1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

30 Commits

Author SHA1 Message Date
Matthieu Patou
245b277749 s4: fix wrong index usage PRIMARY_USER_SID_INDEX when it should have been PRIMARY_GROUP_SID_INDEX
The system account was instanciated with wrong user an group SIDs, group
sid resulted being just the domain SID.
Bug seems to date from fbe6d155bf.

Andrew (B.) please check.
2011-06-19 23:21:08 +02:00
Matthias Dieter Wallnöfer
bd25bc133a s4:auth/system_session.c - check for OOM
Reviewed-by: Jelmer
2011-03-22 19:04:41 +01:00
Andrew Bartlett
a2ce53c1f5 s4-auth Rework auth subsystem to remove struct auth_serversupplied_info
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc.  This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.

The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.

Andrew Barltett
2011-02-09 01:11:06 +01:00
Andrew Bartlett
fbe6d155bf s4-auth Remove special case for account_sid from auth_serversupplied_info
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **.  This is in keeping with
the other sid lists in the security_token etc.

In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.

Andrew Bartlett
2011-01-20 23:44:05 +01:00
Andrew Bartlett
6f7423c7f1 s4-auth Remove duplicate copies of session_info creation code
We now just do or do not call into LDB based on some flags.

This means there may be some more link time dependencies, but we seem
to deal with those better now.

Andrew Bartlett
2010-12-21 15:10:38 +11:00
Andrew Bartlett
1961d7a411 s4-auth rework session_info handling not to require an auth context
This reverts a previous move to have this based around the auth
subsystem, which just spread auth deps all over unrelated code.

Andrew Bartlett
2010-12-21 15:10:38 +11:00
Andrew Bartlett
6cf29b3e4f s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid
This makes the structure much more like NT_USER_TOKEN in the source3/
code.  (The remaining changes are that privilages still need to be merged)

Andrew Bartlett
2010-08-23 08:50:55 +10:00
Andrew Bartlett
23dc2e4244 s4:auth Change {anonymous,system}_session to use common session_info generation
This also changes the primary group for anonymous to be the anonymous
SID, and adds code to detect and ignore this when constructing the token.

Andrew Bartlett
2010-08-18 09:50:45 +10:00
Andrew Bartlett
ba52834dd9 s4:auth Remove system_session_anon() from python bindings 2010-08-18 09:50:44 +10:00
Andrew Bartlett
a68a5592c5 s4:auth Remove the system:anonymous parameter used for the LDAP backend
This isn't needed any more, and just introduces complexity.
2010-08-18 09:50:44 +10:00
Andrew Bartlett
d99ff145ae s4:auth Remove special case constructor for admin_session()
There isn't a good reason why this code is duplicated.

Andrew Bartlett
2010-08-18 09:50:44 +10:00
Andrew Bartlett
7c6ca95bec s4:security Remove use of user_sid and group_sid from struct security_token
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-18 09:50:38 +10:00
Andrew Tridgell
6b266b85cf s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 18:24:27 +10:00
Nadezhda Ivanova
ee56f74cae Fixed system_session_anon to actually make an anonymous session
It seems that because the flag is false, this always used the supplied credentials
rhather than establish anonymous connection.
2010-07-14 10:30:40 +03:00
Andrew Bartlett
82c97e0ab8 s4:auth Remove un-needed headers. 2010-05-21 16:38:44 +10:00
Andrew Bartlett
9c6b637ce8 s4:auth Change auth_generate_session_info to take flags
This allows us to control what groups should be added in what use
cases, and in particular to more carefully control the introduction of
the 'authenticated' group.

In particular, in the 'service_named_pipe' protocol, we do not have
control over the addition of the authenticated users group, so we key
of 'is this user the anonymous SID'.

This also takes more care to allocate the right length ptoken->sids

Andrew Bartlett
2010-05-20 17:39:10 +10:00
Andrew Bartlett
589a42e2da s4:auth Change auth_generate_session_info to take an auth context
The auth context was in the past only for NTLM authentication, but we
need a SAM, an event context and and loadparm context for calculating
the local groups too, so re-use that infrustructure we already have in
place.

However, to avoid problems where we may not have an auth_context (in
torture tests, for example), allow a simpler 'session_info' to be
generated, by passing this via an indirection in gensec and an
generate_session_info() function pointer in the struct auth_context.

In the smb_server (for old-style session setups) we need to change the
async context to a new 'struct sesssetup_context'.  This allows us to
use the auth_context in processing the authentication reply .

Andrew Bartlett
2010-04-14 10:30:51 +10:00
Andrew Bartlett
4e2384e242 s4:auth Allow the simple 'struct auth_session_info' generator for all users
This code isn't ideal, but it is better than needing to consult the
main SamDB in things like a torture test.

Andrew Bartlett
2010-04-14 10:28:35 +10:00
Andrew Bartlett
2c193fe91a s4:auth Remove event context from anonymous_session()
This should always return a simple structure with no need to consult a
DB, so remove the event context, and simplfy to call helper functions
that don't look at privilages.

Andrew Bartlett
2010-04-11 13:36:04 +10:00
Matthias Dieter Wallnöfer
e912d50709 s4:auth - make some parts "signed-safe"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-02-25 08:17:11 +11:00
Andrew Tridgell
98e4393df9 s4-dsdb: create a static system_session context
This patch adds a system_session cache, preventing us from having to
recreate it on every ldb open, and allowing us to detect when the same
session is being used in ldb_wrap
2009-10-23 14:52:17 +11:00
Nadezhda Ivanova
269fe99a62 Added "admin_session" method.
The purpose of admin_session is to be able to execute parts of provisioning
as the user Administrator in order to have the correct group and owner in the
security descriptors. To be used for provisioning and tests only.
2009-09-09 18:57:50 +10:00
Jelmer Vernooij
c537f7a914 Fix the build. 2008-11-02 05:49:36 +01:00
Andrew Bartlett
ed5ddabc43 Add documentation to session token functions.
(This used to be commit ec4a108d1d)
2008-04-24 13:30:36 +01:00
Jelmer Vernooij
a2cea02584 r26430: require explicit specification of loadparm context.
(This used to be commit 1b947fe0e6)
2007-12-21 05:49:58 +01:00
Jelmer Vernooij
43696d2752 r26252: Specify loadparm_context explicitly when creating sessions.
(This used to be commit 7280c1e941)
2007-12-21 05:47:29 +01:00
Jelmer Vernooij
934e932387 r26235: Avoid global_loadparm.
(This used to be commit e903978220)
2007-12-21 05:47:13 +01:00
Jelmer Vernooij
7e298580e0 r26234: More global_loadparm fixes.
(This used to be commit 84892d030d)
2007-12-21 05:47:12 +01:00
Jelmer Vernooij
55f333ae2d r26134: Avoid using samdb-dependent functions in auth_system_session.
(This used to be commit 29c1c96fe0)
2007-12-21 05:46:16 +01:00
Jelmer Vernooij
4340fc2d9e r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step.
(This used to be commit b3fcb8e810)
2007-12-21 05:46:14 +01:00