path: root/auth
Commit message / Author / Age / Files / Lines
* auth-kerberos: avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute()  [Alexander Bokovoy, 2012-06-06, 1 file, -2/+18]
  gss_get_name_attribute() can return uninitialized pac_display_buffer and later gss_release_buffer() will crash on attempting to release it. The fix on MIT krb5 side is in 1.10.1, reported in both Debian and MIT upstream:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514
  http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087

  We need to initialize variables before using gss_get_name_attribute()

  Autobuild-User: Alexander Bokovoy <ab@samba.org>
  Autobuild-Date: Wed Jun 6 18:22:51 CEST 2012 on sn-devel-104
* auth/credentials: 'workgroup' set via command line will not drop existing ccache  [Alexander Bokovoy, 2012-05-24, 2 files, -13/+7]
  The root cause for existing ccache being invalidated was use of global loadparm with 'workgroup' value set as if from command line. However, we don't really need to take 'workgroup' parameter value's nature into account when invalidating existing ccache. When -U is used on the command line, one can specify a password to force ccache invalidation.

  The commit also reverts previous fix now that root cause is clear.
* gse: Use the smb_gss_oid_equal wrapper.  [Andreas Schneider, 2012-05-23, 1 file, -1/+1]
  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials  [Alexander Bokovoy, 2012-05-23, 1 file, -2/+12]
  When credentials API is used by a client-side program that already has fetched required tickets into a ccache, we need to skip re-initializing ccache. This is used in FreeIPA when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets already.
* auth and s4-rpc_server: Do not use features we currently can't implement with MIT Kerberos build  [Simo Sorce, 2012-05-23, 1 file, -1/+4]
* auth/gensec: implement gensec_spnego_expire_time()  [Stefan Metzmacher, 2012-05-17, 1 file, -0/+12]
  metze
* auth/gensec: add gensec_expire_time()  [Stefan Metzmacher, 2012-05-17, 2 files, -0/+12]
  metze
* s4-auth: Use smb_krb5_cc_get_lifetime() wrapper.  [Andreas Schneider, 2012-05-04, 1 file, -2/+2]
  Signed-off-by: Simo Sorce <idra@samba.org>
* lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into lib/replace/system/gssapi.h  [Alexander Bokovoy, 2012-04-25, 3 files, -1/+3]
  With waf build include directories are defined by dependencies specified to subsystems. Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds when there are no system-wide gssapi/gssapi.h available.

  Split out GSSAPI header includes in a separate replacement header and use that explicitly where needed.

  Autobuild-User: Alexander Bokovoy <ab@samba.org>
  Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
* Make krb5 wrapper library common so they can be used all over  [Simo Sorce, 2012-04-23, 4 files, -4/+56]
* srv_keytab: Pass krb5_context directly, it's all we use anyways.  [Simo Sorce, 2012-04-12, 1 file, -1/+2]
  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Move pac related util functions in a single place.  [Simo Sorce, 2012-04-12, 4 files, -11/+78]
  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Make functions static.  [Simo Sorce, 2012-04-12, 3 files, -100/+2]
  The remaining gssapi_parse functions were used exclusively in gensec_krb5. Move them there and make them static.

  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Use simpler method to extract keytype.  [Simo Sorce, 2012-04-12, 1 file, -19/+12]
  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Move oid packet check to gensec_util.  [Simo Sorce, 2012-04-12, 4 files, -21/+47]
  This is clearly a utility function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere.

  Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Remove dependency on credentials too.  [Simo Sorce, 2012-04-12, 1 file, -3/+6]
  Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Remove unneeded dependency on kerberos_util.  [Simo Sorce, 2012-04-12, 1 file, -3/+13]
  Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Move keytab functions in a separate file.  [Simo Sorce, 2012-04-12, 2 files, -2/+3]
  Confine ldb dependency.

  Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Move function into more appropriate header.  [Simo Sorce, 2012-04-12, 1 file, -8/+0]
  Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Make cli_credentials_invalidate_client_gss_creds static.  [Simo Sorce, 2012-04-12, 2 files, -2/+4]
  It's not used anywhere else.

  Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Make impersonate_principal_from_credentials static.  [Simo Sorce, 2012-04-12, 1 file, -6/+0]
  It's not used anywhere else.

  Signed-off-by: Andreas Schneider <asn@samba.org>
* gensec_gssapi: keep private header file close to the actual code  [Simo Sorce, 2012-04-12, 1 file, -70/+0]
  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth/gensec_gssapi: gss_krb5_lucid_context_v1_t is not shared with the gse code anymore  [Stefan Metzmacher, 2012-03-15, 1 file, -1/+1]
  metze

  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Thu Mar 15 09:16:16 CET 2012 on sn-devel-104
* auth/ntlmssp: Remove reference to struct ntlmssp_state  [Andrew Bartlett, 2012-03-09, 1 file, -6/+1]
* auth/ntlmssp: Remove gensec_security element from gensec_ntlmssp_state  [Andrew Bartlett, 2012-03-09, 4 files, -8/+5]
  This just means there is one less pointer to ensure we initialise.

  Andrew Bartlett
* auth/kerberos: Fall back to gsskrb5_get_subkey if we did not get the key type  [Andrew Bartlett, 2012-03-08, 1 file, -4/+23]
  The key type OID is optional, but we require that information to determine if we should use NEW_SPNEGO.

  Andrew Bartlett

  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Thu Mar 8 11:53:57 CET 2012 on sn-devel-104
* auth/kerberos: Ensure we do not print invalid memory in failure case  [Andrew Bartlett, 2012-03-08, 1 file, -4/+1]
  This codeblock may not have any set->elements, so we should not print them. Copy&paste in the original code.

  Andrew Bartlett
* auth: Remove pluggable password-check functions from gensec_ntlmssp  [Andrew Bartlett, 2012-02-24, 5 files, -228/+105]
  The auth4_context layer now provides the pluggability here.

  Andrew Bartlett
* auth: consolidate gensec_ntlmssp_server wrapper functions  [Andrew Bartlett, 2012-02-24, 2 files, -50/+18]
* s3-ntlm_auth: Convert ntlm_auth to use gensec_ntlmssp server-side  [Andrew Bartlett, 2012-02-24, 2 files, -0/+13]
  This uses the common gensec_ntlmssp server code for ntlm_auth, removing the last non-gensec use of the NTLMSSP server.

  Andrew Bartlett
* auth: Rename some elements of auth4_context  [Andrew Bartlett, 2012-02-24, 2 files, -17/+17]
  These operate on NTLM authentication, so make that clear.

  Andrew Bartlett
* auth: Reorder arguments to generate_session_info  [Andrew Bartlett, 2012-02-18, 2 files, -3/+3]
  This matches check_ntlm_password() and generate_session_info_pac()

  Andrew Bartlett

  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
* auth: Allow the netbios name and domain to be set from winbindd in ntlm_auth3  [Andrew Bartlett, 2012-02-17, 2 files, -2/+13]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>

  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Fri Feb 17 12:18:51 CET 2012 on sn-devel-104
* auth: Make more of the ntlmssp code private or static  [Andrew Bartlett, 2012-02-17, 3 files, -96/+64]
  Now that there is only one gensec_ntlmssp server, some of these functions can be static

  For the rest, put the implementation of the gensec_ntlmssp code into ntlmssp_private.h

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth: Provide a way to specify the NTLMSSP server name to GENSEC  [Andrew Bartlett, 2012-02-17, 2 files, -17/+40]
  This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller knows better. This will allow preservation of current s3 behaviour.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth: Rearrange ntlmssp code for clarity  [Andrew Bartlett, 2012-02-17, 1 file, -9/+8]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth: Set NTLMSSP_NEGOTIATE_SIGN when session key support is required  [Andrew Bartlett, 2012-02-17, 1 file, -0/+3]
  This matches the s3 NTLMSSP server.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth Use the common gensec_ntlmssp_update in gensec_ntlmssp3_server  [Andrew Bartlett, 2012-02-17, 2 files, -4/+11]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth: Use common gensec_ntlmssp server functions for more of gensec_ntlmssp3_server  [Andrew Bartlett, 2012-02-17, 2 files, -7/+47]
  This is possible because we now supply the auth4_context abstraction that this code is looking for.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth: Add extra error messages on authentication or authorization failure  [Andrew Bartlett, 2012-02-17, 1 file, -0/+4]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth: Cope with NO_USER_SESSION_KEY from security=server  [Andrew Bartlett, 2012-02-17, 1 file, -2/+8]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth: Move the rest of the source4 gensec_ntlmssp code to the top level  [Andrew Bartlett, 2012-02-17, 6 files, -2/+1099]
  The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-auth Hook checking passwords and generating session_info via the auth4_context  [Andrew Bartlett, 2012-02-17, 1 file, -3/+0]
  This avoids creating a second auth_context, as it is a private pointer in the auth4_context that has already been passed in, and makes the gensec_ntlmssp code agnostic to the type of authentication backend behind it. This will in turn allow the ntlmssp server code to be further merged.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth/kerberos: Move gse_get_session_key() to common code and use in gensec_gssapi  [Andrew Bartlett, 2012-02-17, 1 file, -0/+113]
  This ensures that both code bases use the same logic to determine the use of NEW_SPNEGO.

  Andrew Bartlett
* auth: Pass in the SMB username (for %U) into generate_session_info  [Andrew Bartlett, 2012-02-13, 1 file, -0/+1]
  This matches what Samba3 does.

  Andrew Bartlett

  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Mon Feb 13 01:25:59 CET 2012 on sn-devel-104
* gensec: explain gensec_use_kerberos_mechs() logic  [Andrew Bartlett, 2012-02-10, 1 file, -1/+16]
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Fri Feb 10 12:36:23 CET 2012 on sn-devel-104
* gensec: set flag to continue in outer for loop in gensec_use_kerberos_mechs  [Andrew Bartlett, 2012-02-10, 1 file, -1/+5]
  This should be the correct fix for the valgrind error Volker found in 744ed53a62037a659133ccd4de2065491208ae7d. This fix avoids putting SPNEGO into the list twice when we are in the CRED_DONT_USE_KERBEROS case.

  Andrew Bartlett
* Revert "gensec: Fix a memory corruption in gensec_use_kerberos_mechs"  [Andrew Bartlett, 2012-02-10, 1 file, -2/+1]
  This reverts commit 744ed53a62037a659133ccd4de2065491208ae7d. The real bug here is that the second half of the outer loop should not have been run once we found spnego.

  Andrew Bartlett
* credentials: Show returned error_string in debug message  [Andrew Bartlett, 2012-02-10, 1 file, -2/+2]
* gensec: Fix a memory corruption in gensec_use_kerberos_mechs  [Volker Lendecke, 2012-02-09, 1 file, -1/+2]
  Without this I get the following valgrind error:

  ==27740== Invalid write of size 8
  ==27740==    at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112)
  ==27740==    by 0x62C623: gensec_security_mechs (gensec_start.c:141)
  ==27740==    by 0x62C777: gensec_security_by_oid (gensec_start.c:181)
  ==27740==    by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735)
  ==27740==    by 0x50D6FD: negprot_spnego (negprot.c:210)
  ==27740==    by 0x5B0DEA: smbd_smb2_request_process_negprot (smb2_negprot.c:209)
  ==27740==    by 0x5AD036: smbd_smb2_request_dispatch (smb2_server.c:1417)
  ==27740==    by 0x5AFB77: smbd_smb2_first_negprot (smb2_server.c:2643)
  ==27740==    by 0x585C00: process_smb (process.c:1641)
  ==27740==    by 0x587F78: smbd_server_connection_read_handler (process.c:2314)
  ==27740==    by 0x587FD6: smbd_server_connection_handler (process.c:2331)
  ==27740==    by 0x99E05B: run_events_poll (events.c:286)
  ==27740==    by 0x584AFF: smbd_server_connection_loop_once (process.c:984)
  ==27740==    by 0x58B2D9: smbd_process (process.c:3389)
  ==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
  ==27740==    by 0x99E05B: run_events_poll (events.c:286)
  ==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
  ==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
  ==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
  ==27740==    by 0xDE6DD8: main (server.c:1413)
  ==27740==  Address 0x9ff3538 is 4,232 bytes inside a block of size 8,288 alloc'd
  ==27740==    at 0x4C261D7: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==27740==    by 0x6926965: __talloc (talloc.c:560)
  ==27740==    by 0x6926771: talloc_pool (talloc.c:598)
  ==27740==    by 0x93B927: talloc_stackframe_internal (talloc_stack.c:145)
  ==27740==    by 0x93B9D6: talloc_stackframe_pool (talloc_stack.c:171)
  ==27740==    by 0x58B2B7: smbd_process (process.c:3385)
  ==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
  ==27740==    by 0x99E05B: run_events_poll (events.c:286)
  ==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
  ==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
  ==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
  ==27740==    by 0xDE6DD8: main (server.c:1413)

  In the for-loop we can increment j twice, so we need twice as many output array elements as input array elements.

  Autobuild-User: Volker Lendecke <vl@samba.org>
  Autobuild-Date: Thu Feb 9 19:44:47 CET 2012 on sn-devel-104