1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

121 Commits

Author SHA1 Message Date
Volker Lendecke
1d5ed2bde9 r13914: Fix Coverity bug #151.
I think this is actually a false warning, but as I've seen it with high gcc
warning levels, lets fix it :-)

Volker
(This used to be commit 3f671033bc)
2007-10-10 11:10:59 -05:00
Volker Lendecke
0382d3c26b r13895: As agreed upon with gd on the phone, remove WBFLAG_PAM_CONTACT_TRUSTDOM. This
can not work for NTLM auth, where we only have a workstation account for our
own domain. For the PAM Kerberos login we need to find a better way to do
this, probably using Dsr_GetDCName and some winbind-crafted krb5.conf.

Volker
(This used to be commit bf7c608147)
2007-10-10 11:10:59 -05:00
Günther Deschner
8b1d9b7a6d r13720: Only lockout Administrator after x bad password attempts in offline-mode
when we are told to do so by the password_properties.

Guenther
(This used to be commit 30f2fdef79)
2007-10-10 11:10:50 -05:00
Gerald Carter
d95e13e68f r13679: Commiting the rm_primary_group.patch posted on samba-technical
* ignore the primary group SID attribute from struct samu*
* generate the primary group SID strictlky from the Unix
  primary group when dealing with passdb users
* Fix memory leak in original patch caused by failing to free a
  talloc *
* add wrapper around samu_set_unix() to prevent exposing the create
  BOOL to callers.  Wrappers are samu_set_unix() and samu-allic_rid_unix()
(This used to be commit bcf269e2ec)
2007-10-10 11:10:23 -05:00
Günther Deschner
fd5ecef41c r13639: Never overwrite the acct_flags in rpccli_netlogon_sam_network_logon().
Guenther
(This used to be commit c201e51de3)
2007-10-10 11:10:20 -05:00
Gerald Carter
fb5362c069 r13571: Replace all calls to talloc_free() with thye TALLOC_FREE()
macro which sets the freed pointer to NULL.
(This used to be commit b65be8874a)
2007-10-10 11:10:14 -05:00
Günther Deschner
f0ed0440c4 r13492: As noone objected on the mailing-list:
Fix parse_domain_user to fail when splitting a full name like "DOM\user"
when "winbind use default domain" and "winbind trusted domains only" are
not enabled.

This allows pam_winbind to behave correctly when more modules are
stacked in the "account" or "password" PAM facility. pam_winbindd calls
WINBINDD_GETPWNAM which can decide whether or not a user is a winbind
user and return correct PAM error codes.

Guenther
(This used to be commit e6d52c1e9d)
2007-10-10 11:10:06 -05:00
Günther Deschner
e83c7d0141 r13442: Implement samr_chgpasswd_user3 server-side.
Guenther
(This used to be commit f60eddc0a4)
2007-10-10 11:10:03 -05:00
Günther Deschner
2d743ac8f1 r13409: No functional changes, just some DEBUG cleanup.
Guenther
(This used to be commit 286f6fc233)
2007-10-10 11:09:59 -05:00
Günther Deschner
3ad6e4d279 r13377: Fix from Volker: Make offline authentication work with NT4 as well
(handle no ACB_NORMAL flag and save name2sid as early as possible).

Guenther
(This used to be commit a04a5e40b7)
2007-10-10 11:09:57 -05:00
Günther Deschner
9cdab6ddc0 r13375: Match XP behaviour: Don't force 'Administrator' to change an expired
password on logon. (this might be true for all domain admins as well).

Guenther
(This used to be commit 24c6b9fecb)
2007-10-10 11:09:56 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Jeremy Allison
dac44fded7 r13042: Fix for bug #3248 Stefan Burkei <stefan@burkei.de>.
When doing auth_crap authentication use the client
given workstation name not our own.
Jeremy.
(This used to be commit a2bb2e3e81)
2007-10-10 11:06:11 -05:00
Volker Lendecke
28fb5b6f97 r12313: Introduce yet another copy of the string_sub function:
talloc_string_sub. Someone with time on his hands could convert all the
callers of all_string_sub to this.

realloc_string_sub is *only* called from within substitute.c, it could be
moved there I think.

Volker
(This used to be commit be6c9012da)
2007-10-10 11:05:53 -05:00
Günther Deschner
cf974b8d60 r11851: Display correct error string.
Guenther
(This used to be commit 4d681f560e)
2007-10-10 11:05:30 -05:00
Volker Lendecke
e6296083c2 r11667: Fix a debug message
(This used to be commit d1f506fa13)
2007-10-10 11:05:24 -05:00
Gerald Carter
a4d729bdfa r11661: Store the INFO3 in the PAC data into the netsamlogon_cache.
Also remove the mem_ctx from the netsamlogon_cache_store() API.

Guenther, what should we be doing with the other fields in
the PAC_LOGON_INFO?
(This used to be commit 8bead2d282)
2007-10-10 11:05:23 -05:00
Gerald Carter
ce0a1fa159 r11652: Reinstate the netsamlogon_cache in order to work
around failed query_user calls.  This fixes
logons to a member of a Samba domain as a user from a
trusted AD domain.

As per comments on samba-technical, I still need to add

(a) cache the PAC info as werll as NTLM net_user_info_3
(b) expire the cache when the SMB session goes away

Both Jeremy and Guenther have signed off on the idea.
(This used to be commit 0c2bb5ba7b)
2007-10-10 11:05:23 -05:00
Jeremy Allison
fcceedd67c r11573: Adding Andrew Bartlett's patch to make machine account
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes
the auth module interface to 2 (from 1). The effect of this is
that clients can access resources as a machine account if they
set these flags. This is the same as Windows (think of a VPN
where the vpn client authenticates itself to a VPN server
using machine account credentials - the vpn server checks
that the machine password was valid by performing a machine
account check with the PDC in the same was as it would a
user account check. I may add in a restriction (parameter)
to allow this behaviour to be turned off (as it was previously).
That may be on by default.
Andrew Bartlett please review this change carefully.
Jeremy.
(This used to be commit d1caef8663)
2007-10-10 11:05:20 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
2007-10-10 11:04:48 -05:00
Jeremy Allison
bc9c617b16 r10268: Fix for bug #3095 - winbindd checking credentials.
Jeremy.
(This used to be commit e58d8ee055)
2007-10-10 11:03:40 -05:00
Gerald Carter
dab71bed4e r9588: remove netsamlogon_cache interface...everything seems to work fine. Will deal with any fallout from special environments using a non-cache solution
(This used to be commit e1de6f238f)
2007-10-10 11:03:22 -05:00
Volker Lendecke
b62247f1ee r7785: This looks much larger than it is. It changes the top-level functions of the
parent winbind not to return winbindd_result. This is to hopefully fix all the
problems where a result has been scheduled for write twice.

The problematic ones have been the functions that might have been delayed as
well as under other circumstances immediately gets answered from the cache.

Now a request needs to be explicitly replied to with a request_error() or
request_ok().

Volker
(This used to be commit 7365c9accf)
2007-10-10 10:57:20 -05:00
Gerald Carter
1dfe111a09 r7454: couple of winbindd fixes
* make sure to use our domain as the account name in the net_req_auth2()
  request when running on a Samba DC
* make sure to lookup the correct domain (not default to ours) when getting an async
  getpwnam() call
(This used to be commit c9c3e3c122)
2007-10-10 10:57:09 -05:00
Gerald Carter
fed660877c r7415: * big change -- volker's new async winbindd from trunk
(This used to be commit a0ac9a8ffd)
2007-10-10 10:57:08 -05:00
Volker Lendecke
aa9132cc55 r5331: Support SIDs as %s replacements in the afs username map parameter.
Add 'log nt token command' parameter. If set, %s is replaced with the user
sid, and %t takes all the group sids.

Volker
(This used to be commit e7dc9fde45)
2007-10-10 10:55:37 -05:00
Günther Deschner
992ad28485 r4286: Give back 8 byte lm_session_key in Netrsamlogon-reply.
The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting
acct_flags with bizarre values, breaking a lot of things.

This patch is successfully running in a production environment for quite
some time now and is required to finally allow Exchange 5.5 to access
another Exchange Server when both are running on NT4 in a
samba-controlled domain. This also allows Exchange Replication to take
place, Exchange Administrator to access other Servers in the network,
etc. Fixes Bugzilla #1136.

Thanks abartlet for helping me with that one.

Guenther
(This used to be commit bd4c5125d6)
2007-10-10 10:53:41 -05:00
Jeremy Allison
acf9d61421 r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)
2007-10-10 10:53:32 -05:00
Andrew Bartlett
f219db7d69 r2762: Remove silly conversion to and from UTF8 on the winbind pipe. Fix the
naming of the require_membership_of parameter in pam_winbind and fix
the error code for 'you didn't specify a domain' in ntlm_auth.

Andrew Bartlett
(This used to be commit 4bf0b94011)
2007-10-10 10:52:51 -05:00
Andrew Bartlett
e357bc3216 r2755: Fix NTLMv2 for use with pam_winbind, the plaintext ntlm_auth modes,
and the wbinfo -a test tool.

If 'client ntlmv2 auth' is set, then we will send an NTLMv2, rather
than an NT/LM response to the server.

Andrew Bartlett
(This used to be commit ce2456e436)
2007-10-10 10:52:51 -05:00
Gerald Carter
0138c08516 r2177: use the correct counter when copying group rids from the user_info3 struct; patch from Dimitri van der Spek <dwspek@aboveit.nl>
(This used to be commit aa89806deb)
2007-10-10 10:52:34 -05:00
Gerald Carter
ed5fd7117e r2086: fix bug with winbindd_getpwnam() caused by Microsoft DC's not filling in the username in the user_info3
(This used to be commit 4703a71fa8)
2007-10-10 10:52:31 -05:00
Günther Deschner
6fb06bbc1a r1887: Fix deadlock loop in winbind's required_membership_sid-verification.
Guenther
(This used to be commit a0a6d7d72f)
2007-10-10 10:52:23 -05:00
Andrew Bartlett
9d0783bf21 r1492: Rework our random number generation system.
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork().

For other systems, we now only re-seed after a fork, and on startup.
No need to do it per-operation.  This removes the 'need_reseed'
parameter from generate_random_buffer().

Andrew Bartlett
(This used to be commit 36741d3cf5)
2007-10-10 10:52:13 -05:00
Jeremy Allison
7d9019432f r565: Uninitialized data fixes from kawasa_r@itg.hitachi.co.jp.
Jeremy.
(This used to be commit c23a73324b)
2007-10-10 10:51:29 -05:00
Gerald Carter
829f10ba51 r333: other half of fix for winbindd crask from gd@suse.de
(This used to be commit f902d52c82)
2007-10-10 10:51:20 -05:00
Volker Lendecke
c271c86180 r319: Fix a segfault in winbind. Thanks to Guenther Deschner for his valgrind log
:-)

Volker
(This used to be commit 91296a6003)
2007-10-10 10:51:18 -05:00
Andrew Bartlett
869348dfcb r84: Implement --required-membership-of=, an ntlm_auth option that restricts
all authentication to members of this particular group.

Also implement an option to allow ntlm_auth to get 'squashed' error codes,
which are safer to communicate to remote network clients.

Andrew Bartlett
(This used to be commit eb1c1b5eb0)
2007-10-10 10:51:07 -05:00
Andrew Bartlett
d17425ed52 r69: Global rename of 'nt_session_key' -> 'user_session_key'. The session key could
be anything, and may not be based on anything 'NT'.  This is also what microsoft
calls it.
(This used to be commit 724e8d3f33)
2007-10-10 10:51:06 -05:00
Volker Lendecke
56e7c149ba This restructures lib/afs.c so that the token data can be but into a
stream. This is to implement wbinfo -k that asks winbind for authentication
which then creates the AFS token for the authenticated user.

Volker
(This used to be commit 2df6750a07)
2004-04-01 12:31:50 +00:00
Andrew Bartlett
784b05c489 This adds client-side support for the unicode/SAMR password change scheme.
As well as avoiding DOS charset issues, this scheme returns useful error
codes, that we can map back via the pam interface.

This patch also cleans up the interfaces used for password buffers, to
avoid duplication of code.

Andrew Bartlett
(This used to be commit 2a2b1f0c87)
2004-01-26 08:45:02 +00:00
Andrew Bartlett
ade34c9ade Remove duplicate comment.
Andrew Bartlett
(This used to be commit b0b2010461)
2004-01-14 01:17:21 +00:00
Andrew Bartlett
c88d6d87ef Grumble... grumble... fix the build...
(This used to be commit 687aececa6)
2004-01-05 05:07:59 +00:00
Andrew Bartlett
a7f8c26d24 Change our Domain controller lookup routines to more carefully seperate
DNS names (realms) from NetBIOS domain names.

Until now, we would experience delays as we broadcast lookups for DNS names
onto the local network segments.

Now if DNS comes back negative, we fall straight back to looking up the
short name.

Andrew Bartlett
(This used to be commit 32397c8b01)
2004-01-05 04:10:28 +00:00
Andrew Bartlett
5d55674b52 Changes to our PAM code to cope with the fact that we can't handle some
domains (in particular, the domain of the current machine, if it is not a PDC)

By changing the error codes, we now return values that PAM can correctly
use for better stacking of PAM modules - in particular of the password change
module.

This allows pam_winbind to co-exist with other pam modules for password changes.

Andrew Bartlett
(This used to be commit 6a8cc7f012)
2003-12-31 08:45:03 +00:00
Andrew Bartlett
bcd0e51e28 Get the DOMAIN\username around the right way (I had username\domain...)
Push the unix username into utf8 for it's trip across the socket.

Andrew Bartlett
(This used to be commit 3225f262b1)
2003-12-30 22:27:33 +00:00
Andrew Bartlett
829188b34f Try to gain a bit more consistancy in the output of usernames from ntlm_auth:
Instead of returning a name in DOMAIN\user format, we now return it in the
same way that nsswtich does - following the rules of 'winbind use default
domain', in the correct case and with the correct seperator.

This should help sites who are using Squid or the new SASL code I'm working
on, to match back to their unix usernames.

Andrew Bartlett
(This used to be commit 7a3a5a6361)
2003-12-30 13:20:39 +00:00
Andrew Bartlett
3f0d0002ae Add a comment, and a useful debug message.
(This used to be commit df14b0af31)
2003-11-25 23:24:14 +00:00
Andrew Bartlett
fcbfc7ad06 Changes all over the shop, but all towards:
- NTLM2 support in the server
 - KEY_EXCH support in the server
 - variable length session keys.

In detail:

 - NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).

 * This is known as 'NTLMv2 session security' *

(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes.  We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)

This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed.  This also needs to be turned off for
'security=server', which does not support this.

- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.

- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.

- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure.  This should help the SPNEGO implementation.

- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.

- The other big change is to allow variable length session keys.  We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter.  However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.

 * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *

- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe.  This
should help reduce some of the 'it just doesn't work' issues.

- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer.  (just allocate)


REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0d)
2003-11-22 13:19:38 +00:00
Andrew Tridgell
e1c468477c a small include file rearrangement that doesn't affect normal
compilation, but that allows Samba3 to take advantage of pre-compiled
headers in gcc if available.
(This used to be commit b3e024ce1d)
2003-11-12 01:51:10 +00:00