1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

115 Commits

Author SHA1 Message Date
Andrew Bartlett
eba8799514 auth: Remove .get_challenge (only used for security=server)
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge,
so if we ever did use a module that needed this functionlity, we would
downgrade to just NTLM.

Now that security=server has been removed, we have no such module.

This will make it easier to make the auth subsystem async, as we will
not need to consider making .get_challenge async.

Andrew Bartlett
2012-07-03 08:13:01 +10:00
Andrew Bartlett
60b6348244 s3-auth: rework default auth methods around the lp_server_role() parameter
To cover all the enum values, ROLE_ACTIVE_DIRECTORY_DOMAIN_CONTROLLER
is mapped to the samba4 auth module, and this is no longer required to
be specified in fileserver.conf.

Andrew Bartlett
2012-06-15 09:18:33 +02:00
Andrew Bartlett
b9a75d8438 s3-auth: Merge SEC_DOMAIN and SEC_ADS cases in creating the default auth module list 2012-06-15 09:18:33 +02:00
Stefan Metzmacher
b4abd3faaf s3-auth: remove "security=server" (depricated since 3.6)
"security=server" has a lot of problems in the world with
modern security (ntlmv2 and krb5). It was also not very
reliable, as it needed a stable connection to the password
server for the lifetime of the whole client connection!

Please use "security=domain" or "security=ads" is you
authentication against remote servers (domain controllers).

metze
                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SERVER      |
                  |    security=server   |
                  |                      |
                  |                      |
                  |       12 May         |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______
2012-05-15 08:18:28 +02:00
Andrew Bartlett
77602d877e s3-auth: Remove single-implementation plugin layer
The ->get_ntlm_challenge and ->check_ntlm_password elements of struct auth_context
were only ever initialised to a single value.  Make it easier to follow by
just calling the function directly.

Andrew Bartlett
2012-03-08 10:14:05 +01:00
Andrew Bartlett
d7bb961859 s3-auth: Remove security=share (depricated since 3.6).
This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.

The rationale for the removal is that for the bulk of security=share
users, we just we need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok.  This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server

At the same time, this closes the door on one of the most arcane areas
of Samba authentication.

Naturally, full user-name/password authentication remain available in
security=user and above.

This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.

Andrew Bartlett

                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SHARE       |
                  |    security=share    |
                  |                      |
                  |                      |
                  |       5 March        |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______
2012-03-04 23:33:05 +01:00
Andrew Bartlett
8a9b6fe26d s3-auth: Add a way to get an auth4_context from the auth stack
This will allow us to use the same layer that auth_ntlmssp does
in the non-SPNEGO session setup, which will in turn make the
authentication code more consistent in the AD server case.

Andrew Bartlett
2012-02-24 11:23:18 +11:00
Andrew Bartlett
e22b1b4f9e s3-auth re-create the auth context in the s3 ntlmssp server module
This removes the abstraction violation in auth_generic.c.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
7b1d6a6a05 selftest: test plugin_s4_dc against all ncacn_np tests
Changes to the s3 epmapper behaviour seem to have fixed the rest of these
tests.

Andrew Bartlett
2011-08-03 18:48:05 +10:00
Andrew Bartlett
902df83680 s3-ntlmssp Split calls to gensec plugin into prepare and start
GENSEC has the concept of starting the GENSEC subsystem before starting the
actual mechansim.  Between these two stages is when most context methods
are called, to specify credentials and features.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
6bcaba6f8a s3-auth Allow auth modules to provide an initialised GENSEC context
This will allow auth plugins such as auth_samba4 to provide an initialised
GENSEC context to auth subsystem callers.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:02 +10:00
Andreas Schneider
f97bdebbbe s3-auth: Fix account check over ncalrpc. 2011-07-13 14:09:35 +02:00
Stefan Metzmacher
ce751946dd s3:auth: remove unused variable
metze
2011-07-08 14:09:06 +02:00
Andreas Schneider
7e46a84bb7 s3-auth: Pass the remote_address down to user_info.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-07-04 18:28:02 +10:00
Günther Deschner
7e73214ebf s3-auth: use auth.h where needed.
Guenther
2011-03-30 01:13:09 +02:00
Volker Lendecke
6ee0d866c2 s3: Lift talloc_autofree_context() from make_auth_context_fixed() 2010-09-26 01:12:37 +02:00
Volker Lendecke
242e329610 s3: Lift talloc_autofree_context() from make_auth_context_subsystem() 2010-09-26 01:12:37 +02:00
Volker Lendecke
2d8be31e88 s3: Lift talloc_autofree_context() from make_auth_context_text_list() 2010-09-26 01:12:37 +02:00
Volker Lendecke
61861e4b7d s3: Lift talloc_autofree_context() from make_auth_context() 2010-09-26 01:12:37 +02:00
Volker Lendecke
177e394f93 s3: Pass the rhost through smb_pam_accountcheck 2010-08-22 22:42:21 +02:00
Volker Lendecke
265f0b7745 s3: Rename auth.c:backends to auth_backends 2010-08-22 22:42:21 +02:00
Andrew Bartlett
e66f6e715f s3:auth Whitespace fixes after auth merge 2010-08-14 11:58:13 +10:00
Andrew Bartlett
23994e1b53 s3:auth Make Samba3 use the new common struct auth_usersupplied_info
This common structure will make it much easier to produce an auth
module for s3compat that calls Samba4's auth subsystem.

In order the make the link work properly (and not map twice), we mark
both that we did try and map the user, as well as if we changed the
user during the mapping.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-14 11:58:13 +10:00
Simo Sorce
e60ed80754 s3-auth: Simplify how we free the auth_context
Turn the freeing function into a destructor and attach it to the
auth_context.
Make all callers TALLOC_FREE() the auth_context instead of calling
the free function.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19 14:20:00 +10:00
Andrew Bartlett
fc956cfcbb s3:auth Rename user_info->domain -> user_info->mapped.domain_name
This is closer to the structure I want for a common struct
auth_usersupplied_info.

Andrew Bartlett
2010-06-07 23:34:28 +10:00
Andrew Bartlett
deabae191b s3:auth Rename user_info->client_domain -> user_info->client.domain_name
This is closer to the structure I want for a common struct
auth_usersupplied_info.

Andrew Bartlett
2010-06-07 23:34:28 +10:00
Andrew Bartlett
7a021df96d s3:auth Rename user_info->internal_username -> user_info->mapped.account_name
This is closer to the structure I want for a common struct
auth_usersupplied_info.

Andrew Bartlett
2010-06-07 23:34:28 +10:00
Andrew Bartlett
23159453d3 s3:auth Rename user_info->smb_name -> user_info->client.account_name
This is closer to the structure I want for a common struct
auth_usersupplied_info.

Andrew Bartlett
2010-06-07 23:34:28 +10:00
Andrew Bartlett
a6e07c22a3 s3:auth Rename wksta_name -> workstation_name in auth_usersupplied_info 2010-06-01 17:11:25 +10:00
Andrew Bartlett
468fb4fee4 s3:auth Make get_ntlm_challenge more like Samba4
This helps with the upcoming NTLMSSP merge, and allows errors to be returned.

Andrew Bartlett
2010-05-13 10:12:26 +10:00
Volker Lendecke
c5c40f2648 s3: Make "auth_context" its own talloc parent
Remove "mem_ctx" from "struct auth_context"
2010-04-11 13:53:19 +02:00
Jeremy Allison
9f0bdd4e17 Remove an unused talloc context.
Jeremy.
2009-07-16 18:12:17 -07:00
Volker Lendecke
a3127ea9d7 Fix some nonempty blank lines 2009-02-21 14:04:16 +01:00
Volker Lendecke
4aed9abbf8 Remove the static "chal" from ntlmssp.c:get_challenge() 2009-02-21 14:04:14 +01:00
Jeremy Allison
8b4b5c3a92 Add wrapper str_list_make_v3() to replace the old S3 behavior of
str_list_make(). From Dan Sledz <dan.sledz@isilon.com>:
In samba 3.2 passing NULL or an empty string returned NULL.
In master, it now returns a list of length 1 with the first string set
to NULL (an empty list).
Jeremy.
2008-11-06 18:53:00 -08:00
Jelmer Vernooij
218f482fbf Use common strlist implementation in Samba 3 and Samba 4. 2008-10-12 00:56:56 +02:00
Karolin Seeger
a8124367b4 Fix typos.
Karolin
(This used to be commit 6cee347035)
2008-04-09 16:14:04 +02:00
Volker Lendecke
2762b9a975 Always pass a TALLOC_CTX to str_list_make and str_list_copy
(This used to be commit e2c9fc4cf5)
2008-02-04 20:57:49 +01:00
Volker Lendecke
b47672656b tiny simplification
(This used to be commit 22e49ef2c0)
2008-02-04 19:41:04 +01:00
Jeremy Allison
30191d1a57 RIP BOOL. Convert BOOL -> bool. I found a few interesting
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
2007-10-18 17:40:25 -07:00
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Volker Lendecke
b4a7b7a888 r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; and
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687e)
2007-10-10 12:22:01 -05:00
Stefan Metzmacher
56ba447668 r22001: change prototype of dump_data(), so that it takes unsigned char * now,
which matches what samba4 has.

also fix all the callers to prevent compiler warnings

metze
(This used to be commit fa322f0cc9)
2007-10-10 12:18:59 -05:00
Volker Lendecke
c0e37a7496 r21870: Move sending auth_server keepalives out of the main loop into an idle event.
Volker
(This used to be commit 6226b30f38)
2007-10-10 12:18:41 -05:00
Stefan Metzmacher
258a465e20 r18605: sync dlinklist.h with samba4, that means DLIST_ADD_END()
and DLIST_DEMOTE() now take the type of the tmp pointer
not the tmp pointer itself anymore.

metze
(This used to be commit 2f58645b70)
2007-10-10 11:51:59 -05:00
Paul Green
31693197be r15283: Oh yeah. The build farm doesn't do much with head. OK, here is the patch to SAMBA_3_0 to declare prototypes for the initialization functions. These are the same changes I just made to head. --paulg
(This used to be commit 17774387ad)
2007-10-10 11:16:31 -05:00
Gerald Carter
2203bed32c r13576: This is the beginnings of moving the SAM_ACCOUNT data structure
to make full use of the new talloc() interface.  Discussed with Volker
and Jeremy.

* remove the internal mem_ctx and simply use the talloc()
  structure as the context.
* replace the internal free_fn() with a talloc_destructor() function
* remove the unnecessary private nested structure
* rename SAM_ACCOUNT to 'struct samu' to indicate the current an
  upcoming changes.  Groups will most likely be replaced with a
  'struct samg' in the future.

Note that there are now passbd API changes.  And for the most
part, the wrapper functions remain the same.

While this code has been tested on tdb and ldap based Samba PDC's
as well as Samba member servers, there are probably still
some bugs.  The code also needs more testing under valgrind to
ensure it's not leaking memory.

But it's a start......
(This used to be commit 19b7593972)
2007-10-10 11:10:15 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Jeremy Allison
8d7c886671 r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4
x86_64 box.
Jeremy.
(This used to be commit d720867a78)
2007-10-10 11:05:02 -05:00