1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Commit Graph

92 Commits

Author SHA1 Message Date
Andrew Bartlett
eba8799514 auth: Remove .get_challenge (only used for security=server)
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge,
so if we ever did use a module that needed this functionlity, we would
downgrade to just NTLM.

Now that security=server has been removed, we have no such module.

This will make it easier to make the auth subsystem async, as we will
not need to consider making .get_challenge async.

Andrew Bartlett
2012-07-03 08:13:01 +10:00
Andrew Bartlett
a647df4607 auth: Make check_password and generate_session_info hook generic
gensec_ntlmssp does not need to know the internal form of the
struct user_info_dc or auth_serversupplied_info.  This will allow the
calling logic to be put in common.

Andrew Bartlett
2012-01-30 08:05:14 +01:00
Andrew Bartlett
f5a117172e gensec: move gensec_util.c to the top level
To do this some defines need to move to common_auth.h

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:02:41 +01:00
Andrew Bartlett
14c8a13d3e auth: make auth4_context common to provide access to generate_session_info_pac()
By providing this context, a function pointer for
generate_session_info_pac() can be inserted into gensec, allowing the
s3 PAC processing in an otherwise more generic gensec module.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 08:59:34 +01:00
Andrew Bartlett
06bbb8a6fb s4-auth: Rename memory contexts for greater clarity
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.

Thankyou Simo for the suggestion.

Andrew Bartlett
2011-12-29 22:30:07 +11:00
Andrew Bartlett
149f8f16be s4-gensec: Move parsing of the PAC blob and creating the session_info into auth
This uses a single callback to handle the PAC from the DATA_BLOB
format until it becomes a struct auth_session_info.

This allows a seperation between the GSS acceptor code and the PAC
interpretation code based on the supplied auth context.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
2011-12-29 01:10:58 +01:00
Andrew Bartlett
5815a1b777 s4-auth Remove unused auth_context_create_from_ldb() 2011-12-28 22:39:20 +11:00
Andrew Bartlett
f5963aad18 s4-auth Move conversion of security_token to unix_token to auth
This allows us to honour the AUTH_SESSION_INFO_UNIX_TOKEN flag.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-29 04:24:07 +02:00
Andrew Bartlett
e84b8a72bd gensec: Add a way to request a unix token from GENSEC
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-29 04:24:07 +02:00
Andrew Bartlett
ea0ac9cdfc s4-auth Rename auth -> auth4 to avoid conflict with s3 auth 2011-05-08 10:56:26 +02:00
Andrew Tridgell
5c3e985fb5 s4-auth: remove unused prototype 2011-05-08 10:56:26 +02:00
Andrew Bartlett
cdd802af83 s4-messaging Rename messaging -> imessaging
This avoid symbol and structure conflicts between Samba3 and Samba4,
and chooses a less generic name.

Andrew Bartlett
2011-05-03 07:37:07 +02:00
Simo Sorce
a57c2b02f1 Fix public header not to include private (not installed) ones.
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Mon Mar 14 17:01:20 CET 2011 on sn-devel-104
2011-03-14 17:01:20 +01:00
Günther Deschner
dc35442fb1 s4-nterr: move auth_nt_status_squash to nt_status_squash and move to nterr.c
Guenther
2011-03-04 01:18:42 +01:00
Andrew Bartlett
e3821f2c40 s4-auth Move libcli/security/session.c to the top level
This code is now useful in common, as the elements of the
auth_session_info structure have now been defined in common IDL.

Andrew Bartlett
2011-02-22 16:20:11 +11:00
Andrew Tridgell
ed71c1ef1f s4-auth: rename 'auth' subsystem to 'auth4'
this prevents conflicts with the s3 auth modules. The auth modules in
samba3 may appear in production smb.conf files, so it is preferable to
rename the s4 modules for minimal disruption.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-18 15:09:46 +11:00
Andrew Bartlett
a2ce53c1f5 s4-auth Rework auth subsystem to remove struct auth_serversupplied_info
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc.  This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.

The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.

Andrew Barltett
2011-02-09 01:11:06 +01:00
Andrew Bartlett
f1c0e9532d s4-auth Add auth.idl to encode auth subsystem structures in IDL
This is not only a useful way to encode stuff, it also allows python
to handle the structures, and natrually allows them to be NDR encoded.

Andrew Bartlett
2011-02-09 01:11:06 +01:00
Andrew Bartlett
fbe6d155bf s4-auth Remove special case for account_sid from auth_serversupplied_info
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **.  This is in keeping with
the other sid lists in the security_token etc.

In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.

Andrew Bartlett
2011-01-20 23:44:05 +01:00
Andrew Bartlett
24a4b9a738 s4-auth Extend python bindings to allow ldb and message to be specified
This will allow for some more tokenGroups tests in future.

Andrew Bartlett
2011-01-18 10:55:05 +01:00
Andrew Bartlett
6f7423c7f1 s4-auth Remove duplicate copies of session_info creation code
We now just do or do not call into LDB based on some flags.

This means there may be some more link time dependencies, but we seem
to deal with those better now.

Andrew Bartlett
2010-12-21 15:10:38 +11:00
Anatoliy Atanasov
211f6d5f55 s4/auth: Add logon_parameters to authenticate_username_pw
We need to be able to set the logon parameters in the same way as in the
ntlm server so we can handle openldap simple authentication call correctly.

Autobuild-User: Anatoliy Atanasov <anatoliy@samba.org>
Autobuild-Date: Fri Nov  5 06:32:43 UTC 2010 on sn-devel-104
2010-11-05 06:32:43 +00:00
Andrew Tridgell
7dbfeb0dc0 s4-auth: fixed the SID list for DCs in the PAC
the S-1-5-9 SID is added in the PAC by the KDC, not on the server that
receives the PAC

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
2010-09-26 07:09:08 +00:00
Andrew Bartlett
272e49e85c s4:auth Move struct auth_usersupplied_info to a common location
This also changes the calling convention slightly - we should always
allocate this with talloc_zero() to allow some elements to be
optional.  Some elements may only make sense in Samba3, which I hope
will use this common structure.

Andrew Bartlett
2010-08-14 11:58:13 +10:00
Andrew Bartlett
9c6b637ce8 s4:auth Change auth_generate_session_info to take flags
This allows us to control what groups should be added in what use
cases, and in particular to more carefully control the introduction of
the 'authenticated' group.

In particular, in the 'service_named_pipe' protocol, we do not have
control over the addition of the authenticated users group, so we key
of 'is this user the anonymous SID'.

This also takes more care to allocate the right length ptoken->sids

Andrew Bartlett
2010-05-20 17:39:10 +10:00
Andrew Bartlett
feb9ffdac8 s4:auth Add dependency from the operational module onto auth
We had to split up the auth module into a module loaded by main deamon
and a subsystem we manually init in the operational module.

Andrew Bartlett
2010-05-20 17:39:10 +10:00
Andrew Bartlett
72ccbcacdd s4:auth Allow the operational module to get a user's tokenGroups from auth
This creates a new interface to the auth subsystem, to allow an
auth_context to be created from the ldb, and then tokenGroups to be
calculated in the same way that the auth subsystem would.

Andrew Bartlett
2010-05-20 17:39:10 +10:00
Andrew Bartlett
5f9024c8a4 s4:auth Move BUILTIN group addition into session.c
The group list in the PAC does not include 'enterprise DCs' and
BUILTIN groups, so we should generate it on each server, not in the
list we pass around in the PAC or SamLogon reply.

Andrew Bartlett
2010-05-20 17:39:09 +10:00
Andrew Bartlett
589a42e2da s4:auth Change auth_generate_session_info to take an auth context
The auth context was in the past only for NTLM authentication, but we
need a SAM, an event context and and loadparm context for calculating
the local groups too, so re-use that infrustructure we already have in
place.

However, to avoid problems where we may not have an auth_context (in
torture tests, for example), allow a simpler 'session_info' to be
generated, by passing this via an indirection in gensec and an
generate_session_info() function pointer in the struct auth_context.

In the smb_server (for old-style session setups) we need to change the
async context to a new 'struct sesssetup_context'.  This allows us to
use the auth_context in processing the authentication reply .

Andrew Bartlett
2010-04-14 10:30:51 +10:00
Matthias Dieter Wallnöfer
1f371cdbe5 s4:sam.c - make "authsam_expand_nested_groups" public
This is needed by the "tokenGroups" work in the operational LDB module.
2010-03-04 18:16:22 +01:00
Brad Hards
4b024683ac Spelling fixes for source4/auth.
The comment for USER_INFO_INTERACTIVE_LOGON looks like a cut-n-paste from the line above.

Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
2010-02-22 21:45:37 +01:00
Simo Sorce
3d184399a5 Strip trailing spaces 2010-01-12 13:50:24 -05:00
Stefan Metzmacher
8b68349442 s4:auth: add auth_get_server_info_principal() prototype to auth.h
metze
2009-12-29 12:13:30 +01:00
Stefan Metzmacher
27349a68ea s4:auth: make auth_challenge_may_be_modified() public
metze
2009-12-29 12:13:29 +01:00
Stefan Metzmacher
078482ad0e s4:auth: change auth_check_password_send/recv to tevent_req
metze
2009-12-24 17:38:34 +01:00
Andrew Bartlett
0809696dbf s4:auth Change 'get_challenge' API to be more like Samba3
It is just easier to fill in the known to be 8 byte challenge than
stuff about with allocated pointers.

Andrew Bartlett
2009-12-22 17:29:15 +11:00
Andreas Schneider
1e5488859a s4-gensec: Replace gensec_get_peer_addr with new tsocket based fn. 2009-12-16 20:28:38 +01:00
Andrew Tridgell
98e4393df9 s4-dsdb: create a static system_session context
This patch adds a system_session cache, preventing us from having to
recreate it on every ldb open, and allowing us to detect when the same
session is being used in ldb_wrap
2009-10-23 14:52:17 +11:00
Andrew Bartlett
19bc4ce95c s4:kdc Rework KDC to pull in less attributes for krbtgt lookups
Each attribute we request from LDB comes with a small cost, so don't
lookup any more than we must for the (very) frequent krbtgt lookup
case.  Similarly, we don't need to build a PAC for a server (as a
target), so don't ask for the PAC attributes here either.

Andrew Bartlett
2009-07-17 08:26:49 +10:00
Andrew Bartlett
19413c5249 s4:kdc Allow a password change when the password is expired
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue.  (In particular, in
case our requirements become more complex in future).

The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw

Also (in hdb-samba4) be a bit more careful on what entries we will
make the 'change_pw' service mark that this depends on.

Andrew Bartlett
2009-06-18 13:49:30 +10:00
Andrew Bartlett
6ef65389fd Don't use crossRef records to find our own domain
A single AD server can only host a single domain, so don't stuff about
with looking up our crossRef record in the cn=Partitions container.
We instead trust that lp_realm() and lp_workgroup() works correctly.

Andrew Bartlett
2009-05-26 12:37:09 +10:00
Andrew Bartlett
cd6026135d Push sam_get_server_info_principal into the auth subsystem
This means it must be accessed via the supplied auth_context in the
GENSEC server, and should remove the hard depenceny of GENSEC on the
auth subsystem and ldb (allowing LDB not to rely on LDB is considered
a good thing, apparently)

Andrew Bartlett
2009-02-13 14:02:49 +11:00
Andrew Bartlett
71632a1697 Remove auth/ntlm as a dependency of GENSEC by means of function pointers.
When starting GENSEC on the server, the auth subsystem context must be
passed in, which now includes function pointers to the key elements.

This should (when the other dependencies are fixed up) allow GENSEC to
exist as a client or server library without bundling in too much of
our server code.

Andrew Bartlett
2009-02-13 10:24:16 +11:00
Stefan Metzmacher
183c379fe5 s4:lib/tevent: rename structs
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"

for s in $list; do
	o=`echo $s | cut -d ':' -f1`
	n=`echo $s | cut -d ':' -f2`
	r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
	files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
	for f in $files; do
		cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
		mv $f.tmp $f
	done
done

metze
2008-12-29 20:46:40 +01:00
Stefan Metzmacher
180245fce0 s4:kdc: allow a trusted domain to get kerberos tickets
metze
2008-12-04 15:45:16 +01:00
Andrew Bartlett
c79dff2e9b Heimdal provides Kerberos PAC parsing routines. Use them.
This uses Heimdal's PAC parsing code in the:
 - LOCAL-PAC test
 - gensec_gssapi server
 - KDC (where is was already used, the support code refactored from here)

In addition, the service and KDC checksums are recorded in the struct
auth_serversupplied_info, allowing them to be extracted for validation
across NETLOGON.

Andrew Bartlett
(This used to be commit 418b440a7b)
2008-08-28 16:28:47 +10:00
Jelmer Vernooij
afe3e8172d Install public header files again and include required prototypes.
(This used to be commit 47ffbbf674)
2008-04-02 04:53:27 +02:00
Jelmer Vernooij
51db4c3f3d r26228: Store loadparm context in auth context, move more loadparm_contexts up the call stack.
(This used to be commit ba75f1613a)
2007-12-21 05:47:05 +01:00
Jelmer Vernooij
181aab56d5 r26221: Add loadparm_context parameter to auth_context_create.
(This used to be commit a9a9634df8)
2007-12-21 05:46:58 +01:00
Jelmer Vernooij
4340fc2d9e r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step.
(This used to be commit b3fcb8e810)
2007-12-21 05:46:14 +01:00