samba.git/source3/auth, branch v3-5-test Unnamed repository; edit this file 'description' to name the repository. Fix bug #9100 - winbind doesn't return "Domain Local" groups from own domain. 2012-08-23T18:26:01+00:00 Goldberg, Neil R ngoldber@mitre.org 2012-08-17T20:52:07+00:00 38444389c39d5c5adca1c9f300bded47407fd0b5 Back-port of fix for 3.6.x from bug #9052. 
Back-port of fix for 3.6.x from bug #9052.
Fix bug 8314] - smbd crash with unknown user. 2012-03-24T16:26:24+00:00 Jeremy Allison jra@samba.org 2011-07-22T23:40:54+00:00 c352832e2fadf1207cadef525bf21068f1d1ee1b All other auth modules code with being called with auth_method->private_data being NULL, make the auth_server module cope with this too. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Sat Jul 23 02:55:01 CEST 2011 on sn-devel-104 (cherry picked from commit 1832c9591099be941ef3afe7b0381c4af61f4728) 
All other auth modules code with being called with
auth_method->private_data being NULL, make the auth_server
module cope with this too.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Jul 23 02:55:01 CEST 2011 on sn-devel-104
(cherry picked from commit 1832c9591099be941ef3afe7b0381c4af61f4728)
s3-winbindd: let winbind try to use samlogon validation level 6. (bug #7945) 2011-02-09T19:59:20+00:00 Günther Deschner gd@samba.org 2011-01-07T16:28:29+00:00 a5b388fc5ea81868f09590e8b7674826315c348c The benefit of this that it makes us more robust to secure channel resets triggered from tools outside the winbind process. Long term we need to have a shared tdb secure channel store though as well. Guenther Signed-off-by: Stefan Metzmacher <metze@samba.org> (similar to commit f60398d7b20869d7b09d81854f3727fdcd897430) (similar to commit 7add712498fe93603b1bffff2c633e097ce8fbdf) 
The benefit of this that it makes us more robust to secure channel resets
triggered from tools outside the winbind process. Long term we need to have a
shared tdb secure channel store though as well.

Guenther

Signed-off-by: Stefan Metzmacher <metze@samba.org>

(similar to commit f60398d7b20869d7b09d81854f3727fdcd897430)
(similar to commit 7add712498fe93603b1bffff2c633e097ce8fbdf)
s3: Fix bug 7066 -- wbcAuthenticateEx gives unix times 2010-12-31T19:11:53+00:00 Volker Lendecke vl@samba.org 2010-12-18T15:02:09+00:00 993923880e213136de89b5b8d59f6f32a51b94b7 We might eventually want to change this, but right now we get unix times out of the winbind pipe struct 
We might eventually want to change this, but right now we get unix times
out of the winbind pipe struct
s3: Fix "force group" with ntlmssp guest session setup 2010-11-28T18:52:17+00:00 Volker Lendecke vl@samba.org 2010-11-13T17:03:25+00:00 56b1082fe436e1f99a87d3e37d9ea8b017353b39 This one is subtle: Set "force group = <somegroup>" together with "guest ok = yes". Then try "smbclient //server/share -U%". Works. Then try to connect to the same share from Windows 2003 using an anonymous connection. Breaks with make_connection: connection to share denied due to security descriptor although the share_info.tdb is empty. I've seen reports of this on the lists, but I could never ever nail it until a customer gave me access to such a box. What happens? With an empty share_info.tdb we create a security descriptor allow everything to the world. The problem with the above parameter combination is that S-1-1-0 (World) is lost in the token. When you look at the callers of create_local_token, they are only called if the preceding check_ntlm_password did not create server_info->ptok. Not so with the one in auth_ntlmssp.c. So, if we get a NTLMSSP session setup with user="", domain="", pass="" we call create_local_token even though check_guest_security() via make_server_info_guest() has already correctly done so. In this case create_local_token puts S-1-1-0 into user_sids[1], which is supposed to be the primary group sid of the user logging in. "force group" then overwrites this -> the world is gone -> "denied due to security descriptor". Why don't you see it with smbclient -U% (anonymous connection)? smbclient does not use ntlmssp for anon session setup. This seems not to happen to 3.6. Volker Fix bug #7817 ("force group" broken). 
This one is subtle: Set "force group = <somegroup>" together with "guest ok =
yes". Then try "smbclient //server/share -U%". Works. Then try to connect to
the same share from Windows 2003 using an anonymous connection. Breaks with

make_connection: connection to share denied due to security descriptor

although the share_info.tdb is empty. I've seen reports of this on the lists,
but I could never ever nail it until a customer gave me access to such a box.

What happens? With an empty share_info.tdb we create a security descriptor
allow everything to the world. The problem with the above parameter combination
is that S-1-1-0 (World) is lost in the token. When you look at the callers of
create_local_token, they are only called if the preceding check_ntlm_password
did not create server_info->ptok. Not so with the one in auth_ntlmssp.c. So, if
we get a NTLMSSP session setup with user="", domain="", pass="" we call
create_local_token even though check_guest_security() via
make_server_info_guest() has already correctly done so. In this case
create_local_token puts S-1-1-0 into user_sids[1], which is supposed to be the
primary group sid of the user logging in. "force group" then overwrites this ->
the world is gone -> "denied due to security descriptor".

Why don't you see it with smbclient -U% (anonymous connection)? smbclient does
not use ntlmssp for anon session setup.

This seems not to happen to 3.6.

Volker

Fix bug #7817 ("force group" broken).
Fix bug #7743 - Inconsistent use of system name lookup can cause a domain joined machine to fail to find users. 2010-11-11T11:10:56+00:00 Jeremy Allison jra@samba.org 2010-10-20T18:22:57+00:00 6e9d95f753b2b127268f1eb9a40d601002484bd1 Ensure all username lookups go through Get_Pwnam_alloc(), which is the correct wrapper function. We were using it *some* of the time anyway, so this just makes us properly consistent. Jeremy. 
Ensure all username lookups go through Get_Pwnam_alloc(), which is the
correct wrapper function. We were using it *some* of the time anyway,
so this just makes us properly consistent.

Jeremy.
s3-auth: in make_user_info_for_reply_enc make sure to check length and data pointer of nt and lm hash. 2010-06-16T14:12:00+00:00 Günther Deschner gd@samba.org 2010-06-16T12:18:45+00:00 a95df865d474b0ba59ad95dcb8c20c923c66f4ba This fixes kernel cifs client with sec=ntlmv2. Guenther (cherry picked from commit b4364add896d1657263a66c55d867d28bf5ceb1b) Fix bug #7517 (session setup from linux kernel cifs client fails with sec=ntlmv2). 
This fixes kernel cifs client with sec=ntlmv2.

Guenther
(cherry picked from commit b4364add896d1657263a66c55d867d28bf5ceb1b)

Fix bug #7517 (session setup from linux kernel cifs client fails with
sec=ntlmv2).
Fix bug #7448 - smbd crash when sambaLMPassword and sambaNTPassword entries missing from ldap. 2010-05-25T15:23:37+00:00 Roel van Meer rolek@bokxing.nl 2010-05-21T21:17:17+00:00 4c5a1b6b17b5575ea943eaf0472453222579365a Protect SMBsesskeygen_ntv1() from a NULL pointer. 
Protect SMBsesskeygen_ntv1() from a NULL pointer.
s3:auth: fix account unlock regression introduced with fix for bug #4347 2010-01-25T11:47:12+00:00 Michael Adam obnox@samba.org 2010-01-14T13:24:35+00:00 5eb9b66de0fd0adc59339a944f02f5fe25868568 By an oversight, the patchset for #4347 made the unlocking of a locked account after the lockout duration ineffective. Thanks to Björn for finding this! Michael 
By an oversight, the patchset for #4347 made the unlocking of a locked
account after the lockout duration ineffective.
Thanks to Björn for finding this!

Michael
s3:auth: don't update the bad pw count if pw is among last 2 history entries 2010-01-25T11:46:55+00:00 Michael Adam obnox@samba.org 2010-01-06T16:29:04+00:00 fcadc524779a50ee379fb4feb02448944dc174dc This conforms to the behaviour of Windows 2003: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx This is supposed to fixes Bug #4347 . Michael 
This conforms to the behaviour of Windows 2003:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

This is supposed to fixes Bug #4347 .

Michael