1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

46 Commits

Author SHA1 Message Date
Gerald Carter
a834a73e34 sync'ing up for 3.0alpha20 release
(This used to be commit 65e7b5273b)
2002-09-25 15:19:00 +00:00
Jelmer Vernooij
b2edf254ed sync 3.0 branch with head
(This used to be commit 3928578b52)
2002-08-17 17:00:51 +00:00
Andrew Tridgell
e90b652848 updated the 3.0 branch from the head branch - ready for alpha18
(This used to be commit 03ac082dcb)
2002-07-15 10:35:28 +00:00
Tim Potter
b10b3be01c Spelling.
(This used to be commit 423985ed56)
2002-04-07 23:41:55 +00:00
Andrew Bartlett
657a24f476 Various winbind updates:
- pam_winbind updates from vance, fixing a typo and making some the options
  work properly.

- Extra parinoia in the winbind connection loop

- Allow pam_winbind to compile on HP-UX (Don Mcall, more work to do).

- Fix up configure.in to use the same method for building the test .so
  as the Makefile uses.

Andrew Bartlett
(This used to be commit 8e705dd921)
2002-03-23 08:28:19 +00:00
Tim Potter
ab13654dc9 Renamed get_nt_error_msg() to nt_errstr().
(This used to be commit 1f007d3ed4)
2002-03-17 04:36:35 +00:00
Andrew Bartlett
e91e0a83af Winbind cleanup.
This patch fixes the segfaults I introduced in the previous conneciton caching
patch.  It cleans up the connection cache a *lot* - in particular it adds
significant robustness to the operation.

If a the DC goes down, we no longer fail the next operation - the code checks
if the connection died during one of its own operations on the socket, and
restarts the conneciton as required.

There is still a memory leak in here somewhere - but this code also cleans up a
number of these.

Also added is the abilty to sepecify the domain of the 'get around restrict anonymous'
user that winbind uses.

Andrew Bartlett
(This used to be commit 92cbefdf27)
2002-02-15 13:28:59 +00:00
Andrew Bartlett
14e6be4975 A few small winbind updates:
Add a connection cache to the netlogon pipe.  This makes a *massive* difference
to the time-per-auth.  Also fix up *some* of the memory leaks in other
connection caches.

Add some debugging messages for the is_connected() code.  I'm thinking we
should get a client implementation of SMBecho and call it here - as it would
allow us to always know the DC is around before we start.

Down the debug level for some of the pam_winbind code - I'll probably down it
further when I'm finished debugging.

Andrew Bartlett
(This used to be commit 49d3e47666)
2002-02-11 01:29:07 +00:00
Andrew Bartlett
e32177ea9d Fix up some of the DEBUG lines in winbind_pam.c
(This used to be commit dfc8883305)
2002-02-08 06:43:55 +00:00
Andrew Bartlett
ed389ee8dc Drastic impromvents to pam_winbind.
This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error
conversions, and uses them to make the error handling in pam_winbind sane.

In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...'
stuff, and logs the NTSTATUS error that winbind now sends over the pipe.

Added code to wbinfo to display these - makes a big difference in debugging
winbindd.

The main change here is the code to allow pam_winbind password changing to
correctly stack - This code ripped from pam_unix, and the copyright attached.
(Same as for all pam modules, including pam_winbind)

Andrew Bartlett
(This used to be commit dc1a72f896)
2002-02-05 09:40:36 +00:00
Tim Potter
12b7f600a0 Removed unused variables.
(This used to be commit 703d06fee0)
2002-01-31 11:54:01 +00:00
Tim Potter
cd68afe312 Removed version number from file header.
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06)
2002-01-30 06:08:46 +00:00
Tim Potter
62ea16ae36 Fix for password change from Samuel Ziegler <sam@xpedion.com>
(This used to be commit 418bdd5919)
2002-01-30 03:23:40 +00:00
Andrew Bartlett
1fb9ccc4e2 This is the 'winbind default domain' patch from Alexander Bokovoy
<a.bokovoy@sam-solutions.net>.

The idea is the domain\username is rather harsh for unix systems - people don't
expect to have to FTP, SSH and (in particular) e-mail with a username like
that.

This 'corrects' that - but is not without its own problems.

As you can see from the changes to files like username.c and wb_client.c (smbd's
winbind client code) a lot of assumptions are made in a lot of places about
lp_winbind_seperator determining a users's status as a domain or local user.

The main change I will shortly be making is to investigate and kill off
winbind_initgroups() - as far as I know it was a workaround for an old bug in
winbind itself (and a bug in RH 5.2) and should no longer be relevent.

I am also going to move to using the 'winbind uid' and 'winbind gid' paramaters
to determine a user/groups's 'local' status, rather than the presence of the
seperator.

As such, this functionality is recommended for servers providing unix services,
but is currently less than optimal for windows clients.

(TODO: remove all references to lp_winbind_seperator() and
lp_winbind_use_default_domain() from smbd)

Andrew Bartlett
(This used to be commit 07a21fcd23)
2002-01-18 02:37:55 +00:00
Andrew Bartlett
d76478f0a7 Initialise cli variables and try not to do a cli_shutdown() of uninitialsed
memory.

The winbind connection caching code isn't exactly a plesent beast, and there is
more work that needs to be done to nail this properly.

Andrew Bartlett
(This used to be commit dd40ce54b7)
2002-01-14 22:08:47 +00:00
Andrew Bartlett
e895b9004e Many thanks to Alexander Bokovoy <a.bokovoy@sam-solutions.net>.
This work was sponsored by Optifacio Software Services, Inc.

Andrew Bartlett

(various e-mails announcements merged into some form of commit message below:)

This patch which adds basics of universal groups support
into Samba 3. Currently, only Winbind with RPC calls supports this, ADS
support requires additional (possibly huge) work on KRB5 PAC. However,
basic infrastructure is here.

This patch adds:

1. Storing of universal groups for particular user logged into Samba
software (smbd/ two winbind-pam methods) into netlogon_unigrp.tdb as array
of uint32 supplemental group rids keyed as DOMAIN_SID/USER_RID in tdb.

2. Fetching of unversal groups for given user rid and domain sid from
netlogon_unigrp.tdb.

Since this is used in both smbd and winbindd, main code is in
source/lib/netlogon_uingrp.c. Dependencies are added to AUTH_OBJ as
UNIGRP_OBJ and WINBINDD_OBJ as UNIGRP_OBJ.

This patch has had a few versions, the final version in particular:

Many thanks to Andrew Bartlett for critics and comments, and partly
rewritten code.

New:
- updated fetching code to changed byte order macros
- moved functions to proper namespace
- optimized memory usage by reusing caller's memory context
- enhanced code to more follow Samba coding rules

Todo:
- proper universal group expiration after timeout
(This used to be commit 80c2aefbe7)
2002-01-12 23:57:10 +00:00
Andrew Bartlett
cf00e41421 This changes the winbind protcol a bit:
It adds a 'ping' request, just to check winbind is in fact alive

It also changes winbindd_pam_auth_crap to take usernames and domain seperatly.

(backward incompatible change, needs merge to 2.2, but this is not yet released
code, so no workarounds)

Finally, it adds some debugs and fixes a few memory leaks (uses talloc to do
it).

Andrew Bartlett
(This used to be commit 6df29bfe33)
2002-01-10 10:23:54 +00:00
Andrew Bartlett
2de935d89f Further rpc_client removal, this time from winbindd.
Also removed the dependency on auth_util.o, which makes things nicer.

Finally, this kills off the NECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ
makefile variable - becouse Samba dependencies are starting to be sane again!

Andrew Bartlett
(This used to be commit 4609edcac3)
2002-01-01 04:50:45 +00:00
Andrew Tridgell
dd0b65a91c added some comments
(This used to be commit 5ab2c8b821)
2001-12-10 01:05:50 +00:00
Jeremy Allison
f8abe6eba4 Fixed parse_domain_user to be bool.
Jeremy.
(This used to be commit 9563de2ef8)
2001-12-05 04:17:39 +00:00
Andrew Bartlett
d0a2faf78d This is another rather major change to the samba authenticaion
subystem.

The particular aim is to modularized the interface - so that we
can have arbitrary password back-ends.

This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality.  While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.

This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists.  It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.

Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.

While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.

The following parameters have changed:
 - use rhosts =

  This has been replaced by the 'rhosts' authentication method,
 and can be specified like 'auth methods = guest rhosts'

 - hosts equiv =

  This needs both this parameter and an 'auth methods' entry
  to be effective.  (auth methods = guest hostsequiv ....)

 - plaintext to smbpasswd =

  This is replaced by specifying 'sam' rather than 'local'
  in the auth methods.

The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.

The available auth methods are:

guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)


Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.

Andrew Bartlett
(This used to be commit 8d31eae52a)
2001-11-24 12:12:38 +00:00
Tim Potter
3400a3a3ed Got rid of that stupid parse_domain_user() warning when compiling
winbindd.
(This used to be commit 72060a6f5a)
2001-11-23 04:37:41 +00:00
Tim Potter
5788899a48 Fixed check machine account function.
(This used to be commit 8f01a8b078)
2001-11-23 00:14:04 +00:00
Tim Potter
93fb9f76e2 Use cli_nt_login_network() instead of domain_client_validate() to perform
pam authentication.  This allows us to link in less other crap.

Authenticating with a challenge/response doesn't seem to work though - we
always get back NT_STATUS_WRONG_PASSWORD.
(This used to be commit d85aa1ce83)
2001-11-05 00:21:17 +00:00
Tim Potter
f7cf10b6d8 Removed unneeded extern.
(This used to be commit c80641b6f3)
2001-10-31 12:45:50 +00:00
Andrew Bartlett
60f0627afb This is a farily large patch (3300 lines) and reworks most of the AuthRewrite
code.

In particular this assists tpot in some of his work, becouse it provides the
connection between the authenticaion and the vuid generation.

Major Changes:
	- Fully malloc'ed structures.
	  - Massive rework of the code so that all structures are made and destroyed
	    using malloc and free, rather than hanging around on the stack.
	- SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them
	   to be declared 'invalid' without the chance that people might get ROOT by
	   default.

	- kill off some of the "DOMAIN\user" lookups.  These can be readded at a more
	  appropriate place (probably domain_client_validate.c) in the future. They
	  don't belong in session setups.

	- Massive introduction of DATA_BLOB structures, particularly for passwords.

	- Use NTLMSSP flags to tell the backend what its getting, rather than magic
	  lenghths.

	- Fix winbind back up again, but tpot is redoing this soon anyway.

	- Abstract much of the work in srv_netlog_nt back into auth helper functions.

This is a LARGE change, and any assistance is testing it is appriciated.

Domain logons are still broken (as far as I can tell) but other functionality
seems
intact.

Needs testing with a wide variety of MS clients.

Andrew Bartlett
(This used to be commit f70fb819b2)
2001-10-31 10:46:25 +00:00
Tim Potter
6f0b8a38ec Added some extra fields to the auth_serversupplied_info structure.
To obtain the full group membership of a user (i.e nested groups on a
win2k native mode server) it is necessary to merge this list of groups
with the groups returned by winbindd when creating an nt access token.

This breaks winbindd linking while AB and I sync up our changes to the
authentication subsystem.
(This used to be commit 4eeb7bcd78)
2001-10-31 06:20:58 +00:00
Tim Potter
482a9ef278 This is the start of a bit of a rewrite of winbindd's connection handling.
I've wrapped up all the decisions about managing, making and closing
connections into a connection manager in nsswitch/winbindd_cm.c.

It's rather incomplete at the moment - only querying basic user info works
at the moment (i.e finger -m DOMAIN/user) and everything else is broken.

Jeremy, please take a look and I'll start moving across the rest of
winbindd to this new system.
(This used to be commit c369cf5af7)
2001-10-05 00:20:06 +00:00
Tim Potter
b800a36b1c Some patches to authentication:
- the usersupplied_info now contains a smb_username (as it comes across on
   the wire) and a unix_username (after being passed through mapping
   functions)

 - when doing security={server,domain} use the smb_username, otherwise use
   the unix_username
(This used to be commit d34fd8ec07)
2001-09-12 06:39:50 +00:00
Andrew Tridgell
7844aa868b more warning fixes on solaris
(This used to be commit c04c67fec8)
2001-09-05 08:11:17 +00:00
Andrew Tridgell
19fea3242c the next stage in the NTSTATUS/WERROR change. smbd and nmbd now compile, but the client code still needs some work
(This used to be commit dcd6e735f7)
2001-09-04 07:13:01 +00:00
Andrew Tridgell
b031af348c converted another bunch of stuff to NTSTATUS
(This used to be commit 1d36250e33)
2001-08-27 19:46:22 +00:00
Tim Potter
31b6b7aecd Make domain_client_validate return a status code instead of a boolean.
(This used to be commit b4e79ab34b)
2001-08-24 19:09:37 +00:00
Tim Potter
9168c29a03 Added copyright for me and AB.
(This used to be commit 19cd6a1dc4)
2001-08-23 02:55:42 +00:00
Tim Potter
b0f167cdf2 Added another authentication interface to winbindd. The Challenge Response
Authentication Protocol (CRAP) takes a tuple of (username, random
challenge, encrypted lm password, encrypted nt password) where the
passwords are encrypted with the random challenge ala ntlmssp.
(This used to be commit 11f72a78e3)
2001-08-22 02:48:16 +00:00
Andrew Bartlett
6ad80352dd This patch does a number of things, mostly smaller than they look :-)
In particuar, it moves the domain_client_validate stuff out of
auth_domain.c to somwhere where they (I hope) they can be shared
with winbind better.  (This may need some work)

The main purpose of this patch was however to improve some of the
internal documentation and to correctly place become_root()/unbecome_root()
calls within the code.

Finally this patch moves some more of auth.c into other files, auth_unix.c
in this case.

Andrew Bartlett
(This used to be commit ea1c547ac8)
2001-08-12 11:19:57 +00:00
Andrew Bartlett
986372901e This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.

The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards.  The
interface currently implemented in as

nt_status = check_password(user_info, server_info)

where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.

The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.

This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing.  We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.

Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree.  (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f3)
2001-08-03 13:09:23 +00:00
Andrew Tridgell
e8c2eeb0d8 the nss and pam modules in winbind don't have strchr_m() yet, so use
strchr() for the moment
(This used to be commit c2c1f2027e)
2001-07-18 21:50:20 +00:00
Andrew Tridgell
527e824293 strchr and strrchr are macros when compiling with optimisation in gcc, so we can't redefine them. damn.
(This used to be commit c41fc06376)
2001-07-04 07:36:09 +00:00
Tim Potter
24dd11dd69 Added comment about possible optimisation to winbindd_pam_auth()
(This used to be commit bb01d2151c)
2001-06-07 04:35:01 +00:00
Tim Potter
2d27d8c720 Fixes to get pam_auth() functionality working again.
(This used to be commit 083b74c743)
2001-05-17 06:08:49 +00:00
Tim Potter
a36f9250e7 Preliminary merge of winbind into HEAD. Note that this compiles and links
but I haven't actually run it yet so it probably doesn't work.  (-:
(This used to be commit 59f95416b6)
2001-05-07 04:32:40 +00:00
Jeremy Allison
f9a15ce1a6 Got "medieval on our ass" about adding the -1 to slprintf.
Jeremy.
(This used to be commit 94747b4639)
2001-04-08 20:22:39 +00:00
Andrew Tridgell
988810879e moved secrets handling into secrets.c
(This used to be commit e49550b975)
2000-06-03 06:16:11 +00:00
Andrew Tridgell
7738941ccf use "winbind separator" in tng as well
(This used to be commit 0189af5442)
2000-05-12 06:27:34 +00:00
Andrew Tridgell
32cb0660d2 brought the winbindd code into head
this does not yet compile, but I'm working on that.
(This used to be commit 3fb862531a)
2000-05-09 11:43:00 +00:00