summaryrefslogtreecommitdiffstats
path: root/auth
Commit message (Collapse)AuthorAgeFilesLines
* s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbinddAndrew Bartlett2014-07-041-1/+1
| | | | | | | | | This changes the auth code in winbindd to use this as a flag, and to therefore contact the RW DC. Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
* auth: Provide a way to use the auth stack for winbindd authenticationAndrew Bartlett2014-06-111-1/+5
| | | | | | | | | | | | | | This adds in flags that allow winbindd to request authentication without directly calling into the auth_sam module. That in turn will allow winbindd to call auth_samba4 and so permit winbindd operation in the AD DC. Andrew Bartlett Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: avoid overwriting the auth_sam_reply.h header all the time.Günther Deschner2014-05-122-1/+8
| | | | | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Mon May 12 17:49:46 CEST 2014 on sn-devel-104
* kerberos: Remove un-used event context argument from smb_krb5_init_context()Andrew Bartlett2014-04-281-1/+1
| | | | | | | | | | | | | | | | | The event context here was only specified in the server or admin-tool context, which does not do network communication, so this only caused a talloc_reference() and never any useful result. The actual network communication code sets an event context directly before making the network call. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
* gensec: add DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM backendAndreas Schneider2014-04-242-0/+293
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth/gensec: use auth_ctx->generate_session_info() for schannelStefan Metzmacher2014-04-241-3/+46
| | | | | | | | This way we generate a correct session info for the s3 rpc_server, including a unix token. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Move wbcAuthUserInfo_to_netr_SamInfo3 to the top levelAndrew Bartlett2014-04-182-1/+226
| | | | | | | | | This allows auth_winbind in source4 to use this more correct conversion routine. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth: Pass though error from GENSEC sub-mechanismAndrew Bartlett2014-04-021-1/+1
| | | | | | | | | | | This allows wrong-password or account-locked-out errors to be passed though from Kerberos (gssapi). Andrew Bartlett Change-Id: I4bc11a1ad98dfbcc5a4ad9101cd843a7a59f0b59 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/kerberos: explicitly use allow_warnings=TrueStefan Metzmacher2014-04-021-0/+1
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/tests: add missing #include "torture/local/proto.h"Stefan Metzmacher2014-04-021-0/+1
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec/spnego: map SPNEGO_REJECT to NT_STATUS_LOGON_FAILUREStefan Metzmacher2014-03-271-1/+1
| | | | | | | | | | This is what NTLMSSP also gives. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Mar 27 02:34:36 CET 2014 on sn-devel-104
* auth/gensec: remove tevent_context argument from gensec_update()Stefan Metzmacher2014-03-272-4/+3
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: make use of gensec_update_ev() in spnego.cStefan Metzmacher2014-03-271-8/+8
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: add a gensec_update_ev() functionStefan Metzmacher2014-03-272-14/+27
| | | | | | | | | | | | | | This is the current gensec_update() which takes an optional tevent_context structure and allows semi-async code. This is just a temporary solution on the way to kill the semi-async code completely, by using gensec_update_send/recv. By providing a gensec_update_ev(), we can remove the explicit tevent_context from gensec_update() and fix all the sane callers. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: fix gensec_update() with ev == NULL.Stefan Metzmacher2014-03-271-0/+32
| | | | | | | | | | | In future we should remove the tevent_context argument from gensec_update() completely! If we have sane backends we should also remove the tevent_loop_allow_nesting() call again! t Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/kerberos: fix a typo.Günther Deschner2014-03-121-1/+1
| | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* Remove a number of NT_STATUS_HAVE_NO_MEMORY_AND_FREE macros from the codebase.Garming Sam2014-03-051-3/+12
| | | | | | | | | | | Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls. Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/gensec: only include "librpc/gen_ndr/dcerpc.h"Stefan Metzmacher2014-02-132-2/+2
| | | | | | | We only need some DCERPC_ defines. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
* dbwrap: add dbwrap_flags argument to dbwrap_local_open()Michael Adam2014-02-071-1/+2
| | | | | | | | To be consistent with db_open() and prepare for future possible extensions. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/gensec: implement GENSEC_FEATURE_SIGN_PKT_HEADER in schannel.cStefan Metzmacher2014-01-071-10/+46
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: move libcli/auth/schannel_sign.c into schannel.cStefan Metzmacher2014-01-071-0/+380
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/ntlmssp: GENSEC_FEATURE_SIGN_PKT_HEADER is always supportedStefan Metzmacher2014-01-071-0/+4
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:credentials: avoid talloc_reference in cli_credentials_set_netlogon_creds()Stefan Metzmacher2013-10-161-1/+5
| | | | | | | | | | | | | Typically cli_credentials_set_netlogon_creds() should be used directly before the DCERPC bind. And cli_credentials_get_netlogon_creds() should be only used by the gensec layer, which only needs a copy. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Oct 16 23:56:01 CEST 2013 on sn-devel-104
* auth: fix space/tab mixup in cli_credentials_get_password()Michael Adam2013-09-201-2/+2
| | | | | Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* gensec: check for NULL gensec_security in gensec_security_by_auth_type().Günther Deschner2013-09-191-2/+4
| | | | | | | | | | We have equivalent checks in other gensec_security_by_X calls already. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Pair-Programmed-With: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* gensec: remove duplicate gensec_security_by_authtype() call.Günther Deschner2013-09-191-27/+2
| | | | | | | | | | | We should use the equivalent gensec_security_by_auth_type() call which is exposed in the public header. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Pair-Programmed-With: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* gensec: move schannel module to toplevel.Günther Deschner2013-09-192-0/+338
| | | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Pair-Programmed-With: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* Add SASL/EXTERNAL gensec moduleHoward Chu2013-09-183-1/+91
| | | | | | Signed-off-by: Howard Chu <hyc@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
* Prepare for SASL/EXTERNAL supportHoward Chu2013-09-181-0/+8
| | | | | | Signed-off-by: Howard Chu <hyc@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
* auth/credentials: Add cli_credentials_{set,get}_forced_sasl_mech()Andrew Bartlett2013-09-165-0/+60
| | | | | | | | | | This will allow us to force the use of only DIGEST-MD5, for example, which is useful to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
* gensec: Fix CID 1063258 Uninitialized scalar variableVolker Lendecke2013-08-191-0/+1
| | | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: make sure cli_credentials_get_nt_hash() always returns a ↵Stefan Metzmacher2013-08-122-7/+16
| | | | | | | | talloc object Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: treat struct gensec_security_ops as const if possible.Stefan Metzmacher2013-08-103-34/+40
| | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: use 'const char * const *' for function parametersStefan Metzmacher2013-08-103-3/+3
| | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: make it possible to implement async backendsStefan Metzmacher2013-08-102-49/+160
| | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: avoid talloc_reference in gensec_security_mechs()Stefan Metzmacher2013-08-101-18/+9
| | | | | | | | We now always copy. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: avoid talloc_reference in gensec_use_kerberos_mechs()Stefan Metzmacher2013-08-101-18/+20
| | | | | | | | We now always copy. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: introduce gensec_internal.hStefan Metzmacher2013-08-1011-96/+140
| | | | | | | | | | We should treat most gensec related structures private. It's a long way, but this is a start. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: add gensec_security_by_auth_type()Stefan Metzmacher2013-08-102-0/+29
| | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: first check GENSEC_FEATURE_SESSION_KEY before returning ↵Stefan Metzmacher2013-08-101-3/+4
| | | | | | | | | | NOT_IMPLEMENTED Preferr NT_STATUS_NO_USER_SESSION_KEY as return value of gensec_session_key(). Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: use CRED_CALLBACK_RESULT after a callbackStefan Metzmacher2013-08-051-11/+23
| | | | | | | | | | | | We only do this if it's still CRED_CALLBACK after the callback, this allowes the callback to overwrite it. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Aug 5 09:36:05 CEST 2013 on sn-devel-104
* auth/credentials: simplify password_tries stateStefan Metzmacher2013-08-052-6/+15
| | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: get the old password from secrets.tdbStefan Metzmacher2013-08-051-0/+11
| | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: keep cli_credentials privateStefan Metzmacher2013-08-056-93/+126
| | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: add cli_credentials_shallow_copy()Stefan Metzmacher2013-08-052-0/+18
| | | | | | | | This is useful for testing. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: add cli_credentials_[set_]callback_data*Stefan Metzmacher2013-08-052-0/+19
| | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: remove pointless talloc_reference() from ↵Stefan Metzmacher2013-08-051-1/+1
| | | | | | | | cli_credentials_get_principal_and_obtained() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: remove pointless talloc_reference() from ↵Stefan Metzmacher2013-08-051-1/+1
| | | | | | | | cli_credentials_get_unparsed_name() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* build: Build with system md5.h on OpenIndianaAndrew Bartlett2013-06-193-3/+3
| | | | | | | | | | | | | | | | | | | | This changes (again...) our system md5 detection to cope with how OpenIndiana does md5. I'm becoming increasingly convinced this isn't worth our while (we should have just done samba_md5...), but for now this change seems to work on FreeBSD, OpenIndiana and Linux with libbsd. This needs us to rename struct MD5Context -> MD5_CTX, but we provide a config.h define to rename the type bad if MD5_CTX does not exist (it does however exist in the md5.h from libbsd). Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed Jun 19 21:32:36 CEST 2013 on sn-devel-104
* build: Remove unused credentials_samba3.cAndrew Bartlett2013-05-281-49/+0
| | | | | | | | | | This file was only used by the autoconf build system. Andrew Bartlett Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>