1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

83 Commits

Author SHA1 Message Date
Andrew Bartlett
d17425ed52 r69: Global rename of 'nt_session_key' -> 'user_session_key'. The session key could
be anything, and may not be based on anything 'NT'.  This is also what microsoft
calls it.
(This used to be commit 724e8d3f33)
2007-10-10 10:51:06 -05:00
Volker Lendecke
56e7c149ba This restructures lib/afs.c so that the token data can be but into a
stream. This is to implement wbinfo -k that asks winbind for authentication
which then creates the AFS token for the authenticated user.

Volker
(This used to be commit 2df6750a07)
2004-04-01 12:31:50 +00:00
Andrew Bartlett
784b05c489 This adds client-side support for the unicode/SAMR password change scheme.
As well as avoiding DOS charset issues, this scheme returns useful error
codes, that we can map back via the pam interface.

This patch also cleans up the interfaces used for password buffers, to
avoid duplication of code.

Andrew Bartlett
(This used to be commit 2a2b1f0c87)
2004-01-26 08:45:02 +00:00
Andrew Bartlett
ade34c9ade Remove duplicate comment.
Andrew Bartlett
(This used to be commit b0b2010461)
2004-01-14 01:17:21 +00:00
Andrew Bartlett
c88d6d87ef Grumble... grumble... fix the build...
(This used to be commit 687aececa6)
2004-01-05 05:07:59 +00:00
Andrew Bartlett
a7f8c26d24 Change our Domain controller lookup routines to more carefully seperate
DNS names (realms) from NetBIOS domain names.

Until now, we would experience delays as we broadcast lookups for DNS names
onto the local network segments.

Now if DNS comes back negative, we fall straight back to looking up the
short name.

Andrew Bartlett
(This used to be commit 32397c8b01)
2004-01-05 04:10:28 +00:00
Andrew Bartlett
5d55674b52 Changes to our PAM code to cope with the fact that we can't handle some
domains (in particular, the domain of the current machine, if it is not a PDC)

By changing the error codes, we now return values that PAM can correctly
use for better stacking of PAM modules - in particular of the password change
module.

This allows pam_winbind to co-exist with other pam modules for password changes.

Andrew Bartlett
(This used to be commit 6a8cc7f012)
2003-12-31 08:45:03 +00:00
Andrew Bartlett
bcd0e51e28 Get the DOMAIN\username around the right way (I had username\domain...)
Push the unix username into utf8 for it's trip across the socket.

Andrew Bartlett
(This used to be commit 3225f262b1)
2003-12-30 22:27:33 +00:00
Andrew Bartlett
829188b34f Try to gain a bit more consistancy in the output of usernames from ntlm_auth:
Instead of returning a name in DOMAIN\user format, we now return it in the
same way that nsswtich does - following the rules of 'winbind use default
domain', in the correct case and with the correct seperator.

This should help sites who are using Squid or the new SASL code I'm working
on, to match back to their unix usernames.

Andrew Bartlett
(This used to be commit 7a3a5a6361)
2003-12-30 13:20:39 +00:00
Andrew Bartlett
3f0d0002ae Add a comment, and a useful debug message.
(This used to be commit df14b0af31)
2003-11-25 23:24:14 +00:00
Andrew Bartlett
fcbfc7ad06 Changes all over the shop, but all towards:
- NTLM2 support in the server
 - KEY_EXCH support in the server
 - variable length session keys.

In detail:

 - NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).

 * This is known as 'NTLMv2 session security' *

(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes.  We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)

This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed.  This also needs to be turned off for
'security=server', which does not support this.

- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.

- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.

- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure.  This should help the SPNEGO implementation.

- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.

- The other big change is to allow variable length session keys.  We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter.  However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.

 * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *

- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe.  This
should help reduce some of the 'it just doesn't work' issues.

- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer.  (just allocate)


REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0d)
2003-11-22 13:19:38 +00:00
Andrew Tridgell
e1c468477c a small include file rearrangement that doesn't affect normal
compilation, but that allows Samba3 to take advantage of pre-compiled
headers in gcc if available.
(This used to be commit b3e024ce1d)
2003-11-12 01:51:10 +00:00
Gerald Carter
6d3af0eff0 fixing a bug in the retry loop for winbindd_pam_auth[_crap]()
(This used to be commit a83266a927)
2003-09-24 01:22:59 +00:00
Jeremy Allison
c699cb78ac Obviously correct typo bugfix from Lin Li <linl@xandros.com>.
Jeremy.
(This used to be commit a43ca66290)
2003-09-17 17:56:16 +00:00
Gerald Carter
154451465b fix valgrind errors; don't access cli_state pointer after it has been shutdown
(This used to be commit 02ae82fb3f)
2003-09-08 13:53:19 +00:00
Gerald Carter
5bd4af1302 fix bug 382: make sure to free and reset the cli_state pointer after flushing connections in winbindd_pam_auth[_crap]()
(This used to be commit 60c8796edd)
2003-09-06 19:49:59 +00:00
Tim Potter
dffd0f379f Fix for bug 269. Change wbinfo and ntlm_auth to convert domain, username
and workstation to utf8 before sending the winbindd request.  Also, don't
continue when the call to pull_utf8() fails but rather return a winbind
error.  (This is what was causing the crash)
(This used to be commit ca1c463360)
2003-08-12 00:46:15 +00:00
Gerald Carter
0d087e3ba2 working on transtive trusts issue:
* use DsEnumerateDomainTrusts() instead of LDAP search.
    wbinfo -m now lists all trusted downlevel domains and
    all domains in the forest.

Thnigs to do:

  o Look at Krb5 connection trusted domains
  o make sure to initial the trusted domain cache as soon
    as possible
(This used to be commit 0ab00ccaed)
2003-07-31 05:43:47 +00:00
Tim Potter
80c1f1d865 Fixup a bunch of printf-style functions and debugs to use unsigned long when
displaying pid_t, uid_t and gid_t values.  This removes a whole lot of warnings
on some of the 64-bit build farm machines as well as help us out when 64-bit
uid/gid/pid values come along.
(This used to be commit f93528ba00)
2003-07-22 04:31:20 +00:00
Rafal Szczesniak
bbd4c98b06 Typo fixes.
(This used to be commit 85df8213fc)
2003-07-20 14:50:38 +00:00
Gerald Carter
16ff7b26f6 Large set of changes to add UNIX account/group management
to winbindd.  See README.idmap-and-winbind-changes for details.
(This used to be commit 1111bc7b0c)
2003-07-09 16:44:47 +00:00
Gerald Carter
0b18acb841 and so it begins....
* remove idmap_XX_to_XX calls from smbd.  Move back to the
  the winbind_XXX and local_XXX calls used in 2.2

* all uid/gid allocation must involve winbindd now

* move flags field around in winbindd_request struct

* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
  to prevent automatic allocation for unknown SIDs

* add 'winbind trusted domains only' parameter to force a domain member
  server to use matching users names from /etc/passwd for its domain
  (needed for domain member of a Samba domain)

* rename 'idmap only' to 'enable rid algorithm' for better clarity
  (defaults to "yes")

code has been tested on

  * domain member of native mode 2k domain
  * ads domain member of native mode 2k domain
  * domain member of NT4 domain
  * domain member of Samba domain
  * Samba PDC running winbindd with trusts

Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'

This will be a long week of changes.  The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4)
2003-07-07 05:11:10 +00:00
Gerald Carter
62370b093a fix for bug #200. flush connections if the machine trsut account
changed underneath us.
(This used to be commit 6a1ad1ded1)
2003-07-03 16:23:11 +00:00
Gerald Carter
f265935101 * rename samstrict auth method to sam
* rename original sam auth method to sam_ignoredomain
* remove samstrict_dc auth method (now covered by 'sam')
* fix wbinfo -a '...' and getent passwd bugs when running
  winbindd on a samba PDC (reported by Volker)
(This used to be commit 52166faee7)
2003-06-30 17:24:59 +00:00
Gerald Carter
b8723aaa65 Here's the code to make winbindd work on a Samba DC
to handle domain trusts.  Jeremy and I talked about this
and it's going in as working code.  It keeps winbind clean
and solves the trust problem with minimal changes.

To summarize, there are 2 basic cases where the deadlock would
occur.  (1) lookuping up secondary groups for a user, and
(2) get[gr|pw]nam() calls that fall through the NSS layer because
they don't exist anywhere.

o To handle case #1, we bypass winbindd in sys_getgrouplist() unless
  the username includes the 'winbind separator'.

o Case #2 is handled by adding checks in winbindd to return failure
  if we are a DC and the domain matches our own.

This code has been tested using basic share connections, domain
logons, and with pam_winbind (both with and without 'winbind
use default domain').  The 'trustdomain' auth module should work
as well if an admin wants to manually create UNIX users for
acounts in the trusted domains.

Other misc fixes:

  * we need to fix check_ntlm_password() to be able to determine
    if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD,
    etc...).  I worked around my specific situation, but this needs to be
    fixed.  the winbindd auth module was causing delays.
  * fix named server mutex deadlock between trust domain auth module
    and winbindd looking up a uid
  * make sure SAM_ACCOUNT gets stored in the server_info struct for the
    _net_sam_logon() reply.

Configuration details:

The recommended method for supporting trusts is to use winbind.
The gets us around some of the server mutex issues as well.

  * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf
  * create domain trusts like normal
  * join winbind on the pdc to the Samba domain using 'net rpc join'
  * add normal parameters to smb.conf for winbind
  * set 'auth method = guest sam winbind'
  * start smbd, nmbd, & winbindd

Problems that remain:

  * join a Windows 2k/XP box to a Samba domain.
  * create a 2-way trust between the Samba domain
    and an NT domain
  * logon to the windows client as a user from theh trusted
    domain
  * try to browse server in the trusted domain (or other
    workstations).  an NT client seems to work ok, but 2k
    and XP either prompt for passwords or fail with errors.

apparanently this never got tested since no one has ever been
able to logon as a trusted user to a Samba domain from a Windows
client.
(This used to be commit f804b590f9)
2003-06-29 03:39:50 +00:00
Gerald Carter
93bcb9963b merge of the netsamlogon caching code from APPLIANCE_HEAD
This replaces the universal group caching code (was originally
based on that code).  Only applies to the the RPC code.

One comment: domain local groups don't show up in 'getent group'
that's easy to fix.

Code has been tested against 2k domain but doesn't change anything
with respect to NT4 domains.

netsamlogon caching works pretty much like the universal group
caching code did but has had much more testing and puts winbind
mostly back in sync between branches.
(This used to be commit aac01dc7bc)
2003-06-21 04:05:01 +00:00
Volker Lendecke
d1da999e0a This puts real netlogon connection caching to winbind. This becomes
important once we start doing schannel, as there would be a lot more
roundtrips for the second PIPE open and bind. With this patch logging
in to a member server is a matter of two (three if you count the
ack...) packets between us and the DC.

Volker
(This used to be commit 5b3cb7725a)
2003-05-08 08:02:52 +00:00
Andrew Bartlett
f071020f5e Merge from HEAD - save the type of channel used to contact the DC.
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.

This also change the SID retreval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.

Andrew Bartlett
(This used to be commit 876e00fd11)
2003-04-21 14:09:03 +00:00
Andrew Bartlett
d23b35a65f Winbind merges from HEAD:
- fix winbindd_pam bugs
 - give a better error message for unauthorized access to auth_crap
 - show this message in wbinfo
 - fix spelling: privilaged -> privileged
   ** This changes the location of the winbindd privileged pipe **
   (thanks to tpot)

Andrew Bartlett
(This used to be commit 92c2a33483)
2003-04-07 07:32:51 +00:00
Andrew Bartlett
53beee9e56 (merge from HEAD)
NTLM Authentication:

- Add a 'privileged' mode to Winbindd.  This is achieved by means of a directory
  under lockdir, that the admin can change the group access for.

- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
  replacement:
 - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
   challenge.
 - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
   servers.
 - Tested - works for Win2k clients, but not Win9X at present.  NTLMSSP updates
   are needed.
 - Now uses fgets(), not x_fgets() to cope with Squid environment (I think
   somthing to do with non-blocking stdin).

- Add much more robust connection code to wb_common.c - it will not connect to
  a server of a different protocol version, and it will automatically try and
  reconnect to the 'privileged' pipe if possible.
  - This could help with 'privileged' idmap operations etc in future.

- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()

- Correctly pull our 'session key' out of the info3 from th the DC.  This is
  used in both the auth code, and in for export over the winbind pipe to
  ntlm_auth.

- Given the user's challenge/response and access to the privileged pipe,
  allow external access to the 'session key'.  To be used for MSCHAPv2
  integration.

Andrew Bartlett
(This used to be commit ec071ca3dc)
2003-03-24 09:54:13 +00:00
Jeremy Allison
8fc1f1aead Ensure that only parse_prs.c access internal members of the prs_struct.
Needed to move to disk based i/o later.
Jeremy.
(This used to be commit a823fee5b4)
2003-02-14 22:55:46 +00:00
Gerald Carter
0e15bf6f6a winbindd merges from HEAD
(This used to be commit 8bd91a50d4)
2003-01-15 17:39:47 +00:00
Jeremy Allison
f1bebee955 Typo..
Jeremy
(This used to be commit 899d353a56)
2003-01-02 20:25:59 +00:00
Jeremy Allison
da41ac6e6b Merge Andrew Bartletts (size_t)-1 checks.
Jeremy.
(This used to be commit 339f4fe15e)
2003-01-02 19:25:28 +00:00
Jeremy Allison
ef8bd7c4f7 Forward port the change to talloc_init() to make all talloc contexts
named. Ensure we can query them.
Jeremy.
(This used to be commit 09a218a9f6)
2002-12-20 20:21:31 +00:00
Jeremy Allison
2f194322d4 Removed global_myworkgroup, global_myname, global_myscope. Added liberal
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit f755711df8)
2002-11-12 23:20:50 +00:00
Andrew Bartlett
35ac9d287f Try to catch up on the code I've put into HEAD that should be in 3.0:
- vorlan's hosts allow with DNS names patch
 - use x_fileno() in debug.c, not the struct directly.
 - check for server timeout on password change (was reporting success)
 - better error/status loggin in both the pam_winbind client and winbindd_pam
server code.
 - (pdb_ldap) don't set the ldap version twice - we do it on every bind anyway.
(This used to be commit 9fa1863d8e)
2002-10-26 02:20:59 +00:00
Gerald Carter
a834a73e34 sync'ing up for 3.0alpha20 release
(This used to be commit 65e7b5273b)
2002-09-25 15:19:00 +00:00
Jelmer Vernooij
b2edf254ed sync 3.0 branch with head
(This used to be commit 3928578b52)
2002-08-17 17:00:51 +00:00
Andrew Tridgell
e90b652848 updated the 3.0 branch from the head branch - ready for alpha18
(This used to be commit 03ac082dcb)
2002-07-15 10:35:28 +00:00
Tim Potter
b10b3be01c Spelling.
(This used to be commit 423985ed56)
2002-04-07 23:41:55 +00:00
Andrew Bartlett
657a24f476 Various winbind updates:
- pam_winbind updates from vance, fixing a typo and making some the options
  work properly.

- Extra parinoia in the winbind connection loop

- Allow pam_winbind to compile on HP-UX (Don Mcall, more work to do).

- Fix up configure.in to use the same method for building the test .so
  as the Makefile uses.

Andrew Bartlett
(This used to be commit 8e705dd921)
2002-03-23 08:28:19 +00:00
Tim Potter
ab13654dc9 Renamed get_nt_error_msg() to nt_errstr().
(This used to be commit 1f007d3ed4)
2002-03-17 04:36:35 +00:00
Andrew Bartlett
e91e0a83af Winbind cleanup.
This patch fixes the segfaults I introduced in the previous conneciton caching
patch.  It cleans up the connection cache a *lot* - in particular it adds
significant robustness to the operation.

If a the DC goes down, we no longer fail the next operation - the code checks
if the connection died during one of its own operations on the socket, and
restarts the conneciton as required.

There is still a memory leak in here somewhere - but this code also cleans up a
number of these.

Also added is the abilty to sepecify the domain of the 'get around restrict anonymous'
user that winbind uses.

Andrew Bartlett
(This used to be commit 92cbefdf27)
2002-02-15 13:28:59 +00:00
Andrew Bartlett
14e6be4975 A few small winbind updates:
Add a connection cache to the netlogon pipe.  This makes a *massive* difference
to the time-per-auth.  Also fix up *some* of the memory leaks in other
connection caches.

Add some debugging messages for the is_connected() code.  I'm thinking we
should get a client implementation of SMBecho and call it here - as it would
allow us to always know the DC is around before we start.

Down the debug level for some of the pam_winbind code - I'll probably down it
further when I'm finished debugging.

Andrew Bartlett
(This used to be commit 49d3e47666)
2002-02-11 01:29:07 +00:00
Andrew Bartlett
e32177ea9d Fix up some of the DEBUG lines in winbind_pam.c
(This used to be commit dfc8883305)
2002-02-08 06:43:55 +00:00
Andrew Bartlett
ed389ee8dc Drastic impromvents to pam_winbind.
This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error
conversions, and uses them to make the error handling in pam_winbind sane.

In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...'
stuff, and logs the NTSTATUS error that winbind now sends over the pipe.

Added code to wbinfo to display these - makes a big difference in debugging
winbindd.

The main change here is the code to allow pam_winbind password changing to
correctly stack - This code ripped from pam_unix, and the copyright attached.
(Same as for all pam modules, including pam_winbind)

Andrew Bartlett
(This used to be commit dc1a72f896)
2002-02-05 09:40:36 +00:00
Tim Potter
12b7f600a0 Removed unused variables.
(This used to be commit 703d06fee0)
2002-01-31 11:54:01 +00:00
Tim Potter
cd68afe312 Removed version number from file header.
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06)
2002-01-30 06:08:46 +00:00
Tim Potter
62ea16ae36 Fix for password change from Samuel Ziegler <sam@xpedion.com>
(This used to be commit 418bdd5919)
2002-01-30 03:23:40 +00:00