samba.git/auth/gensec, branch master Unnamed repository; edit this file 'description' to name the repository. auth/gensec: add support for SEC_CHAN_DNS_DOMAIN to schannel_update() 2014-12-19T12:15:13+00:00 Stefan Metzmacher metze@samba.org 2014-12-16T21:49:05+00:00 153938a1f2a06fec5b2f7daef12200a504fb92f4 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/gensec: make sure we keep a DCERPC_AUTH_TYPE_SCHANNEL backend if required 2014-12-19T12:15:13+00:00 Stefan Metzmacher metze@samba.org 2014-12-17T18:42:55+00:00 6ec32d7e127d48c708a53850ad99079fac0dad8e Even with CRED_MUST_USE_KERBEROS we should keep the DCERPC_AUTH_TYPE_SCHANNEL backend arround, this can only be specified explicitely by the caller and cli_credentials_get_netlogon_creds() != NULL is the strong indication that the caller is using DCERPC_AUTH_TYPE_SCHANNEL *now*. With trusts against AD domain we can reliable use kerberos and netlogon secure channel for authentication. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Even with CRED_MUST_USE_KERBEROS we should keep the DCERPC_AUTH_TYPE_SCHANNEL
backend arround, this can only be specified explicitely by the caller
and cli_credentials_get_netlogon_creds() != NULL is the strong indication
that the caller is using DCERPC_AUTH_TYPE_SCHANNEL *now*.

With trusts against AD domain we can reliable use kerberos and netlogon
secure channel for authentication.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth: gensec: asn1 fixes - check all returns. 2014-09-25T22:51:16+00:00 Jeremy Allison jra@samba.org 2014-09-19T19:41:22+00:00 4dba8fd59982e5459c4275aaf434f6d564fcf79d Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com> 
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
gensec: add DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM backend 2014-04-24T09:21:05+00:00 Andreas Schneider asn@samba.org 2014-04-16T13:21:40+00:00 788f72f8ebf8e300237cae3c4863586e38301a62 Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> 
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
auth/gensec: use auth_ctx->generate_session_info() for schannel 2014-04-24T09:21:05+00:00 Stefan Metzmacher metze@samba.org 2014-04-23T16:59:52+00:00 fc59cc31024598599a2f1c9d73b8fa43a408ced2 This way we generate a correct session info for the s3 rpc_server, including a unix token. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
This way we generate a correct session info for the s3 rpc_server,
including a unix token.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
auth: Pass though error from GENSEC sub-mechanism 2014-04-02T15:12:45+00:00 Andrew Bartlett abartlet@samba.org 2013-11-25T01:08:38+00:00 c3baddf271b9d09819aff4ce05314f940c6f1e4d This allows wrong-password or account-locked-out errors to be passed though from Kerberos (gssapi). Andrew Bartlett Change-Id: I4bc11a1ad98dfbcc5a4ad9101cd843a7a59f0b59 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
This allows wrong-password or account-locked-out errors to be passed
though from Kerberos (gssapi).

Andrew Bartlett

Change-Id: I4bc11a1ad98dfbcc5a4ad9101cd843a7a59f0b59
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
auth/gensec/spnego: map SPNEGO_REJECT to NT_STATUS_LOGON_FAILURE 2014-03-27T01:34:36+00:00 Stefan Metzmacher metze@samba.org 2013-08-28T04:49:26+00:00 01c029993c7111dc3287118f69184c399b4aaace This is what NTLMSSP also gives. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Mar 27 02:34:36 CET 2014 on sn-devel-104 
This is what NTLMSSP also gives.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 27 02:34:36 CET 2014 on sn-devel-104
auth/gensec: remove tevent_context argument from gensec_update() 2014-03-26T23:36:32+00:00 Stefan Metzmacher metze@samba.org 2013-12-13T18:56:13+00:00 2103c373b44871810197fa8e423f55a659a8b89d Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/gensec: make use of gensec_update_ev() in spnego.c 2014-03-26T23:36:31+00:00 Stefan Metzmacher metze@samba.org 2013-12-13T19:05:11+00:00 b2b239a854110893669d4802b2cc2e52327dac1c Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/gensec: add a gensec_update_ev() function 2014-03-26T23:36:31+00:00 Stefan Metzmacher metze@samba.org 2013-12-13T18:18:48+00:00 79f5275db2c1acd5adaee187c3953fbc5e2aff6c This is the current gensec_update() which takes an optional tevent_context structure and allows semi-async code. This is just a temporary solution on the way to kill the semi-async code completely, by using gensec_update_send/recv. By providing a gensec_update_ev(), we can remove the explicit tevent_context from gensec_update() and fix all the sane callers. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This is the current gensec_update() which takes an optional
tevent_context structure and allows semi-async code.

This is just a temporary solution on the way to kill
the semi-async code completely, by using gensec_update_send/recv.

By providing a gensec_update_ev(), we can remove the explicit
tevent_context from gensec_update() and fix all the sane callers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>