1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

59 Commits

Author SHA1 Message Date
Richard Sharpe
0f9f5bab27 Convert all uses of uint32/16/8 to _t in source3/auth.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-13 19:11:24 +02:00
Jeremy Allison
60895e62fe s3: auth: Plumb in the SamInfo3_handle_sids() utility function into passwd_to_SamInfo3().
Core fix for:

https://bugzilla.samba.org/show_bug.cgi?id=11044

Based on code from Michael Zeis <mzeis.quantum@gmail.com>

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-01-14 06:24:06 +01:00
Stefan Metzmacher
3dcc321daf s3:auth: add some const to user_in_list()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-14 23:27:05 +01:00
Stefan Metzmacher
c6d3571650 s3:auth: add missing auth_samba4_init() prototype
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-14 23:27:05 +01:00
Jeremy Allison
db775c68cc s3: auth: Add create_info3_from_pac_logon_info() to create a new info3 and merge resource group SIDs into it.
Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
2014-06-18 01:03:13 +02:00
Jeremy Allison
527f7b5438 s3: auth: Change make_server_info_info3() to take a const struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
make_server_info_info3() only reads from the info3 pointer.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
2014-06-18 01:03:13 +02:00
Jeremy Allison
c2411767ad s3: auth: Add some const to the struct netr_SamInfo3 * arguments of copy_netr_SamInfo3() and make_server_info_info3()
Both functions only read from the struct netr_SamInfo3 * argument.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
2014-06-18 01:03:13 +02:00
Andrew Bartlett
b7b5a1f5bd auth: Move wbcAuthUserInfo_to_netr_SamInfo3 to the top level
This allows auth_winbind in source4 to use this more correct conversion routine.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-04-18 20:08:09 +02:00
Andrew Bartlett
4d50c75159 s3-auth: Finally change make_user_info_*() use a parent talloc context
Change-Id: Iedf516e8c24e0d18064aeedd8e287ed692d3c5b4
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2014-04-02 11:05:46 +02:00
Andreas Schneider
79e2725f33 s3-auth: Pass mem_ctx to do_map_to_guest_server_info().
Change-Id: If53117023e3ab37c810193edd00a81d247fdde7a
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 19 01:28:14 CET 2014 on sn-devel-104
2014-02-19 01:28:14 +01:00
Andreas Schneider
4d792db03f s3-auth: Pass mem_ctx to auth_check_ntlm_password().
Coverity-Id: 1168009
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598

Signed-off-by: Andreas Schneider <asn@samba.org>

Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-02-19 11:29:29 +13:00
Andreas Schneider
3dc7226600 s3-auth: Pass mem_ctx to make_server_info_sam().
Coverity-Id: 1168009
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598

Signed-off-by: Andreas Schneider <asn@samba.org>

Change-Id: Ie614b0654c3a7eec1ebb10dbb9763696eec795bd
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-02-19 11:29:29 +13:00
Andreas Schneider
1b59c9743c s3-auth: Pass talloc context to make_server_info_pw().
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-02-05 11:41:25 +13:00
Andreas Schneider
1bb11c7744 s3-auth: Add passwd_to_SamInfo3().
First this function tries to contacts winbind if the user is a domain
user to get valid information about it. If winbind isn't running it will
try to create everything from the passwd struct. This is not always
reliable but works in most cases. It improves the current situation
which doesn't talk to winbind at all.

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-02-05 11:41:25 +13:00
Günther Deschner
f2d9589b17 s3-auth: remove crypto from serverinfo_to_SamInfoX calls.
All crypto is dealt with within the netlogon samlogon server now.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-09 19:39:08 +01:00
Günther Deschner
645289216e s3-rpc_server: support AES for interactive netlogon samlogon password decryption.
Still need to fix AES support for the returned validation info.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-09 19:39:08 +01:00
Gregor Beck
c9a2111b00 s3:auth: use const in smb_pam_xxx_session()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2012-10-19 12:14:58 +02:00
Michael Adam
7aa0d7c55f s3:auth: remove duplicate propotypes for smb_pam_claim_session and smb_pam_close_session
Signed-off-by: Michael Adam <obnox@samba.org>
2012-10-19 12:14:58 +02:00
Andrew Bartlett
1c3c5e2156 s3-smbd: Create a shortcut for building the token of a user by SID for posix_acls
When a user owns a file, but does not have specific permissions on that file, we need to
make up the user permissions.  This change ensures that the first thing that we do
is to look up the SID, and confirm it is a user.  Then, we avoid the getpwnam()
and directly create the token via the SID.

Andrew Bartlett

Signed-off-by: Jeremy Allison <jra@samba.org>
2012-08-10 14:38:47 -07:00
Andrew Bartlett
4edd8b891a s3-auth: Remove auth_netlogond
auth_netlogond was an important module in the development of the
combined Samba 4.0, and was the first module to link smbd with the AD
authentication store, showing that it was possible for NTLM
authentication to be offloaded to the AD server components.

We now have auth_samba4, which provides the full GENSEC stack to smbd,
which also matches exactly the group membership and privileges
assignment and which is supported and tested as part of the official
Samba 4.0 release configuration.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jun 16 10:13:20 CEST 2012 on sn-devel-104
2012-06-16 10:13:20 +02:00
Andreas Schneider
78af4738e7 s3-auth: Rename to init_system_session_info().
Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Tue May 15 13:56:00 CEST 2012 on sn-devel-104
2012-05-15 13:56:00 +02:00
Stefan Metzmacher
413e1be773 s3:auth: remove unused auth_server.c
metze
2012-05-15 08:18:29 +02:00
Volker Lendecke
aff3769d9f s3: remove some unused code 2012-05-04 15:02:41 +02:00
Alexander Bokovoy
7d4ed89983 s3-rpc: Decrypt with the proper session key in CreateTrustedDomainEx2.
On LSA and SAMR pipes session_key is truncated to 16 byte when doing encryption/decryption.
However, this was not done for trusted domain-related modifying operations.

As result, Samba 4 client libraries do not work against Samba 3 while working
against Windows 2008 r2.

Solved this by introducing "session_extract_session_key()" function that allows to specify
intent of use of the key.

Signed-off-by: Andreas Schneider <asn@samba.org>

Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Tue Mar 13 12:23:44 CET 2012 on sn-devel-104
2012-03-13 12:23:44 +01:00
Andrew Bartlett
77602d877e s3-auth: Remove single-implementation plugin layer
The ->get_ntlm_challenge and ->check_ntlm_password elements of struct auth_context
were only ever initialised to a single value.  Make it easier to follow by
just calling the function directly.

Andrew Bartlett
2012-03-08 10:14:05 +01:00
Andrew Bartlett
d7bb961859 s3-auth: Remove security=share (depricated since 3.6).
This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.

The rationale for the removal is that for the bulk of security=share
users, we just we need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok.  This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server

At the same time, this closes the door on one of the most arcane areas
of Samba authentication.

Naturally, full user-name/password authentication remain available in
security=user and above.

This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.

Andrew Bartlett

                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SHARE       |
                  |    security=share    |
                  |                      |
                  |                      |
                  |       5 March        |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______
2012-03-04 23:33:05 +01:00
Andrew Bartlett
4478f315e6 s3-auth: Provide helper routine to check password and return session_info 2012-02-24 11:23:18 +11:00
Andrew Bartlett
8a9b6fe26d s3-auth: Add a way to get an auth4_context from the auth stack
This will allow us to use the same layer that auth_ntlmssp does
in the non-SPNEGO session setup, which will in turn make the
authentication code more consistent in the AD server case.

Andrew Bartlett
2012-02-24 11:23:18 +11:00
Andrew Bartlett
e786e8fef9 auth: Reorder arguments to generate_session_info
This matches check_ntlm_password() and generate_session_info_pac()

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
2012-02-18 02:19:35 +01:00
Andrew Bartlett
8adde1b46b s3-auth Hook checking passwords and generating session_info via the auth4_context
This avoids creating a second auth_context, as it is a private pointer
in the auth4_context that has already been passed in, and makes the
gensec_ntlmssp code agnostic to the type of authentication backend
behind it. This will in turn allow the ntlmssp server code to be
further merged.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
89cd086561 s3-auth Add const to make_user_info_map 2012-02-08 16:30:14 +11:00
Andrew Bartlett
3042e38d51 s3-auth use gensec directly rather than via auth_generic_state
This is possible because the s3 gensec modules are started as
normal gensec modules, so we do not need a wrapper any more.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
1075efabc7 s3-auth Add TALLOC_CTX * to auth_generic_prepare()
This makes the long term owner of this memory more clear.  So far only the
clear cases have been moved from NULL however.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
d76abd1c45 s3-auth: Remove protype for already-removed auth_ntlmssp_start 2011-12-28 22:39:19 +11:00
Andrew Bartlett
1100f6eca5 s3-auth rename auth_ntlmssp_prepare() -> auth_generic_prepare()
This function handles more than NTLMSSP now, at least when we are an AD DC
and so changing the name may avoid some confusion in the future.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Andrew Bartlett
6391fff9da s3-auth rename auth_ntlmssp_state -> auth_generic_state
This structure handles more than NTLMSSP now, at least when we are an AD DC
and so changing the name may avoid some confusion in the future.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Andrew Bartlett
915fe7981b s3-auth remove auth_ntlmssp_session_info()
Instead, call gensec_session_info() directly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:02 +02:00
Günther Deschner
234f06eae1 s3-auth: remove dead prototype.
Guenther
2011-10-17 15:56:08 +02:00
Andrew Bartlett
7b1d6a6a05 selftest: test plugin_s4_dc against all ncacn_np tests
Changes to the s3 epmapper behaviour seem to have fixed the rest of these
tests.

Andrew Bartlett
2011-08-03 18:48:05 +10:00
Andrew Bartlett
8fca9741fe s3-auth rename auth_ntlmssp_steal_session_info()
There is no longer any theft of memory as the underlying routines now
produce a new auth_session_info for this caller, allocating it
on the supplied memory context.

Andrew Bartlett
2011-08-03 18:48:05 +10:00
Andrew Bartlett
9f663270fd s3-auth Add function to start any GENSEC mech by OID
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
9a45bf3952 s3-auth set session_info->sanitized_username in create_local_token()
Rather than passing this value around the callers, and eventually
setting it in register_existing_vuid(), we simply pass it to
create_local_token().  This also removes the need for
auth_ntlmssp_get_username().

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
8b983d2326 s3-ntlmssp Split auth_ntlmssp_start into two functions
This helps map on to the GENSEC semantics better, and ensures that the
full set of desired features are set before the mechanism starts.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
8a650243b3 s3-auth Move map to guest to directly after the check_password calls
This means we no longer need two different map to guest functions
and have consistent logic with fewer layering violations.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:02 +10:00
Andrew Bartlett
15123d96ff s3-auth inline make_auth_session_info into only caller 2011-07-20 09:17:15 +10:00
Andrew Bartlett
9fcc617ff5 s3-auth Use the common auth_session_info
This patch finally has the same structure being used to describe the
authorization data of a user across the whole codebase.

This will allow of our session handling to be accomplished with common code.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:13 +10:00
Andrew Bartlett
058f5e60c5 s3-auth remove unused copy_serverinfo
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:11 +10:00
Andrew Bartlett
f16d8f4eb8 s3-auth Use struct auth3_session_info outside the auth subsystem
This seperation between the structure used inside the auth modules and
in the wider codebase allows for a gradual migration from struct
auth_serversupplied_info -> struct auth_session_info (from auth.idl)

The idea here is that we keep a clear seperation between the structure
before and after the local groups, local user lookup and the session
key modifications have been processed, as the lack of this seperation
has caused issues in the past.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:10 +10:00
Andrew Bartlett
d7d8a5ed94 s3-auth Add struct auth3_session_info to aid transition to auth_session info
This will allow a gradual conversion of the required elements from the
current struct auth_serversupplied_info.

This commit adds the structure definition and some helper functions to
copy between the two structures.

At this stage these structures and functions are IDENTICAL to the
existing code, and so show the past history of that code.  The plan is
to slowly modify them over the course of the patch series, so that the
changes being made a clear.

By using a seperate structure to auth_serversupplied_info we can
remove elements that are not needed after the authentication, and we
can choose a layout that best reflects the needs of runtime users,
rather than the internals of the authentication subsystem.

By eventually using the auth_session_info from auth.idl, we will gain
a single session authorization structure across the whole codebase,
allowing more code to be shared, and a much more transparent process
for forwarding authorization credentials over the named pipe proxy.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:10 +10:00
Andrew Bartlett
e244319599 s3-auth Add const to indicate input elements
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:10 +10:00