1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

70 Commits

Author SHA1 Message Date
Volker Lendecke
59cb155a27 auth: Remove the "typedef auth_methods"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-01-06 01:47:30 +00:00
Stefan Metzmacher
63dc60767e s3:auth_winbind: ignore a missing winbindd as NT4 PDC/BDC without trusts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Dec 20 12:15:09 CET 2018 on sn-devel-144
2018-12-20 12:15:09 +01:00
Stefan Metzmacher
ec3adc1e5b s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13723

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2018-12-20 08:41:25 +01:00
Stefan Metzmacher
f3bac8c911 s3:auth_winbind: remove fallback to optional backend
This is not possible anymore, as the trustdomain backend
was removed in commit 75c152c0d7.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13723

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2018-12-20 08:41:25 +01:00
Jeremy Allison
306783d6f5 lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)
Not currently used - no logic changes inside.

This will make it possible to pass down a long-lived talloc
context from the loading function for modules to use instead
of having them internally all use talloc_autofree_context()
which is a hidden global.

Updated all known module interface numbers, and added a
WHATSNEW.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
2017-04-22 01:17:00 +02:00
Volker Lendecke
9abc80e0e4 auth_winbind3: Correctly handle !authoritative
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-10 03:28:26 +01:00
Andreas Schneider
4b97a19e58 BUG 9817: Fix 'map untrusted to domain' with NTLMv2.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 24 17:14:48 CEST 2013 on sn-devel-104
2013-04-24 17:14:48 +02:00
Andrew Bartlett
ad0a07c531 s3-talloc Change TALLOC_ZERO_P() to talloc_zero()
Using the standard macro makes it easier to move code into common, as
TALLOC_ZERO_P isn't standard talloc.
2011-06-09 12:40:08 +02:00
Günther Deschner
7e73214ebf s3-auth: use auth.h where needed.
Guenther
2011-03-30 01:13:09 +02:00
Günther Deschner
d85f140826 s3-winbind: remove global inclusion of libwbclient.
Guenther
2011-03-30 01:13:06 +02:00
Volker Lendecke
9b94f36605 s3: Make sure we call wbcAuthenticateUserEx correctly
There are cases where we fill in params.password.response.lm_data with non-NULL
where params.password.response.lm_length is 0. wbcAuthenticateUserEx does not
like that.

I haven't been able to reproduce this with smbclient yet, I've seen it with a
proprietary smb client implementation.

Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Mon Jan 17 16:30:11 CET 2011 on sn-devel-104
2011-01-17 16:30:11 +01:00
Volker Lendecke
c83a40ddbf s3: Quieten a bogus error message
This happens if you set "auth methods = winbind" without a fallback method.

The return NT_STATUS_LOGON_FAILURE; is not strictly require here, because we
fall through to the equivalent statement a few lines down, but it makes the
code a bit clearer IMO.

Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Tue Nov  9 20:15:59 UTC 2010 on sn-devel-104
2010-11-09 20:15:59 +00:00
Andrew Bartlett
23994e1b53 s3:auth Make Samba3 use the new common struct auth_usersupplied_info
This common structure will make it much easier to produce an auth
module for s3compat that calls Samba4's auth subsystem.

In order the make the link work properly (and not map twice), we mark
both that we did try and map the user, as well as if we changed the
user during the mapping.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-14 11:58:13 +10:00
Günther Deschner
06417abc7c s3-auth: fix debug message in check_winbind_security().
Guenther
2010-06-16 14:42:23 +02:00
Günther Deschner
185adc4c81 Revert "s4-smbtorture: only pull info when status code indicates success in smbcli_rap_netprintqgetinfo()."
This reverts commit 1f1c04010a.
2010-06-16 12:18:32 +02:00
Günther Deschner
1f1c04010a s4-smbtorture: only pull info when status code indicates success in smbcli_rap_netprintqgetinfo().
Guenther
2010-06-16 12:15:24 +02:00
Andrew Bartlett
fc956cfcbb s3:auth Rename user_info->domain -> user_info->mapped.domain_name
This is closer to the structure I want for a common struct
auth_usersupplied_info.

Andrew Bartlett
2010-06-07 23:34:28 +10:00
Andrew Bartlett
7a021df96d s3:auth Rename user_info->internal_username -> user_info->mapped.account_name
This is closer to the structure I want for a common struct
auth_usersupplied_info.

Andrew Bartlett
2010-06-07 23:34:28 +10:00
Andrew Bartlett
23159453d3 s3:auth Rename user_info->smb_name -> user_info->client.account_name
This is closer to the structure I want for a common struct
auth_usersupplied_info.

Andrew Bartlett
2010-06-07 23:34:28 +10:00
Andrew Bartlett
a6e07c22a3 s3:auth Rename wksta_name -> workstation_name in auth_usersupplied_info 2010-06-01 17:11:25 +10:00
Simo Sorce
33c633df0b s3:auth make it easier to trace auth modules 2010-05-29 17:08:10 -04:00
Volker Lendecke
a2d1e5e0f7 s3: Remove the make_auth_methods routine
This was just TALLOC_ZERO_P
2010-04-11 13:53:19 +02:00
Volker Lendecke
e35a2f89b2 s3: Fix some nonempty lines 2010-04-11 13:53:18 +02:00
Volker Lendecke
081573091b s3: Remove the typedef for "auth_serversupplied_info" 2010-01-10 20:56:16 +01:00
Volker Lendecke
9bb4766bba s3: Remove the typedef for "auth_usersupplied_info" 2010-01-10 20:56:16 +01:00
Volker Lendecke
64ddd381b7 Rename server_info->was_mapped to server_info->nss_token
"nss_token" from my point of view much better reflects what this flag actually
represents
(This used to be commit b121a5acb2)
2008-05-07 14:47:29 +02:00
Günther Deschner
5b8591c05f Add debug statement in auth_winbind to display wbcAuthenticateUserEx error code.
Guenther
(This used to be commit 0ad00a452f)
2008-03-26 01:29:56 +01:00
Stefan Metzmacher
b397b5cb8f auth_winbind: use wbcAuthenticateUserEx()
smbd doesn't need $(WBCOMMON_OBJ) anymore,
it works with any libwbclient.so now
and may talk to an older winbindd.

metze
(This used to be commit e3435930a3)
2008-02-13 13:30:16 +01:00
Jeremy Allison
99e349b35d More logical operations on booleans. IBM checker.
Jeremy.
(This used to be commit e289a0c859)
2008-01-04 23:24:15 -08:00
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Gerald Carter
5b105eaf7c r21940: Sorry Volker, I have to revert your revert in r21935.
We can talk about this later if you still feel that strongly
but I need to fix the build for now.
(This used to be commit c7df0cad82)
2007-10-10 12:18:50 -05:00
Volker Lendecke
719f4657e8 r21935: Revert obviously not sufficiently tested code -- sorry for the pain. I am afraid I was basically off the net for the day
(This used to be commit 08c29abc03)
2007-10-10 12:18:50 -05:00
Volker Lendecke
3fdef9433a r21878: Fix a bug with smbd serving a windows terminal server: If winbind decides smbd
to be idle it might happen that smbd needs to do a winbind operation (for
example sid2name) as non-root. This then fails to get the privileged
pipe. When later on on the same connection another authentication request
comes in, we try to do the CRAP auth via the non-privileged pipe.

This adds a winbindd_priv_request_response() request that kills the existing
winbind pipe connection if it's not privileged.

Volker
(This used to be commit e5741e27c4)
2007-10-10 12:18:42 -05:00
Volker Lendecke
72e9a5d9e6 r18665: Remove two type-punned warnings
(This used to be commit 157b2c0c26)
2007-10-10 12:00:45 -05:00
Volker Lendecke
f852fdbe06 r17626: Some C++ Warnings
(This used to be commit 09e7c010f0)
2007-10-10 11:38:44 -05:00
Volker Lendecke
dc9f30b8b0 r15475: Ugly and disgusting patch to fix the username map problem I created by
changing the token generation. I *hate* this code!

Jerry, you have been looking at this as well, can you double-check that I did
not screw it up?

Thanks,

Volker
(This used to be commit 2765c4ff8d)
2007-10-10 11:16:52 -05:00
Volker Lendecke
83e4ea7e85 r15472: Remove an unused function parameter
(This used to be commit d2f39ae7fe)
2007-10-10 11:16:52 -05:00
Gerald Carter
8c9eb7631e r15053: fix portabilities issues between 32-bit winbind clients and a 64-bit winbindd server
(This used to be commit a95d11345e)
2007-10-10 11:16:00 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Jeremy Allison
fcceedd67c r11573: Adding Andrew Bartlett's patch to make machine account
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes
the auth module interface to 2 (from 1). The effect of this is
that clients can access resources as a machine account if they
set these flags. This is the same as Windows (think of a VPN
where the vpn client authenticates itself to a VPN server
using machine account credentials - the vpn server checks
that the machine password was valid by performing a machine
account check with the PDC in the same was as it would a
user account check. I may add in a restriction (parameter)
to allow this behaviour to be turned off (as it was previously).
That may be on by default.
Andrew Bartlett please review this change carefully.
Jeremy.
(This used to be commit d1caef8663)
2007-10-10 11:05:20 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
2007-10-10 11:04:48 -05:00
Jeremy Allison
19ca97a70f r7882: Looks like a large patch - but what it actually does is make Samba
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145)
2007-10-10 10:58:00 -05:00
Andrew Bartlett
d5a03878ef r3616: Merge for 3.0.8.
In auth_winbind, remove the push_utf8 calls, as this is no longer a
UTF8 interface.  (Removed from everywhere else earlier).

Tested with ASCII - I tried to load the weird charset for testing, but
it doesn't seem to work any more.

Andrew Bartlett
(This used to be commit cb27c197ee)
2007-10-10 10:53:10 -05:00
Jeremy Allison
8c0db1bbc4 r786: Memory leak fixes in (mostly) error code paths from
kawasa_r@itg.hitachi.co.jp. A couple of mem leak fixes in
mainline code paths though :-).
Jeremy.
(This used to be commit 4695cc95fe)
2007-10-10 10:51:38 -05:00
Gerald Carter
682f20c9ca * add a few useful debug lines
* fix bug involving Win9x clients.  Make sure we
  save the right case for the located username
  in fill_sam_account()
(This used to be commit 850e4be29e)
2003-12-19 00:33:09 +00:00
Gerald Carter
e7f41de758 make sure to call get_user_groups() with the full winbindd name for a user if he;she has one; bug 406
(This used to be commit 1737b36e91)
2003-10-07 16:34:23 +00:00
Herb Lewis
aa39cc37da get rid of more compiler warnings
(This used to be commit 398bd14fc6)
2003-08-15 04:42:05 +00:00
Gerald Carter
0b18acb841 and so it begins....
* remove idmap_XX_to_XX calls from smbd.  Move back to the
  the winbind_XXX and local_XXX calls used in 2.2

* all uid/gid allocation must involve winbindd now

* move flags field around in winbindd_request struct

* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
  to prevent automatic allocation for unknown SIDs

* add 'winbind trusted domains only' parameter to force a domain member
  server to use matching users names from /etc/passwd for its domain
  (needed for domain member of a Samba domain)

* rename 'idmap only' to 'enable rid algorithm' for better clarity
  (defaults to "yes")

code has been tested on

  * domain member of native mode 2k domain
  * ads domain member of native mode 2k domain
  * domain member of NT4 domain
  * domain member of Samba domain
  * Samba PDC running winbindd with trusts

Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'

This will be a long week of changes.  The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4)
2003-07-07 05:11:10 +00:00
Andrew Bartlett
61116049ca This patch takes the work the jerry did for beta2, and generalises it:
- The 'not implmented' checks are now done by all auth modules
 - the ntdomain/trustdomain/winbind modules are more presise as to
   what domain names they can and cannot handle
 - The become_root() calls are now around the winbind pipe opening only,
   not the entire auth call
 - The unix username is kept seperate from the NT username, removing the
   need for 'clean off the domain\' in parse_net.c
 - All sid->uid translations are now validated with getpwuid() to put a very
   basic stop to logins with 'half deleted' accounts.

Andrew Bartlett
(This used to be commit 85f88191b9)
2003-07-03 14:36:42 +00:00