path: root/auth
Commit message | Author | Age | Files | Lines
* Fix the O3 developer build | Volker Lendecke | 2015-03-03 | 1 | -2/+4

  Different gcc versions complain at different places

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Tue Mar 3 13:14:53 CET 2015 on sn-devel-104
* auth/credentials_krb5: fix memory leak in cli_credentials_failed_kerberos_login(). | Günther Deschner | 2015-01-26 | 1 | -0/+2

  Guenther

  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Mon Jan 26 19:56:57 CET 2015 on sn-devel-104
* auth/credentials: add cli_credentials_set_utf16_password() | Stefan Metzmacher | 2014-12-19 | 3 | -6/+65

  We need a way to initialize the cli_credentials from the raw utf16 blob, which might not be completely valid utf16, which means the conversion from CH_UTF16MUNGED to CH_UTF8 might lose information. This would result in an invalid nt_hash, when we convert back from CH_UTF8 to CH_UTF16LE.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: add support for SEC_CHAN_DNS_DOMAIN to schannel_update() | Stefan Metzmacher | 2014-12-19 | 1 | -17/+10

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: make sure we keep a DCERPC_AUTH_TYPE_SCHANNEL backend if required | Stefan Metzmacher | 2014-12-19 | 1 | -0/+8

  Even with CRED_MUST_USE_KERBEROS we should keep the DCERPC_AUTH_TYPE_SCHANNEL backend around, this can only be specified explicitly by the caller and cli_credentials_get_netlogon_creds() != NULL is the strong indication that the caller is using DCERPC_AUTH_TYPE_SCHANNEL *now*. With trusts against AD domain we can reliably use kerberos and netlogon secure channel for authentication.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* credentials test: Use samba.tests.subunitrun. | Jelmer Vernooij | 2014-11-22 | 1 | -20/+14

  Change-Id: I8970c66de9535cb8d48b17d88b2759b7d1e39cb8
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Remove unused imports. | Jelmer Vernooij | 2014-11-19 | 1 | -7/+1

  Change-Id: I8915f62206edb53ffc2d89434e46d9e71db8bb9a
  Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: add missing includes to auth/wbc_auth_util.c | Stefan Metzmacher | 2014-11-14 | 1 | -0/+2

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth/credentials: Ensure that we set the realm when reading secrets.tdb | Andrew Bartlett | 2014-10-17 | 1 | -0/+3

  Otherwise, we try and kinit as host$@DOMAIN and that will not work.

  Andrew Bartlett

  Change-Id: Id2fde673423e74dfa1e6ac48f47f49c61ee59779
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* credentials: Allow the secret.tdb handle to be passed in to cli_credentials_set_machine_account() | Andrew Bartlett | 2014-10-17 | 2 | -13/+64

  This adds a new wrapper, cli_credentials_set_machine_account_db_ctx()

  Andrew Bartlett

  Change-Id: Ia2cceefede4ba9cf7f8de41986daf9372c19d997
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* credentials: Improve error message on failure to set machine account password | Andrew Bartlett | 2014-10-17 | 1 | -4/+6

  Change-Id: I4136067d6d0e5cfe92770a2e7efa39f4ebcb2aca
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* credentials: Set secure_channel_type from secrets.tdb in cli_credentials_set_machine_account | Andrew Bartlett | 2014-10-17 | 1 | -0/+13

  This should ensure more parts of the source4 code can work with a password set in secrets.tdb.

  Andrew Bartlett

  Change-Id: I4a890a719246b073898333d2e04841904c6e1a5d
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* credentials: Allow the secrets.tdb password to be newer than the secrets.ldb password | Andrew Bartlett | 2014-09-27 | 1 | -0/+2

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth: gensec: asn1 fixes - check all returns. | Jeremy Allison | 2014-09-26 | 1 | -5/+6

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
* auth/credentials_krb5: silence a build warning. | Günther Deschner | 2014-08-08 | 1 | -0/+2

  Guenther

  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials-krb5: use get_kerberos_allowed_etypes(). | Günther Deschner | 2014-08-08 | 1 | -6/+5

  Guenther

  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd | Andrew Bartlett | 2014-07-04 | 1 | -1/+1

  This changes the auth code in winbindd to use this as a flag, and to therefore contact the RW DC.

  Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
* auth: Provide a way to use the auth stack for winbindd authentication | Andrew Bartlett | 2014-06-11 | 1 | -1/+5

  This adds in flags that allow winbindd to request authentication without directly calling into the auth_sam module. That in turn will allow winbindd to call auth_samba4 and so permit winbindd operation in the AD DC.

  Andrew Bartlett

  Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: avoid overwriting the auth_sam_reply.h header all the time. | Günther Deschner | 2014-05-12 | 2 | -1/+8

  Guenther

  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Günther Deschner <gd@samba.org>
  Autobuild-Date(master): Mon May 12 17:49:46 CEST 2014 on sn-devel-104
* kerberos: Remove un-used event context argument from smb_krb5_init_context() | Andrew Bartlett | 2014-04-28 | 1 | -1/+1

  The event context here was only specified in the server or admin-tool context, which does not do network communication, so this only caused a talloc_reference() and never any useful result. The actual network communication code sets an event context directly before making the network call.

  Andrew Bartlett

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
* gensec: add DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM backend | Andreas Schneider | 2014-04-24 | 2 | -0/+293

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth/gensec: use auth_ctx->generate_session_info() for schannel | Stefan Metzmacher | 2014-04-24 | 1 | -3/+46

  This way we generate a correct session info for the s3 rpc_server, including a unix token.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Move wbcAuthUserInfo_to_netr_SamInfo3 to the top level | Andrew Bartlett | 2014-04-18 | 2 | -1/+226

  This allows auth_winbind in source4 to use this more correct conversion routine.

  Andrew Bartlett

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth: Pass through error from GENSEC sub-mechanism | Andrew Bartlett | 2014-04-02 | 1 | -1/+1

  This allows wrong-password or account-locked-out errors to be passed through from Kerberos (gssapi).

  Andrew Bartlett

  Change-Id: I4bc11a1ad98dfbcc5a4ad9101cd843a7a59f0b59
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/kerberos: explicitly use allow_warnings=True | Stefan Metzmacher | 2014-04-02 | 1 | -0/+1

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/tests: add missing #include "torture/local/proto.h" | Stefan Metzmacher | 2014-04-02 | 1 | -0/+1

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec/spnego: map SPNEGO_REJECT to NT_STATUS_LOGON_FAILURE | Stefan Metzmacher | 2014-03-27 | 1 | -1/+1

  This is what NTLMSSP also gives.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Mar 27 02:34:36 CET 2014 on sn-devel-104
* auth/gensec: remove tevent_context argument from gensec_update() | Stefan Metzmacher | 2014-03-27 | 2 | -4/+3

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: make use of gensec_update_ev() in spnego.c | Stefan Metzmacher | 2014-03-27 | 1 | -8/+8

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: add a gensec_update_ev() function | Stefan Metzmacher | 2014-03-27 | 2 | -14/+27

  This is the current gensec_update() which takes an optional tevent_context structure and allows semi-async code. This is just a temporary solution on the way to kill the semi-async code completely, by using gensec_update_send/recv. By providing a gensec_update_ev(), we can remove the explicit tevent_context from gensec_update() and fix all the sane callers.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: fix gensec_update() with ev == NULL. | Stefan Metzmacher | 2014-03-27 | 1 | -0/+32

  In future we should remove the tevent_context argument from gensec_update() completely! If we have sane backends we should also remove the tevent_loop_allow_nesting() call again!

  t

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/kerberos: fix a typo. | Günther Deschner | 2014-03-12 | 1 | -1/+1

  Guenther

  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Remove a number of NT_STATUS_HAVE_NO_MEMORY_AND_FREE macros from the codebase. | Garming Sam | 2014-03-05 | 1 | -3/+12

  Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls.

  Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/gensec: only include "librpc/gen_ndr/dcerpc.h" | Stefan Metzmacher | 2014-02-13 | 2 | -2/+2

  We only need some DCERPC_ defines.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* dbwrap: add dbwrap_flags argument to dbwrap_local_open() | Michael Adam | 2014-02-07 | 1 | -1/+2

  To be consistent with db_open() and prepare for future possible extensions.

  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/gensec: implement GENSEC_FEATURE_SIGN_PKT_HEADER in schannel.c | Stefan Metzmacher | 2014-01-07 | 1 | -10/+46

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: move libcli/auth/schannel_sign.c into schannel.c | Stefan Metzmacher | 2014-01-07 | 1 | -0/+380

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/ntlmssp: GENSEC_FEATURE_SIGN_PKT_HEADER is always supported | Stefan Metzmacher | 2014-01-07 | 1 | -0/+4

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:credentials: avoid talloc_reference in cli_credentials_set_netlogon_creds() | Stefan Metzmacher | 2013-10-16 | 1 | -1/+5

  Typically cli_credentials_set_netlogon_creds() should be used directly before the DCERPC bind. And cli_credentials_get_netlogon_creds() should be only used by the gensec layer, which only needs a copy.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Oct 16 23:56:01 CEST 2013 on sn-devel-104
* auth: fix space/tab mixup in cli_credentials_get_password() | Michael Adam | 2013-09-20 | 1 | -2/+2

  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gensec: check for NULL gensec_security in gensec_security_by_auth_type(). | Günther Deschner | 2013-09-19 | 1 | -2/+4

  We have equivalent checks in other gensec_security_by_X calls already.

  Guenther

  Signed-off-by: Günther Deschner <gd@samba.org>
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* gensec: remove duplicate gensec_security_by_authtype() call. | Günther Deschner | 2013-09-19 | 1 | -27/+2

  We should use the equivalent gensec_security_by_auth_type() call which is exposed in the public header.

  Guenther

  Signed-off-by: Günther Deschner <gd@samba.org>
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* gensec: move schannel module to toplevel. | Günther Deschner | 2013-09-19 | 2 | -0/+338

  Guenther

  Signed-off-by: Günther Deschner <gd@samba.org>
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* Add SASL/EXTERNAL gensec module | Howard Chu | 2013-09-18 | 3 | -1/+91

  Signed-off-by: Howard Chu <hyc@symas.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
* Prepare for SASL/EXTERNAL support | Howard Chu | 2013-09-18 | 1 | -0/+8

  Signed-off-by: Howard Chu <hyc@symas.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
* auth/credentials: Add cli_credentials_{set,get}_forced_sasl_mech() | Andrew Bartlett | 2013-09-16 | 5 | -0/+60

  This will allow us to force the use of only DIGEST-MD5, for example, which is useful to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL.

  Andrew Bartlett

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
* gensec: Fix CID 1063258 Uninitialized scalar variable | Volker Lendecke | 2013-08-19 | 1 | -0/+1

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: make sure cli_credentials_get_nt_hash() always returns a talloc object | Stefan Metzmacher | 2013-08-12 | 2 | -7/+16

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: treat struct gensec_security_ops as const if possible. | Stefan Metzmacher | 2013-08-10 | 3 | -34/+40

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: use 'const char * const *' for function parameters | Stefan Metzmacher | 2013-08-10 | 3 | -3/+3

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>