 'net rpc join'
  * add normal parameters to smb.conf for winbind
  * set 'auth method = guest sam winbind'
  * start smbd, nmbd, & winbindd

Problems that remain:

  * join a Windows 2k/XP box to a Samba domain.
  * create a 2-way trust between the Samba domain
    and an NT domain
  * logon to the windows client as a user from theh trusted
    domain
  * try to browse server in the trusted domain (or other
    workstations).  an NT client seems to work ok, but 2k
    and XP either prompt for passwords or fail with errors.

apparanently this never got tested since no one has ever been
able to logon as a trusted user to a Samba domain from a Windows
client.
(This used to be commit f804b590f9)
2003-06-29 03:39:50 +00:00
Gerald Carter
8a6fc79ad8 add check for NT_STATUS_NOT_IMPLEMENTED in auth check so that
map to guest = bad user works again when "trustdomain" is listed
as last auth method.

Also clean up some more DC location calls.
(This used to be commit 77a5b1032f)
2003-06-28 08:29:42 +00:00
Gerald Carter
7356d558ff fix typo (bug #170)
(This used to be commit d376b67de9)
2003-06-23 18:27:59 +00:00
Andrew Bartlett
6ace723c44 Get 'add user script' working again for Samba 3.0.
I'm still not convinced that sharing the option name with the administrative
code is the best idea, but anyway...

Tested by vl, bug #41.

Andrew Bartlett
(This used to be commit 9d78f064c5)
2003-05-25 23:56:41 +00:00
Simo Sorce
9e9849c0ee add metze's patch for smb_register functions
(This used to be commit 1480c7e8c7)
2003-05-16 06:20:57 +00:00
Jelmer Vernooij
6203409d2e Patch from Luke Howard <lukeh@PADL.COM> that fixes some weird handling of
modules in auth/
(This used to be commit 4b6785a6c0)
2003-05-15 08:47:28 +00:00
Jelmer Vernooij
d2373e7dce Make the version numbers ints (patch from metze)
(This used to be commit dbe36b4c43)
2003-04-30 23:06:44 +00:00
Jelmer Vernooij
17a3acafa8 Use NTSTATUS as return value for smb_register_*() functions and init_module()
function. Patch by metze with some minor modifications.
(This used to be commit bc4b51bcb2)
2003-04-28 17:48:48 +00:00
Andrew Bartlett
59e0836b7f Merge auth changes from HEAD:
- better error codes than NT_STATUS_UNSUCCESSFUL for domain logon errors
 - make auth_winbind load the ntdomain module if winbind isn't there.
 - use new trusted domains cache to determine if the domain is valid.

Andrew Bartlett
(This used to be commit ec8d6524c6)
2003-04-24 11:56:09 +00:00
Jelmer Vernooij
a8c95d79f8 Add support for the new modules system to auth/ (merge from HEAD)
(This used to be commit c7a1de090d)
2003-04-16 12:13:07 +00:00
Andrew Bartlett
395b8937ac Merge from HEAD - doxygen
(This used to be commit 7a2566f2e9)
2003-03-17 22:43:57 +00:00
Andrew Bartlett
1cba0a7579 Merge from HEAD:
- NTLMSSP over SPENGO (sesssion-setup-and-x) cleanup and code refactor.
  - also consequential changes to the NTLMSSP and SPNEGO parsing functions
  - and the client code that uses the same functions
 - Add ntlm_auth, a NTLMSSP authentication interface for use by applications
   like Squid and Apache.
  - also consquential changes to use common code for base64 encode/decode.
 - Winbind changes to support ntlm_auth (I don't want this program to need
   to read smb.conf, instead getting all it's details over the pipe).
 - nmbd changes for fstrcat() instead of fstrcpy().

Andrew Bartlett
(This used to be commit fbb46da79c)
2003-01-28 12:07:02 +00:00
Andrew Bartlett
634c54310c Merge from HEAD - make Samba compile with -Wwrite-strings without additional
warnings.  (Adds a lot of const).

Andrew Bartlett
(This used to be commit 3a7458f947)
2003-01-03 08:28:12 +00:00
Jeremy Allison
ef8bd7c4f7 Forward port the change to talloc_init() to make all talloc contexts
named. Ensure we can query them.
Jeremy.
(This used to be commit 09a218a9f6)
2002-12-20 20:21:31 +00:00
Jeremy Allison
39c78bf516 Fixed auth module code. Added VALGRIND defines to reduce spurious warnings.
Jeremy.
(This used to be commit ec4ed45563)
2002-12-11 23:54:40 +00:00
Jeremy Allison
2f194322d4 Removed global_myworkgroup, global_myname, global_myscope. Added liberal
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit f755711df8)
2002-11-12 23:20:50 +00:00
Jelmer Vernooij
b2edf254ed sync 3.0 branch with head
(This used to be commit 3928578b52)
2002-08-17 17:00:51 +00:00
Andrew Tridgell
e90b652848 updated the 3.0 branch from the head branch - ready for alpha18
(This used to be commit 03ac082dcb)
2002-07-15 10:35:28 +00:00
Tim Potter
ab13654dc9 Renamed get_nt_error_msg() to nt_errstr().
(This used to be commit 1f007d3ed4)
2002-03-17 04:36:35 +00:00
Andrew Bartlett
81b2d66c97 Allow Samba to trust NT4 Domains.
This commit builds on the auth subsystem to give Samba support for trusting NT4
domains.  It is off by default, but is enabled by adding 'trustdomain' to the
'auth methods' smb.conf paramater.

Tested against NT4 only - there are still some issues with the join code for
Win2k servers (spnego stuff).

The main work TODO involves enumerating the trusted domains (including the RPC
calls to match), and getting winbind to run on the PDC correctly.

Similarly, work remains on getting NT4 to trust Samba domains.

Andrew Bartlett
(This used to be commit ac8c24a9a8)
2002-03-02 08:25:44 +00:00
Tim Potter
cd68afe312 Removed version number from file header.
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06)
2002-01-30 06:08:46 +00:00
Tim Potter
1f670cfb27 Spelling fixes.
(This used to be commit e67c7c5852)
2002-01-20 22:50:23 +00:00
Andrew Bartlett
2e28f8ff0e I've decided to move the auth code around a bit more...
The auth_authsupplied_info typedef is now just a plain struct - auth_context,
but it has been modified to contain the function pointers to the rest
of the auth subsystem's components.

(Who needs non-static functions anyway?)

In working all this mess out, I fixed a number of memory leaks and moved the
entire auth subsystem over to talloc().

Note that the TALLOC_CTX attached to the auth_context can be rather long-lived,
it is provided for things that are intended to live as long.  (The
global_negprot_auth_context lasts the whole life of the smbd).

I've also adjusted a few things in auth_domain.c, mainly passing the domain as
a paramater to a few functions instead of looking up lp_workgroup().  I'm
hopign to make this entire thing a bit more trusted domains (as PDC) freindly
in the near future.

Other than that, I moved a bit of the code around, hence the rather messy diff.

Andrew Bartlett
(This used to be commit 12f5515f55)
2002-01-05 04:55:41 +00:00
Andrew Bartlett
4a6d1318bd A farily large commit:
- Move rpc_client/cli_trust.c to smbd/change_trust_pw.c
  - It hasn't been used by anything else since smbpasswd lost its -j

 - Add a TALLOC_CTX to the auth subsytem.  These are only valid for the length
   of the calls to the individual modules, if you want a longer context hide it
   in your private data.

   Similarly, all returns (like the server_info) should still be malloced.

 - Move the 'ntdomain' module (security=domain in oldspeak) over to use the new
   libsmb domain logon code.  Also rework much of the code to use some better
   helper functions for the connection - getting us much better error returns
   (the new code is NTSTATUS).

   The only remaining thing to do is to figure out if tpot's 0xdead 0xbeef for
   the LUID feilds is sufficient, or if we should do random LUIDs as per the old
   code.

   Similarly, I'll move winbind over to this when I get a chance.

This leaves the SPOOLSS code and some cli_pipe code as the only stuff still in
rpc_client, at least as far as smbd is concerned.

While I've given this a basic rundown, any testing is as always appriciated.

Andrew Bartlett
(This used to be commit d870edce76)
2002-01-01 03:10:32 +00:00
Andrew Bartlett
f6e6c678ad Add a pile of doxygen style comments to various parts of Samba. Many of these
probably will never actually be genearted, but I like the style in any case.

Also fix a segfault in 'net rpc' when the login failed and a small memory leak
on failure in the auth_info.c code.

Andrew Bartlett
(This used to be commit 2efae7cc52)
2001-12-30 10:54:58 +00:00
Andrew Tridgell
9126a40e2c added trusted realm support to ADS authentication
the method used for checking if a domain is a trusted domain is very
crude, we should really call a backend fn of some sort. For now I'm
using winbindd to do the dirty work.
(This used to be commit adf44a9bd0)
2001-12-19 09:53:30 +00:00
Andrew Tridgell
40203ea0fc fixed the panics on basicsmb-sharelist on sun1
(This used to be commit 1bd3235744)
2001-11-27 13:29:14 +00:00
Andrew Tridgell
097d466536 fix sense of lp_allow_trusted_domains()
fix a memory leak
(This used to be commit 1421f2fbcb)
2001-11-27 03:25:31 +00:00
Andrew Bartlett
4499007e45 A number of things to clean up the auth subsytem a bit...
We now default encrypt passwords = yes

We now check plaintext passwords (however aquired) with the 'sam' backend
rather than unix, if encrypt passwords = yes.

(this kills off the 'local' backed.  The sam backend may be renamed in its
place)

The new 'samstrict' wrapper backend checks that the user's domain is one of
our netbios aliases - this ensures that we don't get fallback crazies with
security = domain.

Similarly, the code in the 'ntdomain' and 'smbserver' backends now checks
that the user was not local before contacting the DC.

The default ordering has changed, we now check the local stuff first - but
becouse of the changes above, we will really only ever contact one
auth source.

Andrew Bartlett
(This used to be commit e89b47f65e)
2001-11-26 06:47:04 +00:00
Tim Potter
178f6a64b2 challange -> challenge
(This used to be commit d6318add27)
2001-11-26 04:05:28 +00:00
Andrew Bartlett
d0a2faf78d This is another rather major change to the samba authenticaion
subystem.

The particular aim is to modularized the interface - so that we
can have arbitrary password back-ends.

This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality.  While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.

This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists.  It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.

Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.

While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.

The following parameters have changed:
 - use rhosts =

  This has been replaced by the 'rhosts' authentication method,
 and can be specified like 'auth methods = guest rhosts'

 - hosts equiv =

  This needs both this parameter and an 'auth methods' entry
  to be effective.  (auth methods = guest hostsequiv ....)

 - plaintext to smbpasswd =

  This is replaced by specifying 'sam' rather than 'local'
  in the auth methods.

The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.

The available auth methods are:

guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)


Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.

Andrew Bartlett
(This used to be commit 8d31eae52a)
2001-11-24 12:12:38 +00:00
Andrew Bartlett
e903a34b2e Minor updates. A small dose of const.
(This used to be commit 80667cb0dd)
2001-11-11 11:00:38 +00:00
Andrew Bartlett
55dfb66079 Change to guest logon code.
This changes the way we process guest logons - we now treat them as normal
logons, but set the 'guest' flag.  In particular this is needed becouse Win2k
will do an NTLMSSP login with username "", therefore missing our previous guest
connection code - this is getting a pain to do as a special case all over the
shop.

Tridge:  We don't seem to be setting a guest bit for NTLMSSP, in either the
anonymous or authenticated case, can you take a look at this?

Also some cleanups in the check_password() code that should make some of the
debugs clearer.

Various other minor cleanups:

 - change the session code to just take a vuser, rather than having to do a
   vuid lookup on vuser.vuid

 - Change some of the global_client_caps linking

 - Better debug in authorise_login(): show the vuid.

Andrew Bartlett
(This used to be commit 62f4e4bd0a)
2001-11-08 22:19:01 +00:00
Andrew Bartlett
60f0627afb This is a farily large patch (3300 lines) and reworks most of the AuthRewrite
code.

In particular this assists tpot in some of his work, becouse it provides the
connection between the authenticaion and the vuid generation.

Major Changes:
	- Fully malloc'ed structures.
	  - Massive rework of the code so that all structures are made and destroyed
	    using malloc and free, rather than hanging around on the stack.
	- SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them
	   to be declared 'invalid' without the chance that people might get ROOT by
	   default.

	- kill off some of the "DOMAIN\user" lookups.  These can be readded at a more
	  appropriate place (probably domain_client_validate.c) in the future. They
	  don't belong in session setups.

	- Massive introduction of DATA_BLOB structures, particularly for passwords.

	- Use NTLMSSP flags to tell the backend what its getting, rather than magic
	  lenghths.

	- Fix winbind back up again, but tpot is redoing this soon anyway.

	- Abstract much of the work in srv_netlog_nt back into auth helper functions.

This is a LARGE change, and any assistance is testing it is appriciated.

Domain logons are still broken (as far as I can tell) but other functionality
seems
intact.

Needs testing with a wide variety of MS clients.

Andrew Bartlett
(This used to be commit f70fb819b2)
2001-10-31 10:46:25 +00:00
Tim Potter
6f0b8a38ec Added some extra fields to the auth_serversupplied_info structure.
To obtain the full group membership of a user (i.e nested groups on a
win2k native mode server) it is necessary to merge this list of groups
with the groups returned by winbindd when creating an nt access token.

This breaks winbindd linking while AB and I sync up our changes to the
authentication subsystem.
(This used to be commit 4eeb7bcd78)
2001-10-31 06:20:58 +00:00
Tim Potter
dc1fc3ee8e Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header.
(This used to be commit 2d0922b0ea)
2001-10-02 04:29:50 +00:00
Andrew Bartlett
81697d5ebe Fix up a number of intertwined issues:
The big one is a global change to allow us to NULLify the free'ed pointer to a
former passdb object.  This was done to allow idra's SAFE_FREE() macro to do
its magic, and to satisfy the input test in pdb_init_sam() for a NULL pointer
to start with.

This NULL pointer test was what was breaking the adding of accounts up until
now, and this code has been reworked to avoid duplicating work - I hope this
will avoid a similar mess-up in future.

Finally, I fixed a few nasty bugs where the pdb_ fuctions's return codes were
being ignored.  Some of these functions malloc() and are permitted to fail.
Also, this caught a nasty bug where pdb_set_lanman_password(sam, NULL) acheived
precisely didilly-squat, just returning False.  Now that we check the returns
this bug was spotted.  This could allow different LM and NT passwords.

 - the pdbedit code needs to start checking these too, but I havn't had a
chance to fix it.

I have also fixed up where some of the password changing code was using the
pdb_set functions to store *internal* data.  I assume this is from a previous
lot of mass conversion work...

Most likally (and going on past experience) I have missed somthing, probably in
the LanMan password change code which I havn't yet been able to test, but this
lot is in much better shape than it was before.

If all this is too much to swallow (particularly for 2.2.2) then just adding a
sam_pass = NULL to the particular line of passdb.c should do the trick for the
ovbious bug.

Andrew Bartlett
(This used to be commit 762c8758a7)
2001-09-29 13:08:26 +00:00
Andrew Bartlett
dec3cbcaf0 Fix up workstaion and kickoff time checks, moved to auth_smbpasswd.c where
they can have general effect.

Fixed up workstaion support in the rest of samba, so that we can do these
checks.

Pass through the workstation for cli_net_logon(), if supplied.
(This used to be commit 7f04a139b2)
2001-09-16 06:35:35 +00:00
Tim Potter
b800a36b1c Some patches to authentication:
- the usersupplied_info now contains a smb_username (as it comes across on
   the wire) and a unix_username (after being passed through mapping
   functions)

 - when doing security={server,domain} use the smb_username, otherwise use
   the unix_username
(This used to be commit d34fd8ec07)
2001-09-12 06:39:50 +00:00
Andrew Tridgell
19fea3242c the next stage in the NTSTATUS/WERROR change. smbd and nmbd now compile, but the client code still needs some work
(This used to be commit dcd6e735f7)
2001-09-04 07:13:01 +00:00
Andrew Tridgell
b031af348c converted another bunch of stuff to NTSTATUS
(This used to be commit 1d36250e33)
2001-08-27 19:46:22 +00:00
Andrew Tridgell
ee5f7237de started converting NTSTATUS to be a structure on systems with gcc in order to make it type incompatible with BOOL so we catch errors sooner. This has already found a number of bugs
(This used to be commit 1b778bc7d2)
2001-08-27 17:52:23 +00:00
Herb Lewis
717533483b get rid of compiler warnings
(This used to be commit 0768991d04)
2001-08-24 20:32:01 +00:00
Andrew Bartlett
68525e9021 Add comment to clarify why we call this twice.
(This used to be commit afece03d02)
2001-08-20 22:01:44 +00:00
Andrew Tridgell
f9ce202810 two fixes for NT clients -> share level Samba server
(This used to be commit a25911d58c)
2001-08-20 21:11:55 +00:00
Andrew Bartlett
6ad80352dd This patch does a number of things, mostly smaller than they look :-)
In particuar, it moves the domain_client_validate stuff out of
auth_domain.c to somwhere where they (I hope) they can be shared
with winbind better.  (This may need some work)

The main purpose of this patch was however to improve some of the
internal documentation and to correctly place become_root()/unbecome_root()
calls within the code.

Finally this patch moves some more of auth.c into other files, auth_unix.c
in this case.

Andrew Bartlett
(This used to be commit ea1c547ac8)
2001-08-12 11:19:57 +00:00
Gerald Carter
f8d3cac8af a few cleanups while mergeing the passdb code into 2.2
(This used to be commit ef01739708)
2001-08-09 15:53:49 +00:00
Andrew Bartlett
ac989cbe07 Record the NT_STATUS constant rather than its number in the logfiles
Fix typo in lmhosts manpage
(This used to be commit 9fff946cf1)
2001-08-06 09:35:08 +00:00
Andrew Bartlett
384b522c92 This is the fix for the PAM bug I probably introduced in the previous commit,
which I will confirm once I can find a box it would break on in the first place.

(this is the pam accounts as nobody thing we had with 2.2.0)

Andrew Bartlett
(This used to be commit 9746ad12bd)
2001-08-03 13:24:38 +00:00
Andrew Bartlett
986372901e This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.

The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards.  The
interface currently implemented in as

nt_status = check_password(user_info, server_info)

where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.

The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.

This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing.  We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.

Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree.  (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f3)
2001-08-03 13:09:23 +00:00