summaryrefslogtreecommitdiff
path: root/source4/auth/session.c
AgeCommit message (Collapse)AuthorFilesLines
2015-01-12CVE-2014-8143:auth: Force talloc type of session_info pointer to matchAndrew Bartlett1-0/+5
This helps us keep things safe in LDB where we put this in a opaque pointer. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Andrew Bartlett Change-Id: I46fe53ba655ca0810c276b72fbca524884cdf22d Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-21dsdb: Ensure "authenticated users" is processed for group membershipsAndrew Bartlett1-5/+39
This change moves the addition of "Authenticated Users" from the very end of the token processing to the start. The reason is that we need to see if "Authenticated Users" is a member of other builtin groups, just as we would for any other SID. This picks up the "Pre-Windows 2000 Compatible Access" group, which is in turn often used in ACLs on LDAP objects. Without this change, the eventual token does not contain S-1-5-32-554 and users other than "Administrator" are unable to read uidNumber (in particular). Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-05-04auth-session: MIT doesn't have import/export cred yetSimo Sorce1-3/+5
For now let's just loose this functionality with the MIT build. gss_import/export_cred should be availa ble when MIT 1.11 is released and this code is used only in some proxy scenario. Not normally needed for common configurations.
2011-07-29s4-auth Move conversion of security_token to unix_token to authAndrew Bartlett1-1/+1
This allows us to honour the AUTH_SESSION_INFO_UNIX_TOKEN flag. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-04-05auth: Move auth_session_info into IDLAndrew Bartlett1-27/+13
This changes auth_session_info_transport to just be a wrapper, rather than a copy that has to be kept in sync. As auth_session_info was already wrapped in python, this required changes to the existing pyauth wrapper and it's users. Andrew Bartlett
2011-04-05s4-auth: Always talloc_zero() the struct auth_session_infoAndrew Bartlett1-1/+1
2011-02-10libcli/named_pipe_auth Change from 'info3' to auth_session_info_transportAndrew Bartlett1-0/+147
This changes the structure being used to convey the current user state from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built structure that matches the internals of the Samba auth subsystem and contains the final group list, as well as the final privilege set and session key. These previously had to be re-created on the server side of the pipe each time. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-09s4-auth Rework auth subsystem to remove struct auth_serversupplied_infoAndrew Bartlett1-17/+26
This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-01-20s4-auth Remove special case for account_sid from auth_serversupplied_infoAndrew Bartlett1-83/+29
This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc. In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids. Andrew Bartlett
2011-01-14s4-auth: fixed status return Andrew Tridgell1-1/+1
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-14s4-auth Add function to obtain any user's session_info from a given LDBAndrew Bartlett1-0/+39
This will be a building block for a tokenGroups test, which can compare against a remote server (in particular the rootDSE) against what we would calculate the tokenGroups to be. (this meant moving some parts out of the auth_sam code into the containing library) Andrew Bartlett
2011-01-14s4-auth use new dsdb_expand_nested_groups()Andrew Bartlett1-6/+6
This isn't quite as good as using tokenGroups, but that is only available for BASE searches, and this isn't how the all the callers work at the moment. Andrew Bartlett
2010-12-21s4-auth Ensure that we always copy across domain groupsAndrew Bartlett1-13/+13
Even if we can't calculate the local groups (because we don't have a local SAM to do it with) we still need to include the domain groups in the session_info token. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Dec 21 05:56:22 CET 2010 on sn-devel-104
2010-12-21s4-auth rework session_info handling not to require an auth contextAndrew Bartlett1-6/+7
This reverts a previous move to have this based around the auth subsystem, which just spread auth deps all over unrelated code. Andrew Bartlett
2010-12-21s4-auth Remove event context from privilage database handlingAndrew Bartlett1-1/+0
These local TDB operations can quite safely be handled in a new/nested event context, rather than using the main event context. Andrew Bartlett
2010-12-21s4-auth Remove obsolete commentAndrew Bartlett1-7/+0
The code that this referred to went away in September with 7dbfeb0dc040889244a1110940af2d070f823374 Andrew Bartlett
2010-10-12libcli/security Add debug class to security_token_debug() et alAndrew Bartlett1-1/+1
This will allow it to replace functions in source3 that use debug classes. Andrew Bartlett
2010-09-27s4-auth: removed unused variable dom_sidAndrew Tridgell1-1/+1
2010-09-26s4-auth: fixed the SID list for DCs in the PACAndrew Tridgell1-18/+0
the S-1-5-9 SID is added in the PAC by the KDC, not on the server that receives the PAC Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
2010-08-18s4:auth Avoid doing database lookups for NT AUTHORITY usersAndrew Bartlett1-108/+116
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell1-1/+1
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-30s4:auth/session.c - suppress a warning when freeing "group_string"Matthias Dieter Wallnöfer1-3/+5
2010-06-30s4:auth/session.c - free "group_string" when not neededAnatoliy Atanasov1-1/+1
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-06-20Revert "Add old functionality back which was removed in commit 589a42e2."Wilco Baan Hofman1-15/+2
This reverts commit 94e3b4a0d8b714c101803886d60ae6c484740d2f. Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-06-20Add old functionality back which was removed in commit 589a42e2.Wilco Baan Hofman1-2/+15
Andrew, please review! Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-05-21s4:auth Remove un-needed headers.Andrew Bartlett1-2/+0
2010-05-20s4:auth Change auth_generate_session_info to take flagsAndrew Bartlett1-4/+3
This allows us to control what groups should be added in what use cases, and in particular to more carefully control the introduction of the 'authenticated' group. In particular, in the 'service_named_pipe' protocol, we do not have control over the addition of the authenticated users group, so we key of 'is this user the anonymous SID'. This also takes more care to allocate the right length ptoken->sids Andrew Bartlett
2010-05-20s4:auth Move BUILTIN group addition into session.cAndrew Bartlett1-5/+142
The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply. Andrew Bartlett
2010-04-14s4:auth Change auth_generate_session_info to take an auth contextAndrew Bartlett1-7/+6
The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and and loadparm context for calculating the local groups too, so re-use that infrustructure we already have in place. However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and an generate_session_info() function pointer in the struct auth_context. In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply . Andrew Bartlett
2010-04-11s4:auth Remove event context from anonymous_session()Andrew Bartlett1-112/+2
This should always return a simple structure with no need to consult a DB, so remove the event context, and simplfy to call helper functions that don't look at privilages. Andrew Bartlett
2009-01-21s4:auth: move make_server_info_netlogon_validation() function arroundStefan Metzmacher1-140/+0
metze
2008-12-29s4:lib/tevent: rename structsStefan Metzmacher1-3/+3
list="" list="$list event_context:tevent_context" list="$list fd_event:tevent_fd" list="$list timed_event:tevent_timer" for s in $list; do o=`echo $s | cut -d ':' -f1` n=`echo $s | cut -d ':' -f2` r=`git grep "struct $o" |cut -d ':' -f1 |sort -u` files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4` for f in $files; do cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp mv $f.tmp $f done done metze
2008-08-28Heimdal provides Kerberos PAC parsing routines. Use them.Andrew Bartlett1-0/+3
This uses Heimdal's PAC parsing code in the: - LOCAL-PAC test - gensec_gssapi server - KDC (where is was already used, the support code refactored from here) In addition, the service and KDC checksums are recorded in the struct auth_serversupplied_info, allowing them to be extracted for validation across NETLOGON. Andrew Bartlett (This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
2008-08-08Clarify commentAndrew Bartlett1-2/+2
(This used to be commit 719941e929ddb6fea011fcc0c8c6b91c26e586af)
2008-04-17Specify event_context to ldb_wrap_connect explicitly.Jelmer Vernooij1-2/+6
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
2008-04-02Install public header files again and include required prototypes.Jelmer Vernooij1-5/+6
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2007-12-21r26264: pass name resolve order explicitly, use torture context for settings ↵Jelmer Vernooij1-2/+3
in dssync tests. (This used to be commit c7eae1c7842f9ff8b70cce9e5d6f3ebbbe78e83b)
2007-12-21r26260: Store loadparm context in gensec context.Jelmer Vernooij1-2/+3
(This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081)
2007-12-21r26250: Avoid global_loadparm in a couple more places.Jelmer Vernooij1-4/+8
(This used to be commit 2c6b755309fdf685cd0b0564272bf83038574a43)
2007-12-21r26229: Set loadparm context as opaque pointer in ldb, remove more uses of ↵Jelmer Vernooij1-0/+1
global_loadparm. (This used to be commit 37d05fdc7b0e6b3211ba6ae56b1b5da30a6a392a)
2007-12-21r26127: Move session code out of auth_util.c. No longer making it part of ↵Jelmer Vernooij1-0/+328
auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)