1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

153 Commits

Author SHA1 Message Date
Jeremy Allison
e627362622 r17837: Split out the storing of memory cached credentials
from the krb5 ticket renewal code. This allows cached
credentials to be stored for single sign-on via ntlm_auth
for machines in a domain still using NTLM. Also (hopefully)
fixes the reference counting problem with pam_logon/logoff
so multiple logons/logoffs won't lose cached credentials.
This compiles, but I'm intending to test it over the weekend
so don't complain too much :-). I also want it in the tree
so Coverity can scan it for errors. Guenther, check this over
please - I ran through the architecture with Jerry and he's
ok with it, but this is modifying your code a lot.
Jeremy.
(This used to be commit 679eeeb911)
2007-10-10 11:38:53 -05:00
Gerald Carter
975b159490 r17723: * BUG 3969: Fix unsigned time comparison with expiration policy from AD DC
* Merge patches from SLES10 to make sure we talk to the correct
  winbindd process when performing pam_auth (and pull the password policy info).
(This used to be commit 43bd8c00ab)
2007-10-10 11:38:46 -05:00
Jeremy Allison
4031af7606 r17617: Take Andrew Bartletts excellent advice and don't store
the nt hash directly in the winbindd cache, store a
salted version (MD5 of salt + nt_hash). This is what
we do in the LDAP password history code. We store
this salted cache entry under the same name as an old
entry (CRED/<sid>) but detect it on read by checking
if there are 17 bytes of data after the first stored
hash (1 byte len, 16 bytes hash). GD PLEASE CHECK.
Jeremy.
(This used to be commit 89d0163a97)
2007-10-10 11:38:43 -05:00
Jeremy Allison
b41e14abfd r17610: Added the ability for firefox to drive the winbindd
ntlm_auth module to allow it to use winbindd cached
credentials.The credentials are currently only stored
in a krb5 MIT environment - we need to add an option to
winbindd to allow passwords to be stored even in an NTLM-only
environment.
Patch from Robert O'Callahan, modified with some fixes
by me.
Jeremy.
(This used to be commit ae7cc298a1)
2007-10-10 11:38:43 -05:00
Volker Lendecke
0b56ff1ea3 r17605: Some C++ warnings
(This used to be commit 05268d7a73)
2007-10-10 11:38:42 -05:00
Andrew Bartlett
0dc8f720e1 r17005: Add a new helper mode to ntlm_auth: ntlm-change-password-1
This mode proxies pre-calculated blobs from a remote (probably VPN)
client into the domain.  This allows clients to change their password
over a PPTP connection (where they would not be able to connect to
SAMR directly).

The precalculated blobs do not reveal the plaintext password.

Original patch by Alexey Kobozev <cobedump@gmail.com>
(This used to be commit 967292b713)
2007-10-10 11:19:17 -05:00
Jeremy Allison
61578c2308 r16610: Subtle one from Klocwork #2076. If multiple flags
are set in a winbindd request it might overwrite existing
state->response.extra_data.data values without freeing.
Jeremy.
(This used to be commit 4e7262c81a)
2007-10-10 11:19:03 -05:00
Günther Deschner
e9b3f293ae r16480: (Ugly) workaround before the set_dc_type_flags & friends cleanup:
When trying to login using krb5 with a trusted domain account, we
need to make sure that our and the remote domain are AD.

Guenther
(This used to be commit 5853525f11)
2007-10-10 11:18:56 -05:00
Günther Deschner
4e7e731849 r16473: There is no point in calling set_dc_type_and_flags() before each
pam_auth login (when using kerberos).

Guenther
(This used to be commit 520777f794)
2007-10-10 11:18:55 -05:00
Günther Deschner
9f8adde941 r15983: Honour the krb5 principal name change (of the new ads join code) in the
kerberized winbind pam_auth.

Guenther
(This used to be commit 216125fe13)
2007-10-10 11:17:16 -05:00
Günther Deschner
bb09655e84 r15982: Fix confusing order of DEBUG statements in winbindds pam_auth.
Guenther
(This used to be commit 3f5a2e49c1)
2007-10-10 11:17:16 -05:00
Jeremy Allison
71465a6fbc r15539: Use portable wrapper functions instead of seteuid
directly in winbindd.
Jeremy.
(This used to be commit 2e65fcc9de)
2007-10-10 11:16:56 -05:00
Günther Deschner
f777697508 r15523: Honour the time_offset also when verifying kerberos tickets. This
prevents a nasty failure condition in winbindd's pam_auth where a tgt
and a service ticket could have been succefully retrieved, but just not
validated.

Guenther
(This used to be commit a75dd80c62)
2007-10-10 11:16:55 -05:00
Günther Deschner
af3490061b r15398: Attempt to send the correct warning when a password change was attempted
too early.

Guenther
(This used to be commit 7f64a66d25)
2007-10-10 11:16:40 -05:00
Günther Deschner
5b7ab95fc6 r15396: Cleanup credential caches from winbind's linked list.
Guenther
(This used to be commit 7420b09507)
2007-10-10 11:16:39 -05:00
Günther Deschner
351e749246 r15240: Correctly disallow unauthorized access when logging on with the
kerberized pam_winbind and workstation restrictions are in effect.

The krb5 AS-REQ needs to add the host netbios-name in the address-list.

We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from
the edata of the KRB_ERROR but the login at least fails when the local
machine is not in the workstation list on the DC.

Guenther
(This used to be commit 8b2ba11508)
2007-10-10 11:16:29 -05:00
Günther Deschner
66fd215dc7 r15229: Save useless roundtrips in pam_auth (fallback to samlogon) when we know
that the DC is not available.

Guenther
(This used to be commit 77407c0219)
2007-10-10 11:16:29 -05:00
Gerald Carter
8c9eb7631e r15053: fix portabilities issues between 32-bit winbind clients and a 64-bit winbindd server
(This used to be commit a95d11345e)
2007-10-10 11:16:00 -05:00
Günther Deschner
c684ca9b1f r14753: Fix the kerberized pam_auth: As we could have created a new credential
cache with a valid TGT in it but we werent able to get or verify the
service ticket for this local host afterwards and therefor didn't get
the PAC, we need to remove that ccache entirely.

Also remove an ugly pair of (not needed) seteuid calls around the ticket
destroy wrapper.

Guenther
(This used to be commit 25a2fb3896)
2007-10-10 11:15:45 -05:00
Günther Deschner
18909a1dc7 r14674: Further cleanup for cached logins, only dump hashes with DEBUG_PASSWORD.
Guenther
(This used to be commit 24afdda2ae)
2007-10-10 11:15:43 -05:00
Günther Deschner
1d5ab8fd05 r14597: Merge DCERPC_FAULT constants from Samba 4.
Guenther
(This used to be commit 3f195f8248)
2007-10-10 11:15:38 -05:00
Günther Deschner
485a286a65 r14585: Tighten argument list of kerberos_kinit_password again,
kerberos_kinit_password_ext provides access to more options.

Guenther
(This used to be commit afc519530f)
2007-10-10 11:15:38 -05:00
Günther Deschner
85a44aafef r14514: Fixing last commit. Thanks Volker.
Guenther
(This used to be commit 345d2ab5d3)
2007-10-10 11:15:35 -05:00
Günther Deschner
a22d8d987c r14513: Fix winbindd_chauthtok: only fallback when the chgpasswd3 call is not
supported.

Is there a better way to check for the 0x1c010002 status code?

Guenther
(This used to be commit c7268dc9ac)
2007-10-10 11:15:35 -05:00
Günther Deschner
9e7e429c98 r14507: Re-disable accidentially re-enabled paranoia check. This should make
offline logons work again with NT4 and older Samba3 DCs.

Guenther
(This used to be commit 0892077fce)
2007-10-10 11:15:35 -05:00
Günther Deschner
3cbdb090b9 r14496: Add WBFLAG_PAM_GET_PWD_POLICY bit to only callout for domain password
policies when requested.

No panic, the flags is uint32 so we are not running out of WBFLAG bits.

Guenther
(This used to be commit 2155bb0535)
2007-10-10 11:15:34 -05:00
Günther Deschner
88ae0a25ba r14493: There is no point in falling back to a samlogon when a krb5login has
failed with a clear error indication. This prevents the bad logon count
beeing increased on the DC.

Guenther
(This used to be commit 5fdddffba5)
2007-10-10 11:15:34 -05:00
Gerald Carter
0ce53f8ba5 r14403: * modifies create_local_nt_token() to create a BUILTIN\Administrators
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes'

* Add a SID domain to the group mapping enumeration passdb call
  to fix the checks for local and builtin groups.  The SID can be
  NULL if you want the old semantics for internal maintenance.
  I only updated the tdb group mapping code.

* remove any group mapping from the tdb that have a
  gid of -1 for better consistency with pdb_ldap.c.
  The fixes the problem with calling add_group_map() in
  the tdb code for unmapped groups which might have had
  a record present.

* Ensure that we distinguish between groups in the
  BUILTIN and local machine domains via getgrnam()
  Other wise BUILTIN\Administrators & SERVER\Administrators
  would resolve to the same gid.

* Doesn't strip the global_sam_name() from groups in the
  local machine's domain (this is required to work with
  'winbind default domain' code)

Still todo.

* Fix fallback Administrators membership for root and domain Admins
  if nested groups = no or winbindd is not running

* issues with "su - user -c 'groups'" command

* There are a few outstanding issues with BUILTIN\Users that
  Windows apparently tends to assume.  I worked around this
  presently with a manual group mapping but I do not think
  this is a good solution.  So I'll probably add some similar
  as I did for Administrators.
(This used to be commit 612979476a)
2007-10-10 11:15:28 -05:00
Günther Deschner
a8dd32649b r14392: Use KRB5_TGS_NAME.
Guenther
(This used to be commit 4cfd737cc1)
2007-10-10 11:15:28 -05:00
Jeremy Allison
478cd9dd53 r14275: Shut-up coverity false positive (bug #199) by making an assertion
explicit.
Jeremy.
(This used to be commit aeae20a8d9)
2007-10-10 11:15:22 -05:00
Jeremy Allison
1ab0d76f02 r14259: Fix coverity #42. Ensure contact_domain can't be null derefed
in error code path.
Jeremy.
(This used to be commit 9f5fcdd8fb)
2007-10-10 11:15:21 -05:00
Günther Deschner
14e904fe86 r14148: Removing the not very well tested krb5 ticket refresh handling activated
over --with-kcm. No time to look after it for the moment.

Guenther
(This used to be commit 7ec2b31a87)
2007-10-10 11:15:13 -05:00
Volker Lendecke
1d5ed2bde9 r13914: Fix Coverity bug #151.
I think this is actually a false warning, but as I've seen it with high gcc
warning levels, lets fix it :-)

Volker
(This used to be commit 3f671033bc)
2007-10-10 11:10:59 -05:00
Volker Lendecke
0382d3c26b r13895: As agreed upon with gd on the phone, remove WBFLAG_PAM_CONTACT_TRUSTDOM. This
can not work for NTLM auth, where we only have a workstation account for our
own domain. For the PAM Kerberos login we need to find a better way to do
this, probably using Dsr_GetDCName and some winbind-crafted krb5.conf.

Volker
(This used to be commit bf7c608147)
2007-10-10 11:10:59 -05:00
Günther Deschner
8b1d9b7a6d r13720: Only lockout Administrator after x bad password attempts in offline-mode
when we are told to do so by the password_properties.

Guenther
(This used to be commit 30f2fdef79)
2007-10-10 11:10:50 -05:00
Gerald Carter
d95e13e68f r13679: Commiting the rm_primary_group.patch posted on samba-technical
* ignore the primary group SID attribute from struct samu*
* generate the primary group SID strictlky from the Unix
  primary group when dealing with passdb users
* Fix memory leak in original patch caused by failing to free a
  talloc *
* add wrapper around samu_set_unix() to prevent exposing the create
  BOOL to callers.  Wrappers are samu_set_unix() and samu-allic_rid_unix()
(This used to be commit bcf269e2ec)
2007-10-10 11:10:23 -05:00
Günther Deschner
fd5ecef41c r13639: Never overwrite the acct_flags in rpccli_netlogon_sam_network_logon().
Guenther
(This used to be commit c201e51de3)
2007-10-10 11:10:20 -05:00
Gerald Carter
fb5362c069 r13571: Replace all calls to talloc_free() with thye TALLOC_FREE()
macro which sets the freed pointer to NULL.
(This used to be commit b65be8874a)
2007-10-10 11:10:14 -05:00
Günther Deschner
f0ed0440c4 r13492: As noone objected on the mailing-list:
Fix parse_domain_user to fail when splitting a full name like "DOM\user"
when "winbind use default domain" and "winbind trusted domains only" are
not enabled.

This allows pam_winbind to behave correctly when more modules are
stacked in the "account" or "password" PAM facility. pam_winbindd calls
WINBINDD_GETPWNAM which can decide whether or not a user is a winbind
user and return correct PAM error codes.

Guenther
(This used to be commit e6d52c1e9d)
2007-10-10 11:10:06 -05:00
Günther Deschner
e83c7d0141 r13442: Implement samr_chgpasswd_user3 server-side.
Guenther
(This used to be commit f60eddc0a4)
2007-10-10 11:10:03 -05:00
Günther Deschner
2d743ac8f1 r13409: No functional changes, just some DEBUG cleanup.
Guenther
(This used to be commit 286f6fc233)
2007-10-10 11:09:59 -05:00
Günther Deschner
3ad6e4d279 r13377: Fix from Volker: Make offline authentication work with NT4 as well
(handle no ACB_NORMAL flag and save name2sid as early as possible).

Guenther
(This used to be commit a04a5e40b7)
2007-10-10 11:09:57 -05:00
Günther Deschner
9cdab6ddc0 r13375: Match XP behaviour: Don't force 'Administrator' to change an expired
password on logon. (this might be true for all domain admins as well).

Guenther
(This used to be commit 24c6b9fecb)
2007-10-10 11:09:56 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Jeremy Allison
dac44fded7 r13042: Fix for bug #3248 Stefan Burkei <stefan@burkei.de>.
When doing auth_crap authentication use the client
given workstation name not our own.
Jeremy.
(This used to be commit a2bb2e3e81)
2007-10-10 11:06:11 -05:00
Volker Lendecke
28fb5b6f97 r12313: Introduce yet another copy of the string_sub function:
talloc_string_sub. Someone with time on his hands could convert all the
callers of all_string_sub to this.

realloc_string_sub is *only* called from within substitute.c, it could be
moved there I think.

Volker
(This used to be commit be6c9012da)
2007-10-10 11:05:53 -05:00
Günther Deschner
cf974b8d60 r11851: Display correct error string.
Guenther
(This used to be commit 4d681f560e)
2007-10-10 11:05:30 -05:00
Volker Lendecke
e6296083c2 r11667: Fix a debug message
(This used to be commit d1f506fa13)
2007-10-10 11:05:24 -05:00
Gerald Carter
a4d729bdfa r11661: Store the INFO3 in the PAC data into the netsamlogon_cache.
Also remove the mem_ctx from the netsamlogon_cache_store() API.

Guenther, what should we be doing with the other fields in
the PAC_LOGON_INFO?
(This used to be commit 8bead2d282)
2007-10-10 11:05:23 -05:00
Gerald Carter
ce0a1fa159 r11652: Reinstate the netsamlogon_cache in order to work
around failed query_user calls.  This fixes
logons to a member of a Samba domain as a user from a
trusted AD domain.

As per comments on samba-technical, I still need to add

(a) cache the PAC info as werll as NTLM net_user_info_3
(b) expire the cache when the SMB session goes away

Both Jeremy and Guenther have signed off on the idea.
(This used to be commit 0c2bb5ba7b)
2007-10-10 11:05:23 -05:00