1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

48 Commits

Author SHA1 Message Date
Stefan Metzmacher
f513c20ee0 s3:secrets: remove unused secrets_store_[prev_]machine_password()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:46 +02:00
Stefan Metzmacher
5f0038fba6 s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials
We now store various hashed keys at change time and maintain a lot of details
that will help debugging failed password changes.

We keep storing the legacy values:
 SECRETS/SID/
 SECRETS/DOMGUID/
 SECRETS/MACHINE_LAST_CHANGE_TIME/
 SECRETS/MACHINE_PASSWORD/
 SECRETS/MACHINE_PASSWORD.PREV/
 SECRETS/SALTING_PRINCIPAL/DES/

This allows downgrades to older Samba versions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:46 +02:00
Stefan Metzmacher
dfaadc8192 s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:45 +02:00
Stefan Metzmacher
fde4af1c32 s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:45 +02:00
Stefan Metzmacher
cd1e888773 s3:secrets: rename secrets_delete() to secrets_delete_entry()
secrets_delete_entry() fails if the key doesn't exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:45 +02:00
Stefan Metzmacher
99013685a1 s3:secrets: add some const to secrets_store_domain_guid()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:45 +02:00
Stefan Metzmacher
504b446d8d s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
These don't use any krb5_context related functions and they just
work on secrets.tdb, so they really belong to machine_account_secrets.c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Christof Schmitt
487119d741 secrets: Add function to fetch only password change timestamp
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-08-01 10:55:21 +02:00
Volker Lendecke
d699e1db80 lib: Remove "use_ntdb" param from secrets_init_path
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-03-17 11:30:51 +01:00
Richard Sharpe
9077fc79d4 Remove an unused function call.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Feb 13 23:29:54 CET 2015 on sn-devel-104
2015-02-13 23:29:53 +01:00
Andrew Bartlett
a0105b84b8 secrets: Ensure we store the secureChannelType when written to secrets.ldb
This will allow winbindd to know when we are an RODC
without needing to dig into sam.ldb.

Change-Id: Ibdfa37fe6269305ccc5db42479f4a8db5eea53f3
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
2014-07-04 02:52:35 +02:00
Rusty Russell
2f4b21bb57 ntdb: switch between secrets.tdb and secrets.ntdb depending on 'use ntdb'
Since we open with dbwrap, it auto-converts old tdbs (which it will
rename to secrets.tdb.bak once it's done).

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au>
Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104
2013-02-20 07:09:19 +01:00
Andrew Bartlett
708ce41b32 s3-secrets: Add helper function to set machine account password from secrets_tdb_sync
secrets_tdb_sync will be a new ldb module designed to sync secrets.ldb
entries with the secrets.tdb file.

While not ideal to keep two copies of this data, this routine will
assist in allowing the samba-tool domain join code to operate
correctly in most cases where winbindd and smbd are used.

Andrew Bartlett
2012-08-28 07:57:29 +10:00
Andrew Bartlett
4b61c4891a s3-secrets: Use C99 types 2012-07-15 11:49:29 +10:00
Andrew Bartlett
a431f80457 s3-secrets: Remove unused secrets_delete_generic()
Found by callcatcher.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Feb 18 09:01:15 CET 2012 on sn-devel-104
2012-02-18 09:01:15 +01:00
Andrew Bartlett
2d02b5e939 s3-secrets: Remove unused secrets_delete_machine_password()
Found by callcatcher.

Andrew Bartlett
2012-02-18 07:28:07 +01:00
Simo Sorce
e6c39a292c s3-pdb: Break SECRETS3 dependency on PDB.
This is causing circular depdnendcies that bring libpdb in all code and this is
BAD.

This change 'protects' the sid and guid of the domain by adding a special key
that makes them effectively read only.

Limit this temporarily to the samba 4 build, once it gets some good testing the
samba4 ifdefs can be dropped.

fix pdb dependencies

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-01-27 18:11:10 +01:00
Günther Deschner
e75c436fe6 s3-passdb: trying to decouple passdb and secrets a little.
Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Jan 18 14:46:18 CET 2012 on sn-devel-104
2012-01-18 14:46:18 +01:00
Amitay Isaacs
08ccc6ed51 passdb: Add a function to read secrets db from a specified path
This allows to load secrets db from a different location. The original
secrets_init() now calls secrets_init_path() with lp_private_dir().
2011-08-13 10:25:06 +10:00
Günther Deschner
51481c5912 s3-secrets: add lsa_secret passdb api.
Guenther
2011-07-31 22:37:26 +02:00
Günther Deschner
235f148590 s3-passdb: use passdb headers where needed.
Guenther
2011-03-30 01:13:08 +02:00
Volker Lendecke
d515c6cd5c s3: Fix auth_netlogond to cope with netlogon_creds_CredentialState
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sun Feb  6 17:30:48 CET 2011 on sn-devel-104
2011-02-06 17:30:48 +01:00
Günther Deschner
c136b84f0d s3-secrets: only include secrets.h when needed.
Guenther
2010-08-05 10:12:25 +02:00
Matthieu Patou
57ab910b6f s3: Allow previous password to be stored and use it to check tickets
This patch is to fix bug 7099. It stores the current password in the
 previous password key when the password is changed. It also check the
 user ticket against previous password.

Signed-off-by: Günther Deschner <gd@samba.org>
2010-06-02 14:32:23 +02:00
Andrew Bartlett
cba7f8b827 s3:dom_sid Global replace of DOM_SID with struct dom_sid
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 10:39:59 +02:00
Simo Sorce
3b12c38ac0 s3:schannel streamline interface
Make calling schannel much easier by removing the need to explicitly open the
database. Let the abstraction do it instead.
2010-02-23 12:46:50 -05:00
Günther Deschner
184afaa04c s3-secrets: use autogenerated code for TRUSTED_DOM_PASS struct parsing from a tdb.
Guenther
2009-10-29 10:49:39 +01:00
Volker Lendecke
f3ba7fc0b9 Store a local schannel key in secrets.tdb 2008-10-06 09:54:16 +02:00
Andrew Tridgell
153cfb9c83 r23801: The FSF has moved around a lot. This fixes their Mass Ave address.
(This used to be commit 87c91e4362)
2007-10-10 12:28:27 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Volker Lendecke
f56da0890f r21831: Back out r21823 for a while, this is going into a bzr tree first.
Volker
(This used to be commit fd0ee6722d)
2007-10-10 12:18:37 -05:00
Volker Lendecke
aa6055debd r21823: Let secrets_store_machine_password() also store the account name. Not used
yet, the next step will be a secrets_fetch_machine_account() function that
also pulls the account name to be used in the appropriate places.

Volker
(This used to be commit f94e5af72e)
2007-10-10 12:18:36 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Jeremy Allison
e127501d45 r10792: Fix the "schannel not stored across client disconnects" problem.
Based on the Samba4 solution - stores data in
$samba/private/schannel_store.tdb.
This tdb is not left open but open and closed on demand.
Jeremy.
(This used to be commit a6d8a4b1ff)
2007-10-10 11:04:54 -05:00
Jeremy Allison
0772ddbae1 r3377: Merge in first part of modified patch from Nalin Dahyabhai <nalin@redhat.com>
for bug #1717.The rest of the code needed to call this patch has not yet been
checked in (that's my next task). This has not yet been tested - I'll do this
once the rest of the patch is integrated.
Jeremy.
(This used to be commit 7565019286)
2007-10-10 10:53:05 -05:00
Volker Lendecke
1c38391c70 Nobody complained on the team-list, so commit it ...
This implements some kind of improved AFS support for Samba on Linux with
OpenAFS 1.2.10. ./configure --with-fake-kaserver assumes that you have
OpenAFS on your machine. To use this, you have to put the AFS server's KeyFile
into secrets.tdb with 'net afskey'. If this is done, on each tree connect
smbd creates a Kerberos V4 ticket suitable for use by the AFS client and
gives it to the kernel via the AFS syscall. This is meant to be very
light-weight, so I did not link in a whole lot of libraries to be more
platform-independent using the ka_SetToken function call.

Volker
(This used to be commit 5775690ee8)
2003-09-07 16:36:13 +00:00
Andrew Bartlett
4f0381bb96 Start merging mimir's trusted domain code from HEAD to 3.0. (for HEAD trusting
NT).
(This used to be commit 76cd4a8901)
2003-04-22 12:13:13 +00:00
Andrew Bartlett
f071020f5e Merge from HEAD - save the type of channel used to contact the DC.
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.

This also change the SID retreval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.

Andrew Bartlett
(This used to be commit 876e00fd11)
2003-04-21 14:09:03 +00:00
Jelmer Vernooij
b2edf254ed sync 3.0 branch with head
(This used to be commit 3928578b52)
2002-08-17 17:00:51 +00:00
Andrew Tridgell
e90b652848 updated the 3.0 branch from the head branch - ready for alpha18
(This used to be commit 03ac082dcb)
2002-07-15 10:35:28 +00:00
Tim Potter
9195f34e4a Moved definition of winbind username/password secrets into secrets.h
(This used to be commit b618b5943d)
2002-04-10 00:35:00 +00:00
Andrew Bartlett
76864bb3f1 Missing include file update for the secrets.c trustdom changes
(This used to be commit e3585e3c2c)
2002-03-02 05:23:06 +00:00
Andrew Bartlett
75de5a5dfa The beginning of trusted and trusting domain support from
Rafal Szczesniak <mimir@diament.ists.pwr.wroc.pl>

This adds the 'net' tools to manipulate the trusted domains.

Andrew Bartlett
(This used to be commit 770c8a31d9)
2002-03-01 02:56:35 +00:00
Tim Potter
cd68afe312 Removed version number from file header.
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06)
2002-01-30 06:08:46 +00:00
Andrew Tridgell
ad2974cd05 added "net join" command
this completes the first stage of the smbd ADS support
(This used to be commit 058a5aee90)
2001-11-24 14:16:41 +00:00
Tim Potter
33fb598731 Added copyright and include guards.
(This used to be commit 9efa93556e)
2001-10-02 03:43:26 +00:00
Matthew Chapman
badb7fc0d2 Fixed LsaQueryInformationPolicy level 3 to return primary domain info.
Domain SID is saved in secrets.tdb upon joining domain.

Added "Authenticated Users" and "SYSTEM" well-known SIDs (under
NT Authority).
(This used to be commit 7710b4f48d)
2000-05-29 01:23:48 +00:00
Andrew Tridgell
2958dfcdf8 added secrets.tdb and changed storage of trust account password to use
it
(This used to be commit 88ad00b82a)
2000-05-08 10:42:21 +00:00