1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-29 11:21:54 +03:00
Commit Graph

684 Commits

Author SHA1 Message Date
Jeremy Allison
5d05d22999 Added prefer_ipv4 bool parameter to resolve_name().
W2K3 DC's can have IPv6 addresses but won't serve
krb5/ldap or cldap on those addresses. Make sure when
we're asking for DC's we prefer IPv4.
If you have an IPv6-only network this prioritizing code
will be a no-op. And if you have a mixed network then you
need to prioritize IPv4 due to W2K3 DC's.
Jeremy.
2009-07-28 11:51:58 -07:00
Jeremy Allison
9f0bdd4e17 Remove an unused talloc context.
Jeremy.
2009-07-16 18:12:17 -07:00
Jeremy Allison
74c405db40 Tidyup prompted by #6554 - Wrong deallocation in sam_account_ok.
Jeremy.
2009-07-16 09:54:14 -07:00
Stefan Metzmacher
75d03970b7 s3:smbd: move more session specific globals to struct smbd_server_connection
metze
2009-06-03 17:54:37 +02:00
Stefan Metzmacher
e16e7146b3 s3:smbd: move negprot related globals to struct smbd_server_connection
metze
2009-06-03 17:54:37 +02:00
Steven Danneman
fbca269239 s3/auth map NULL domains to our global sam name
This is an addendum to d8c54fdd, which made make_user_info_map() match
Windows behavior by mapping untrusted domains given to smbd on the wire
with the users credentials to smbd's global sam name.

This fix was being circumvented in the case where the client passed
a NULL domain.  Vista clients do this.  In that case smbd was always
remapping the name to the machine workgroup.  The NULL domain case
should also be mapped to the global sam name.

Removing the code in this patch, causes us to fall down to the logic
added in d8c54fdd and properly map the domain.
2009-05-28 13:21:15 -07:00
Dan Sledz
c71d4530b4 s3 auth: Make debug message louder and more useful 2009-05-12 17:13:40 -07:00
Jeremy Allison
b4c9cfb2af Fix a bunch of compiler warnings about wrong format types.
Should make Solaris 10 builds look cleaner.
Jeremy.
2009-05-11 21:56:57 -07:00
Günther Deschner
2d5e0eadb8 s3-auth: use full 16byte session key in make_user_info_netlogon_interactive().
Patch from Jeremy.

With this patch, I was able to join Windows 7 RC to a Samba3 DC, and login into a
Samba 3 Domain.

There are still two registry settings required:

        HKLM\System\CCS\Services\LanmanWorkstation\Parameters
	            DWORD  DomainCompatibilityMode = 1
		    DWORD  DNSNameResolutionRequired = 0

Do *not* modify the other netlogon registry parameters that were passed around,
they weaken security.

Guenther
(cherry picked from commit b5097d54cb)
2009-05-07 19:25:46 +02:00
Jeremy Allison
d47669684d Fix bug #6291 - force user stop working.
A previous fix broke the invariant that *uid is always
initialized on return from create_token_from_username().
Restore it.
Jeremy.
2009-04-28 11:07:51 -07:00
Andrew Bartlett
8ee7b4ce29 s3:auth Fix segfault: Always initialise returned session keys 2009-04-19 21:50:13 +02:00
Andrew Bartlett
baf7274fed Make Samba3 use the new common libcli/auth code
This is particuarly in the netlogon client (but not server at this
stage)
2009-04-14 16:23:44 +10:00
Andrew Bartlett
f28f113d8e Rework Samba3 to use new libcli/auth code (partial)
This commit is mostly to cope with the removal of SamOemHash (replaced
by arcfour_crypt()) and other collisions (such as changed function
arguments compared to Samba3).

We still provide creds_hash3 until Samba3 uses the credentials code in
netlogon server

Andrew Bartlett
2009-04-14 16:23:35 +10:00
Günther Deschner
01a942d8ab s3-auth: rename static smb_create_user(). Sorry...
Guenther
2009-04-01 21:44:14 +02:00
Steven Danneman
61bedb4263 s3: fix guest auth when winbindd is running
This fix is very subtle.  If a server is configured with "security = share"
and "guest ok = yes" and winbindd is running authorization will fail during
tree connect.

This is due to our inability to map the guest sid S-1-5-21-X-501 to a uid
through sid_to_uid().  Winbindd is unaware of the hard coded mapping
between this sid and whatever uid the name in lp_guestaccount() is assigned.
So sid_to_uid() fails and we exit create_token_from_username() without
ever calling pdb_getsampwsid() which IS aware of the hard coded mapping.

This patch just reorganizes the code, moving sid_to_uid() down to the
block of code in which it is needed, avoiding this early failure.
2009-02-26 19:47:43 -08:00
Tim Prouty
662f996b15 s3: Fix 'assignment differ in signedness' warning 2009-02-25 00:14:23 -08:00
Dan Sledz
aeab22b55c s3: Rename auth_onefs_wb and pdb_onefs_sam
auth_onefs_wb.c -> auth_wbc.c
pdb_onefs_sam.c -> pdb_wbc_sam.c

No changes to functionality
2009-02-24 16:08:06 -08:00
Tim Prouty
1ff9696306 Revert "s3 auth: Add parameter that forces every user through an NSS lookup"
After the discussion on samba-technical, it was decided that the best
answer for now was to revert this change.  The right way to do this is
to rewrite the token api to use opaque tokens with pluggable modules.

This reverts commit 8e19a28805.
2009-02-21 14:00:14 -08:00
Volker Lendecke
4a2e2c0c12 Fix the build on Solaris 2009-02-21 18:55:35 +01:00
Volker Lendecke
a3127ea9d7 Fix some nonempty blank lines 2009-02-21 14:04:16 +01:00
Volker Lendecke
4aed9abbf8 Remove the static "chal" from ntlmssp.c:get_challenge() 2009-02-21 14:04:14 +01:00
Dan Sledz
c383022f89 Introduce a new authentication backend auth_onefs_wb
This new backend is custom tailored to onefs' unique requirements:
1) No fallback logic
2) Does not validate the domain of the user
3) Handles unencrypted passwords
2009-02-20 19:39:07 -08:00
Zach Loafman
8e19a28805 s3 auth: Add parameter that forces every user through an NSS lookup
When set to yes, "force username map" forces every user, even AD
users, through an NSS lookup. This allows the token to be overridden
with information from NSS in certain broken environments.
2009-02-16 00:29:21 -08:00
Stefan Metzmacher
e7f7ed8bf6 s3:auth: only create_local_token() should add S-1-22-X-Y sids
metze
2009-02-13 10:40:37 +01:00
Stefan Metzmacher
f14e4d4e54 s3:auth: add S-1-22-X-Y sids to the local token
metze
2009-02-13 10:40:37 +01:00
Steven Danneman
5cd4b7b7c0 s3: Added new parameter "map untrusted to domain"
When enabled this reverts smbd to the legacy domain remapping behavior when
a user provides an untrusted domain

This partially reverts d8c54fdd
2009-02-12 13:55:44 -08:00
Dan Sledz
d8c54fddda s3: Change behavior when seeing an unknown domain.
After a lot of testing against various Windows servers (W2K, W2K3, W2K8),
within an AD domain it seems that unknown domains will only be translated
to the local account domain, not the netbios name of the member server's
domain.  This makes samba act more like Windows.
2009-02-11 19:39:18 -08:00
Dan Sledz
4e69f23857 Fix double free caused by incorrect talloc_steal usage. 2009-02-11 19:39:14 -08:00
todd stecher
9d4d2f70cb S3: Fixes for coverity issues. 2009-02-10 14:43:14 -08:00
Volker Lendecke
1cbc58d3be Fix some nonempty blank lines 2009-02-10 21:55:13 +01:00
Volker Lendecke
9b3cce096c Fix a valgrind error: rpc_bind talloc_move()s the auth struct 2009-02-04 18:11:46 +01:00
Volker Lendecke
8eb562a81d Ensure null termination of the password in mymachinepw, remove a debug 2009-02-04 18:11:46 +01:00
todd stecher
989ad44d32 Memory leaks and other fixes found by Coverity 2009-01-21 17:13:03 -08:00
Volker Lendecke
2bb1266796 Fix a typo 2009-01-21 11:21:00 +01:00
Volker Lendecke
d7d251f8c7 Fix some nonempty blank lines 2009-01-20 23:10:16 +01:00
Volker Lendecke
bb8ca0fdbf Make cli_negprot return NTSTATUS instead of bool 2008-12-19 10:28:30 +01:00
Jeremy Allison
15e1fd7c54 Fix bug #1254 - write list not working under share-level security
A somewhat more elegant fix than I could use for 3.2.x or 3.0.x.
Turns out the only part of check_user_ok() that needs to change
for share level security is the VUID cache pieces, so I can just
always use check_user_ok() for all lp_security() cases.
Jeremy
2008-12-04 11:20:57 -08:00
Volker Lendecke
3c98d5bd98 Make memcache_add_talloc NULL out the source pointer
This is an orthogonality measure to make clear this pointer now belongs to the
cache.
(cherry picked from commit e6080c6e87d6fe3995b121a772bf3f6343fa666f)
2008-11-14 20:27:46 +01:00
Jeremy Allison
8962be69c7 Make us clean under valgrind --leak-check=full by using talloc_autofree_context() instead of NULL.
Remove the code in memcache that does a TALLOC_FREE on stored pointers. That's a disaster waiting
to happen. If you're storing talloc'ed pointers, you can't know their lifecycle and they should
be deleted when their parent context is deleted, so freeing them at some arbitrary point later
will be a double-free.
Jeremy.
2008-11-06 20:48:13 -08:00
Jeremy Allison
8b4b5c3a92 Add wrapper str_list_make_v3() to replace the old S3 behavior of
str_list_make(). From Dan Sledz <dan.sledz@isilon.com>:
In samba 3.2 passing NULL or an empty string returned NULL.
In master, it now returns a list of length 1 with the first string set
to NULL (an empty list).
Jeremy.
2008-11-06 18:53:00 -08:00
Jelmer Vernooij
d6a5476ee7 Use sockaddr_storage only where we rely on the size, use sockaddr
otherwise (to clarify we can also pass in structs smaller than
sockaddr_storage, such as sockaddr_in).
2008-10-23 19:53:15 +02:00
Jelmer Vernooij
aa982895e5 Add data_blob_string_const_null() function that includes the terminating
null byte and use it in Samba 3.

This matches the behaviour prior to my data_blob changes.
2008-10-13 05:20:26 +02:00
Jelmer Vernooij
218f482fbf Use common strlist implementation in Samba 3 and Samba 4. 2008-10-12 00:56:56 +02:00
Jelmer Vernooij
cb78d4593b Cope with changed signature of http_timestring(). 2008-10-11 23:57:44 +02:00
Volker Lendecke
439086099a Add netlogond auth method
This authenticates against a local running samba4 using SamLogonEx. We retrieve
the machine password using samba4's mymachinepwd script and store the schannel
key for re-use in secrets.tdb.
2008-10-06 09:54:17 +02:00
Jeremy Allison
f6c883b4b0 Simply our main loop processing. A lot :-). Correctly use events for all the previous "special" cases.
A step on the way to adding signals to the events and being able to merge the S3 event system with
the S4 one.
Jeremy.
2008-10-03 14:18:35 -07:00
Simo Sorce
3fa16da8c7 Revert "Split lookup_name() and create a new functiong called"
This reverts commit 8594edf666.
(This used to be commit ad462e2e2d)
2008-09-03 14:36:43 -04:00
Simo Sorce
a1de4e988d Merge branch 'v3-devel' of ssh://git.samba.org/data/git/samba into v3-devel
(This used to be commit e038f1cf9f)
2008-08-26 18:56:49 -04:00
Günther Deschner
ab5076d9fd auth: Fix build warning.
Guenther
(This used to be commit 4661ef625a)
2008-08-25 11:36:56 +02:00
Simo Sorce
5e7655fa27 Split lookup_name() and create a new functiong called
lookup_domain_name(). This new function accept separated
strings for domain and name.
(This used to be commit 8594edf666)
2008-08-17 19:54:41 -04:00