1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

66 Commits

Author SHA1 Message Date
Volker Lendecke
4df055bbbb auth3: Avoid an explicit ZERO_STRUCT
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-10-17 19:22:19 +02:00
Stefan Metzmacher
d4ba23fd35 s3/auth: add create_info6_from_pac()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Andreas Schneider
05ebafd91e s3:rpc_client: Clenup copy_netr_SamInfo3() code
This gets rid of some strange macro and makes sure we clenaup at the
end.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13209

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jan 15 22:16:13 CET 2018 on sn-devel-144
2018-01-15 22:16:13 +01:00
Ralph Boehme
158c89068b s3/rpc_client: move copy_netr_SamInfo3() to util_netlogon
The next commit will add an additional caller that in rpc_client and I
don't want to pull in AUTH_COMMON. The natural place to consolidate
netlogon related helper functions seems to be util_netlogon.c which
already has copy_netr_SamBaseInfo().

No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:08 +01:00
Volker Lendecke
c5b9c58032 lib: Add lib/util_unixsids.h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-12-28 20:17:12 +01:00
Stefan Metzmacher
4406cf792a krb5pac.idl: introduce PAC_DOMAIN_GROUP_MEMBERSHIP to handle the resource groups
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 30 07:16:45 CEST 2016 on sn-devel-144
2016-06-30 07:16:45 +02:00
Volker Lendecke
88c4687945 idl: Rename "principle" to "principal_name"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2016-02-02 08:42:09 +01:00
Uri Simchoni
d8717a038e auth: consistent handling of well-known alias as primary gid
When a local user has its primary group id mapped to a well-known
alias or a builtin group, smbd accepts logins of such a user, but
fails tree-connects to shares with a "force user" set to this user
with an error of NT_STATUS_INVALID_SID.

This fix causes the connect to succeed and the NT token to resemble
the token that would have been created in a login.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-11-19 20:17:23 +01:00
Uri Simchoni
42b7d48f76 auth: remove a line that has no effect
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-11-19 20:17:23 +01:00
Jeremy Allison
83066ed539 s3: auth: Add previously missing allocation fail check.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-01-14 06:24:06 +01:00
Jeremy Allison
60895e62fe s3: auth: Plumb in the SamInfo3_handle_sids() utility function into passwd_to_SamInfo3().
Core fix for:

https://bugzilla.samba.org/show_bug.cgi?id=11044

Based on code from Michael Zeis <mzeis.quantum@gmail.com>

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-01-14 06:24:06 +01:00
Jeremy Allison
d20b2d3972 s3: auth: Convert samu_to_SamInfo3() to use the new utility function.
Based on code from Michael Zeis <mzeis.quantum@gmail.com>

https://bugzilla.samba.org/show_bug.cgi?id=11044

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-01-14 06:24:06 +01:00
Jeremy Allison
9395243890 s3: auth: Add a utility function - SamInfo3_handle_sids() that factors out the code to handle "Unix Users" and "Unix Groups".
Based on code from Michael Zeis <mzeis.quantum@gmail.com>

https://bugzilla.samba.org/show_bug.cgi?id=11044

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-01-14 06:24:06 +01:00
Jeremy Allison
db775c68cc s3: auth: Add create_info3_from_pac_logon_info() to create a new info3 and merge resource group SIDs into it.
Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
2014-06-18 01:03:13 +02:00
Jeremy Allison
c2411767ad s3: auth: Add some const to the struct netr_SamInfo3 * arguments of copy_netr_SamInfo3() and make_server_info_info3()
Both functions only read from the struct netr_SamInfo3 * argument.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
2014-06-18 01:03:13 +02:00
Andrew Bartlett
b7b5a1f5bd auth: Move wbcAuthUserInfo_to_netr_SamInfo3 to the top level
This allows auth_winbind in source4 to use this more correct conversion routine.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-04-18 20:08:09 +02:00
Simo Sorce
cf73692f96 s3-auth: Make is_null_sid() check easier to read.
Signed-off-by: Simo Sorce <idra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-03-13 15:08:26 +01:00
Andreas Schneider
40e6456b58 s3-auth: Add passwd_to_SamInfo3().
Correctly lookup users which come from smb.conf. passwd_to_SamInfo3()
tries to contact winbind if the user is a domain user to get
valid information about it. If winbind isn't running it will try to
create everything from the passwd struct. This is not always reliable
but works in most cases. It improves the current situation which doesn't
talk to winbind at all.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb  5 01:40:38 CET 2014 on sn-devel-104
2014-02-05 01:40:37 +01:00
Andreas Schneider
1bb11c7744 s3-auth: Add passwd_to_SamInfo3().
First this function tries to contacts winbind if the user is a domain
user to get valid information about it. If winbind isn't running it will
try to create everything from the passwd struct. This is not always
reliable but works in most cases. It improves the current situation
which doesn't talk to winbind at all.

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-02-05 11:41:25 +13:00
Stefan Metzmacher
009cf6e9ce s3:auth: wbcAuthenticateEx gives unix times (bug #9625)
We also need to convert last_logon, last_logoff and acct_expiry
from unix time to nt time.

Otherwise a windows member server will reject clients
using CAP_DYNAMIC_REAUTH or smb2) with STATUS_NETWORK_SESSION_EXPIRED,
if the logoff and kickoff time is expired.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb  1 18:42:42 CET 2013 on sn-devel-104
2013-02-01 18:42:42 +01:00
Günther Deschner
f2d9589b17 s3-auth: remove crypto from serverinfo_to_SamInfoX calls.
All crypto is dealt with within the netlogon samlogon server now.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-09 19:39:08 +01:00
Günther Deschner
7f435bd649 s3-auth: session keys in validation level 6 samlogon replies are *not* encrypted.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-09 19:39:08 +01:00
Alejandro Escanero Blanco
6132cf2a5c s3:auth/server_info: the primary rid should be in the groups rid array (bug #8798)
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed May  9 19:36:01 CEST 2012 on sn-devel-104
2012-05-09 19:36:01 +02:00
Stefan Metzmacher
dab7b0e717 s3:auth: fill the sids array of the info3 in wbcAuthUserInfo_to_netr_SamInfo3() (bug #8739)
Originally, only the rid array was filled and foreign domain sids were omitted.

Pair-Programmed-With: Michael Adam <obnox@samba.org>

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Feb  2 12:59:32 CET 2012 on sn-devel-104
2012-02-02 12:59:32 +01:00
Stefan Metzmacher
adbab7710d s3:auth: fix potential gap creation in wbcsids_to_samr_RidWithAttributeArray()
Pair-Programmed-With: Michael Adam <obnox@samba.org>

metze
2012-02-02 11:25:08 +01:00
Simo Sorce
8870daeb8d idl: Improve MS-PAC IDL
Change some misleading variable names to reflect the actual function.
Add missing field name/types previously marked as unkown.

Signed-off-by: Günther Deschner <gd@samba.org>

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Oct 24 19:19:28 CEST 2011 on sn-devel-104
2011-10-24 19:19:28 +02:00
Wilco Baan Hofman
c52b571506 Fix uninitialized memory problem in group_sids_to_info3 (fixes bug #8455).
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Mon Oct 17 23:32:58 CEST 2011 on sn-devel-104
2011-10-17 23:32:58 +02:00
Volker Lendecke
3dcec44f3e s3: Fix bug 8455 -- Samba PDC is looking up only primary user group
group_sids_to_info3 does a sid_peek_check_rid on the domain sid before adding
the rids to the array. If the domain sid is 0x0, then the check will always
fail.

Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sat Sep 17 00:51:27 CEST 2011 on sn-devel-104
2011-09-17 00:51:27 +02:00
Andrew Bartlett
d2a661a531 s3-auth Remove pointless destructor in make_server_info
All the callers allocate ->info3 as a talloc child already.

As regardes the TALLOC_ZERO(), I added this originally out of parinoia
many years ago.  We do not consistantly zero session keys in memory,
and for NTLMv2 and Kerberos they are random for each sesssion, so
breaking into smbd far enough to read an old session key isn't a
particularly interesting attack, compared with (say) reading the
keytab or the password database.  (NTLM and LM session keys are fixed
derivitives of the passwords however).

Andrew Bartlett
2011-07-20 09:17:15 +10:00
Andrew Bartlett
15123d96ff s3-auth inline make_auth_session_info into only caller 2011-07-20 09:17:15 +10:00
Andrew Bartlett
9fcc617ff5 s3-auth Use the common auth_session_info
This patch finally has the same structure being used to describe the
authorization data of a user across the whole codebase.

This will allow of our session handling to be accomplished with common code.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:13 +10:00
Andrew Bartlett
9d96b78f31 s3-auth Remove pointless destructor
All the users of this structure allocate info3 on the session_info

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:13 +10:00
Andrew Bartlett
6d741e918f s3-auth Use *unix_token rather than utok in struct auth3_session_info
This brings this structure one step closer to the struct auth_session_info.

A few SMB_ASSERT calls are added in some key places to ensure that
this pointer is initialised, to make tracing any bugs here easier in
future.

NOTE: Many of the users of this structure should be reviewed, as unix
and NT access checks are mixed in a way that should just be done using
the NT ACL.  This patch has not changed this behaviour however.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:10 +10:00
Andrew Bartlett
d7d8a5ed94 s3-auth Add struct auth3_session_info to aid transition to auth_session info
This will allow a gradual conversion of the required elements from the
current struct auth_serversupplied_info.

This commit adds the structure definition and some helper functions to
copy between the two structures.

At this stage these structures and functions are IDENTICAL to the
existing code, and so show the past history of that code.  The plan is
to slowly modify them over the course of the patch series, so that the
changes being made a clear.

By using a seperate structure to auth_serversupplied_info we can
remove elements that are not needed after the authentication, and we
can choose a layout that best reflects the needs of runtime users,
rather than the internals of the authentication subsystem.

By eventually using the auth_session_info from auth.idl, we will gain
a single session authorization structure across the whole codebase,
allowing more code to be shared, and a much more transparent process
for forwarding authorization credentials over the named pipe proxy.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:10 +10:00
Andrew Bartlett
ad0a07c531 s3-talloc Change TALLOC_ZERO_P() to talloc_zero()
Using the standard macro makes it easier to move code into common, as
TALLOC_ZERO_P isn't standard talloc.
2011-06-09 12:40:08 +02:00
Andrew Bartlett
ff9b6682a0 s3-auth Rename user_session_key -> session_key to match auth_session_info 2011-04-05 06:32:07 +10:00
Günther Deschner
7e73214ebf s3-auth: use auth.h where needed.
Guenther
2011-03-30 01:13:09 +02:00
Günther Deschner
2f36ef7225 s3-passdb: add passdb.h where needed.
Guenther
2011-03-30 01:13:07 +02:00
Günther Deschner
d85f140826 s3-winbind: remove global inclusion of libwbclient.
Guenther
2011-03-30 01:13:06 +02:00
Stefan Metzmacher
d7fa349052 s3:auth: change num_groups to from size_t to uint32_t
This will help with the change from UNIX_USER_TOKEN to security_unix_token

metze
2011-02-22 16:20:11 +11:00
Günther Deschner
ac4127a9f4 s3-auth: add copy_netr_SamBaseInfo().
Guenther

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-04 16:57:32 +01:00
Volker Lendecke
c6b5136f02 s3: Fix bug 7066 -- wbcAuthenticateEx gives unix times
We might eventually want to change this, but right now we get unix times
out of the winbind pipe struct
2010-12-19 23:25:06 +01:00
Volker Lendecke
097be4b101 s3: Make proper use of sid_check_is_in_xx routines
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Fri Nov  5 15:35:59 UTC 2010 on sn-devel-104
2010-11-05 15:35:59 +00:00
Volker Lendecke
26b2a132ff s3: Fix a typo 2010-11-05 15:54:05 +01:00
Andreas Schneider
f22e6cf3b7 s3-rpc_server: Make auth_serversupplied_info const. 2010-10-15 11:34:03 +00:00
Andrew Bartlett
f768b32e37 libcli/security Provide a common, top level libcli/security/security.h
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.

This includes (along with other security headers) dom_sid.h and
security_token.h

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
2010-10-12 05:54:10 +00:00
Günther Deschner
102a70e809 s3-util: use shared dom_sid_dup.
Guenther
2010-09-20 14:05:07 -07:00
Günther Deschner
4dbd743e46 s3-util_sid: use shared dom_sid_compare_auth and dom_sid_equal_X functions.
Guenther
2010-09-20 14:04:37 -07:00
Günther Deschner
0f8e032628 s3-netlogon: remove global include of netlogon.h.
This reduces precompiled headers by another 4 MB and also slightly speeds up the
build.

Guenther
2010-08-06 15:46:16 +02:00
Volker Lendecke
032bf5c629 s3: Fix a typo (missing space) 2010-07-24 11:19:42 +02:00