IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Following the current coding guidelines, it is considered bad practice to return from
within a macro and change control flow as they look like normal function calls.
Change-Id: I421e169275fe323e2b019c6cc5d386289aec07f7
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Following the current coding guidelines, it is considered bad practice to return from
within a macro and change control flow as they look like normal function calls.
Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Change-Id: If53117023e3ab37c810193edd00a81d247fdde7a
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 19 01:28:14 CET 2014 on sn-devel-104
This is not used in other parts of source3, so this patch improves
modularity and isolation of features.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Correctly lookup users which come from smb.conf. passwd_to_SamInfo3()
tries to contact winbind if the user is a domain user to get
valid information about it. If winbind isn't running it will try to
create everything from the passwd struct. This is not always reliable
but works in most cases. It improves the current situation which doesn't
talk to winbind at all.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 5 01:40:38 CET 2014 on sn-devel-104
First this function tries to contacts winbind if the user is a domain
user to get valid information about it. If winbind isn't running it will
try to create everything from the passwd struct. This is not always
reliable but works in most cases. It improves the current situation
which doesn't talk to winbind at all.
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 16 03:18:00 CET 2013 on sn-devel-104
We now only lowercase the password, we do not attempt to find another case
combination that the password might be in.
This option is already depricated, so it is now time to remove it.
Andrew Bartlett
Reviewed-by: Simo Sorce <idra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu May 16 22:51:26 CEST 2013 on sn-devel-104
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 24 17:14:48 CEST 2013 on sn-devel-104
If we successfully map a user. We call
set_last_from_to(user_in, unixname);
in the while loop reading the map file. After a successfull map we don't
stop and continue the loop to check all other mappings in the username
mapfile. But when we hit the end of the file and leave the loop we call:
set_last_from_to(user_in, user_in);
This overwrites the successful mapping, and the next time we call
map_username() we skip the username and no mapping is done.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
s3: never try to map global SAM name
Do not treat the global SAM name as a BOGUS domain, and exempt
local users from mapping, instead. This change reinstates the
exact mapping behaviour of Samba 3.2 if parameter 'map untrusted
to domain' is set.
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
save some calls to lp_idmap_default_range(), calling it
once is enough
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Tue Feb 5 19:14:25 CET 2013 on sn-devel-104
We also need to convert last_logon, last_logoff and acct_expiry
from unix time to nt time.
Otherwise a windows member server will reject clients
using CAP_DYNAMIC_REAUTH or smb2) with STATUS_NETWORK_SESSION_EXPIRED,
if the logoff and kickoff time is expired.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 1 18:42:42 CET 2013 on sn-devel-104
Based on Michaels example, split out the return of NT_STATUS_NO_MEMORY
on talloc fail from other possible errors. Allow the NTSTATUS return
to be the only valid indication of success in these calls.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Dec 11 20:04:25 CET 2012 on sn-devel-104
Commit c5b150b33f introduced these checks.
The current check "found_username == NULL" is wrong (we would segfault earlier
in this case). We need to check *found_username == NULL instead as
noted by Günter.
Reported-by: Günter Kukkukk <linux@kukkukk.com>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This is embarrassing: the commit 0770a4c01b
which intended to fix an earlier copy'n'paste error, contained another
typo, fixed with this commit...
Signed-off-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Dec 11 00:04:45 CET 2012 on sn-devel-104
Commit 1c3c5e2156 which factored
the sid-based variant out of create_token_from_username() broke
the case of a user handled by winbindd in that the "found_username"
was set to NULL which caused the function to fail with
NT_STATUS_NO_MEMORY further down.
This patch fixes the function so that the case of found_username == NULL
is cleanly separated from the NO_MEMORY case and the caller can provide
the username in this case, if required.
This fixes bug #9457.
Signed-off-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Dec 10 18:18:54 CET 2012 on sn-devel-104
This function was created in 1c3c5e2156
and the header comment contained copy'n'paste errors from the original
function user_in_group_sid() that took the user name.
Signed-off-by: Michael Adam <obnox@samba.org>
All crypto is dealt with within the netlogon samlogon server now.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Still need to fix AES support for the returned validation info.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Currently in smb_getpwnam() the NetBIOS domain name and the winbind separator
character is always added to the user name returned by Get_Pwnam_alloc() if it
does not contain the winbind separator character. As comments in the code
indicates this is done as a work around if 'winbind use default domain' is set
to yes in the samba configuration.
This make sense if the option is set because otherwise the domain information is
lost from the user name. But it causes errors if other services than winbind are
used for user lookup, e.g. sssd. sssd can handle different kind of fully
qualified user names as input, e.g. user@domain.name or DOM\user, but returns a
canonical name, by default user@domain.name.
While it would be possible to get around this issue with a special configuration
either on the sssd or samba side I think the cleaner solution is to use the work
around only if 'winbind use default domain' is set to yes which is what this
patch does.
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Nov 12 15:54:15 CET 2012 on sn-devel-104
When a user owns a file, but does not have specific permissions on that file, we need to
make up the user permissions. This change ensures that the first thing that we do
is to look up the SID, and confirm it is a user. Then, we avoid the getpwnam()
and directly create the token via the SID.
Andrew Bartlett
Signed-off-by: Jeremy Allison <jra@samba.org>
This was incorrect in commit 9dd7e7fc2d
as the RID was from the BUILTIN domain, but this creates a guest
account token for the real domain.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jul 19 05:56:28 CEST 2012 on sn-devel-104
This reverts commit 00089fd74a.
The issue with this patch, which I did sign off on, is that for the
domain member case, we already know that the SID is reasonable and
valid, and we indeed rely on that, because we keep it as an additonal
group anyway. The primary group is not so special that we need to do
extra validation.
Calling this function may put a user into the domain 'domain users'
group, even if they are not in that group to start with.
Andrew Bartlett
They use talloc_tos() internally: hoist that up to the callers, some
of whom don't want to us talloc_tos().
A simple patch, but hits a lot of files.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Because of the evolution in the way the auth handling has been done, we do not
need this code any more. Raw NTLM Session setup & X is done via the auth4 context
which returns a full session info.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 13 10:04:05 CEST 2012 on sn-devel-104
This boolean was only set if the old machine account store (with an
MD4 hash in it) was returned. We have not set that password type for
years. If this call ever worked, it would store a plaintext password,
so we could only ever be here if we had set a password using a version
of Samba so old as not to store plaintext, and then never honered the
flag anyway.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 13 07:52:40 CEST 2012 on sn-devel-104
This does not check whether the given sid is in our domain, but
but whether it belongs to the local sam, which is a different
thing on a domain member server.
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104
Several functions use the same logic as kerberos_pac_logon_info. Move
kerberos_pac_logon_info to common code and reuse it to remove the code
duplication.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge,
so if we ever did use a module that needed this functionlity, we would
downgrade to just NTLM.
Now that security=server has been removed, we have no such module.
This will make it easier to make the auth subsystem async, as we will
not need to consider making .get_challenge async.
Andrew Bartlett
This helps clarify the role of this structure and wrapper function.
The purpose here is to provide helper functions to the lib/param
loadparm_context that point back at the s3 lp_ functions. This allows
a struct loadparm_context to be passed to any point in the code, and
always refer to the correct loadparm system. If this has not been
set, the variables loaded in the lib/param code will be returned.
As requested by Michael Adam.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 27 17:11:16 CEST 2012 on sn-devel-104
This is important in some situations where these queries might be
costly LDAP queries and is just not required for the system token.
This is because the system token should be just the NT
AUTHORITY\SYSTEM user and just enough unix info to allow the token to
be used.
Andrew Bartlett
Signed-off-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 19 13:34:28 CEST 2012 on sn-devel-104
This is important in some situations where these queries might be
costly LDAP queries and is just not required for the system token.
This is because the system token should be just the NT
AUTHORITY\SYSTEM user and just enough unix info to allow the token to
be used.
We query only NSS to get the name of sec_initial_uid()
Signed-off-by: Andreas Schneider <asn@samba.org>
With the split up to handle system specially, there is no need for these
static helper functions any more.
Andrew Bartlett
Signed-off-by: Andreas Schneider <asn@samba.org>
This removes the duplication on how to detect that a user is system in Samba
now that the smbd system account is also only SID_NT_SYSTEM we can use the same
check everywhere.
Andrew Bartlett
Signed-off-by: Andreas Schneider <asn@samba.org>
auth_netlogond was an important module in the development of the
combined Samba 4.0, and was the first module to link smbd with the AD
authentication store, showing that it was possible for NTLM
authentication to be offloaded to the AD server components.
We now have auth_samba4, which provides the full GENSEC stack to smbd,
which also matches exactly the group membership and privileges
assignment and which is supported and tested as part of the official
Samba 4.0 release configuration.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jun 16 10:13:20 CEST 2012 on sn-devel-104
To cover all the enum values, ROLE_ACTIVE_DIRECTORY_DOMAIN_CONTROLLER
is mapped to the samba4 auth module, and this is no longer required to
be specified in fileserver.conf.
Andrew Bartlett
The SID for the SYSTEM token should be a fixed value, and not the
administrator. Note however that it will be replaced by the SID of
sec_initial_uid() by the create_local_token() code. Fixing this
requires fixes the other parts of the code that cannot cope with a
token of just SID_NT_SYSTEM.
Andrew Bartlett
This continues on from commit caaebb455c
which is marked as being part of bug #8944, ldapsam:trusted and ipasam
and an additional fix for bug #8567
(0528cb5f3a).
The problem here was that the primary_gid was simply the pointer result
of dom_sid_parse_talloc() cast to a uint32_t (found by the IRIX cc on
the build farm).
Andrew Bartlett
System MIT krb5 build also enabled by specifying --without-ad-dc
When --with-system-mitkrb5 (or --withou-ad-dc) option is passed to top level
configure in WAF build we are trying to detect and use system-wide MIT krb5
libraries. As result, Samba 4 DC functionality will be disabled due to the fact
that it is currently impossible to implement embedded KDC server with MIT krb5.
Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
* Samba 4 client libraries and their Python bindings
* Samba 3 server (smbd, nmbd, winbindd from source3/)
* Samba 3 client libraries
In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture.
This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.
"security=server" has a lot of problems in the world with
modern security (ntlmv2 and krb5). It was also not very
reliable, as it needed a stable connection to the password
server for the lifetime of the whole client connection!
Please use "security=domain" or "security=ads" is you
authentication against remote servers (domain controllers).
metze
--------------
/ \
/ REST \
/ IN \
/ PEACE \
/ \
| SEC_SERVER |
| security=server |
| |
| |
| 12 May |
| |
| 2012 |
*| * * * | *
_________)/\\_//(\/(/\)/\//\/\///|_)_______
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed May 9 19:36:01 CEST 2012 on sn-devel-104
This avoids the union in the struct wbcUnixId and moves us to using only struct unixid
internally.
Andrew Bartlett
Signed-off-by: Michael Adam <obnox@samba.org>
This is rather than just picking a random number out of the air.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Apr 30 11:29:34 CEST 2012 on sn-devel-104
Otherwise, really simple clients (such as the current ntlm_auth gss-spnego client)
will not select krb5.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
The performance of these is minimal (these days) and they can return
invalid results when used as part of applications that do not use
sys_fork().
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Mar 24 21:55:41 CET 2012 on sn-devel-104
On LSA and SAMR pipes session_key is truncated to 16 byte when doing encryption/decryption.
However, this was not done for trusted domain-related modifying operations.
As result, Samba 4 client libraries do not work against Samba 3 while working
against Windows 2008 r2.
Solved this by introducing "session_extract_session_key()" function that allows to specify
intent of use of the key.
Signed-off-by: Andreas Schneider <asn@samba.org>
Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Tue Mar 13 12:23:44 CET 2012 on sn-devel-104
The ->get_ntlm_challenge and ->check_ntlm_password elements of struct auth_context
were only ever initialised to a single value. Make it easier to follow by
just calling the function directly.
Andrew Bartlett
This patch ensures consistency in behaviour between NTLMSSP and NTLM
session setup handlers. By calling the same layer that auth_ntlmssp
calls, we can not only allow redirection of all authentication to the
AD DC, we ensure that map to guest and username map handling is
consistent, even in the file server alone.
Andrew Bartlett
This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.
The rationale for the removal is that for the bulk of security=share
users, we just we need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok. This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server
At the same time, this closes the door on one of the most arcane areas
of Samba authentication.
Naturally, full user-name/password authentication remain available in
security=user and above.
This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.
Andrew Bartlett
--------------
/ \
/ REST \
/ IN \
/ PEACE \
/ \
| SEC_SHARE |
| security=share |
| |
| |
| 5 March |
| |
| 2012 |
*| * * * | *
_________)/\\_//(\/(/\)/\//\/\///|_)_______
This will allow us to use the same layer that auth_ntlmssp does
in the non-SPNEGO session setup, which will in turn make the
authentication code more consistent in the AD server case.
Andrew Bartlett
This matches check_ntlm_password() and generate_session_info_pac()
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
