samba.git/source4/auth, branch talloc-2.3.4 Unnamed repository; edit this file 'description' to name the repository. s4-auth: Remove last traces of LanMan authentiation support in the AD DC. 2022-03-29T03:32:57+00:00 Andrew Bartlett abartlet@samba.org 2022-03-24T23:18:01+00:00 d7a91a855c7edfb0e09c93cbe4c56df0437fa467 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Mar 29 03:32:57 UTC 2022 on sn-devel-184 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 29 03:32:57 UTC 2022 on sn-devel-184
s4-auth: Only build auth_developer module in developer mode 2022-03-29T02:33:34+00:00 Andrew Bartlett abartlet@samba.org 2022-03-23T02:10:23+00:00 86f7e4e69059e77c35f451919365685d909024af This is a silly module for provoking NTSTATUS replies for testing and was useful many moons ago for determining the NTSTATUS -> DOS table that windows uses. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
This is a silly module for provoking NTSTATUS replies for testing and
was useful many moons ago for determining the NTSTATUS -> DOS table that
windows uses.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
s4-auth: Do not trigger RODC replication unless missing all passwords 2022-03-29T02:33:34+00:00 Andrew Bartlett abartlet@samba.org 2022-03-16T03:27:54+00:00 360bb864e9a958c395f841bdc8caf866f8dcb0e0 With the NT hash becoming optional we cannot make blind assumptions that a missing value means we are on an RODC needing the password replicated. Instead, check for supplementalCredentials as well. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
With the NT hash becoming optional we cannot make blind assumptions that
a missing value means we are on an RODC needing the password replicated.

Instead, check for supplementalCredentials as well.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
s4-auth: Remove unused acct_flags parameter 2022-03-29T02:33:34+00:00 Andrew Bartlett abartlet@samba.org 2022-03-16T02:19:54+00:00 1884bc11f0115078113253d48be684c32cb3c5f9 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
s4:auth: Disable NTLM authentication for Protected Users 2022-03-18T11:55:30+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-02-01T08:08:44+00:00 16a7ce0cdfb8acba782436066cc8383900ef7e93 We also move the authentication to after checking whether the user is protected, so that if a user in the Protected Users group tries to authenticate with a wrong password, the bag password count is not incremented and the account is not locked out. This does not match MS-APDS, but matches the behaviour of Windows. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
We also move the authentication to after checking whether the user is
protected, so that if a user in the Protected Users group tries to
authenticate with a wrong password, the bag password count is not
incremented and the account is not locked out. This does not match
MS-APDS, but matches the behaviour of Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
dsdb: Remove parsing of LM password hash from "dBCSPwd" attribute 2022-03-17T01:57:38+00:00 Andrew Bartlett abartlet@samba.org 2022-02-10T05:58:52+00:00 f161e3f18f07595208454dea8675553d27dd1183 This means Samba will essentially ignore this attribute, not even attempting to read it from the AD DC sam.ldb Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
This means Samba will essentially ignore this attribute, not even attempting
to read it from the AD DC sam.ldb

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
s4-auth: Do not supply the LM hash to the AD DC authentication code 2022-03-17T01:57:38+00:00 Andrew Bartlett abartlet@samba.org 2022-02-10T05:19:50+00:00 6aaa12456308204a659e3dce2b9049f00d55244a This still passes in the value in the LM field for checking in case it is an NT response or LMv2. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
This still passes in the value in the LM field for checking
in case it is an NT response or LMv2.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
s4-auth: Disable LM authenticaton in the AD DC despite "lanman auth = yes" 2022-03-17T01:57:38+00:00 Andrew Bartlett abartlet@samba.org 2022-02-10T05:15:58+00:00 2dbc8b98435bd2dde93830a0aaa07053eda75bc6 LM authentication is very weak and a very bad idea, so has been deprecated since Samba 4.11. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
LM authentication is very weak and a very bad idea, so has been deprecated since
Samba 4.11.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names 2022-03-10T04:10:54+00:00 Stefan Metzmacher metze@samba.org 2022-03-03T10:10:00+00:00 40f2070d3b2b1b13cc08f7844bfe4945e9f0cd86 authenticate_ldap_simple_bind*() needs to pass the result of the cracknames operation into the auth stack as user_info->client.{account,domain}_name, because user_info->client.{account,domain}_name is also used when forwarding the request via netrLogonSamLogon* to a remote server, for exactly that the values are also used in order to map a AUTH_PASSWORD_PLAIN into AUTH_PASSWORD_RESPONSE, where the NTLMv2 response contains the account and domain names passed in the netr_IdentityInfo value. Otherwise it would not be possible to forward the LDAP simple bind authentication request to a remote DC. Currently this only applies to an RODC that forwards the request to an RWDC. But note that LDAP simple binds (as on Windows) only work for users in the DCs forest, as the DsCrackNames need to work and it can't work for users of remote forests. I tested that in a DC of a forest root domain, if rejected the LDAP simple bind against a different forest, but allowed it for a users of a child domain in the same forest. The NTLMSSP bind worked in both cases. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Mar 10 04:10:54 UTC 2022 on sn-devel-184 
authenticate_ldap_simple_bind*() needs to pass the
result of the cracknames operation into the auth stack
as user_info->client.{account,domain}_name, because
user_info->client.{account,domain}_name is also used
when forwarding the request via netrLogonSamLogon*
to a remote server, for exactly that the values are
also used in order to map a AUTH_PASSWORD_PLAIN into
AUTH_PASSWORD_RESPONSE, where the NTLMv2 response
contains the account and domain names passed in the
netr_IdentityInfo value.

Otherwise it would not be possible to forward the
LDAP simple bind authentication request to a remote
DC.

Currently this only applies to an RODC that forwards
the request to an RWDC.

But note that LDAP simple binds (as on Windows) only
work for users in the DCs forest, as the DsCrackNames
need to work and it can't work for users of remote
forests. I tested that in a DC of a forest root domain,
if rejected the LDAP simple bind against a different forest,
but allowed it for a users of a child domain in the
same forest. The NTLMSSP bind worked in both cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 10 04:10:54 UTC 2022 on sn-devel-184
s4:auth: rename user_info->mapped_state to user_info->cracknames_called 2022-03-10T03:16:35+00:00 Stefan Metzmacher metze@samba.org 2022-03-03T10:10:00+00:00 427125d182252d8aee3dd906ee34a909cdbb8ef3 This makes it much clearer what it is used for and it is a special hack for authenticate_ldap_simple_bind_send() in order to avoid some additional work in authsam_check_password_internals(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This makes it much clearer what it is used for and
it is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in
authsam_check_password_internals().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>