path: root/source4/auth/gensec
Commit log. Each entry gives the commit subject, then author, date, files changed and lines removed/added, then the commit message body.
* s4-auth: Make sure we use the correct credential state.
  Andreas Schneider, 2012-07-17, 1 file, -1/+6 lines

  If we create a copy of the credential state we miss updates to the credentials.

  To establish a netlogon schannel connection we create client credentials and authenticate with them using dcerpc_netr_ServerAuthenticate2(). For this we call netlogon_creds_client_authenticator() which increases the sequence number and steps the credentials. Let's assume the sequence number is 1002.

  After a successful authentication we get the server credentials and we send a bind auth request with the received creds. This sets up gensec, and the gensec schannel module creates a copy of the client creds and stores it in the schannel auth state. So the creds stored in gensec have the sequence number 1002.

  After that we continue and need the client credentials to call dcerpc_netr_LogonGetCapabilities() to verify the connection. So we need to increase the sequence number of the credentials to 1004 and step the credentials to the next state. The server always does the same and everything is just fine here.

  The connection is established and we want to do another netlogon call. So we get the creds from gensec and want to do a netlogon call, e.g. dcerpc_netr_SamLogonWithFlags. We get the needed creds from gensec. The sequence number is 1002 and we talk to the server. The server is already ahead cause we are already at sequence number 1004 and the server expects it to be 1006. So the server gives us ACCESS_DENIED cause we use a copy in gensec.

  Signed-off-by: Günther Deschner <gd@samba.org>
* s4:gensec: fix a comment typo
  Michael Adam, 2012-06-12, 1 file, -1/+1 lines
* gse: Use the smb_gss_oid_equal wrapper.
  Andreas Schneider, 2012-05-23, 1 file, -2/+4 lines

  Signed-off-by: Andreas Schneider <asn@samba.org>
* Introduce system MIT krb5 build with --with-system-mitkrb5 option.
  Alexander Bokovoy, 2012-05-23, 1 file, -0/+1 lines

  System MIT krb5 build is also enabled by specifying --without-ad-dc.

  When the --with-system-mitkrb5 (or --without-ad-dc) option is passed to top level configure in the WAF build we are trying to detect and use system-wide MIT krb5 libraries. As a result, Samba 4 DC functionality will be disabled due to the fact that it is currently impossible to implement an embedded KDC server with MIT krb5. Thus, a --with-system-mitkrb5/--without-ad-dc build will only produce:

    - Samba 4 client libraries and their Python bindings
    - Samba 3 server (smbd, nmbd, winbindd from source3/)
    - Samba 3 client libraries

  In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture. This in particular affects the spoolss_win, spoolss_notify, and remote_pac rpc tests.
* gensec_gssapi: Make it possible to build with MIT krb5
  Simo Sorce, 2012-05-23, 1 file, -10/+20 lines

  We need to ifdef out some minor things here because there is no available API to set these options in MIT.

  The realm and canonicalize options should not be interesting in the client case. Same for the send_to_kdc hacks.

  Also the OLD DES3 enctype is not at all interesting. I am not aware that Windows will ever use DES3 and no modern implementation relies on that enctype anymore, as it has been fully deprecated long ago, so we can simply ignore it.
* pygensec: Fix init of variable if not specified.
  Jelmer Vernooij, 2012-05-18, 1 file, -1/+1 lines

  Thanks to Wolfgang Sourdeau for reporting this.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=8946

  Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date: Fri May 18 04:50:17 CEST 2012 on sn-devel-104
* s4:auth/gensec_gssapi: add "gensec_gssapi:requested_life_time" option
  Stefan Metzmacher, 2012-05-17, 1 file, -1/+6 lines

  metze
* s4:auth/gensec: implement gensec_gssapi_expire_time()
  Stefan Metzmacher, 2012-05-17, 1 file, -0/+13 lines

  metze
* s4:auth/gensec_gssapi: add missing 'break' statements
  Stefan Metzmacher, 2012-05-17, 1 file, -0/+2 lines

  metze
* s4:auth/gensec_gssapi: remember the expire time
  Stefan Metzmacher, 2012-05-17, 2 files, -2/+9 lines

  metze
* s4-auth-krb: smb_rd_req_return_stuff is used only in gensec_krb5
  Simo Sorce, 2012-05-04, 4 files, -1/+114 lines

  Make it clearly a gensec_krb5 accessory file. This function should never be used anywhere else.

  This function was copied out from the Heimdal tree and is kept in a separate file for clarity and to keep the original license boilerplate.
* lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into lib/replace/system/gssapi.h
  Alexander Bokovoy, 2012-04-25, 1 file, -3/+1 lines

  With the waf build, include directories are defined by dependencies specified to subsystems. Without a proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds when there is no system-wide gssapi/gssapi.h available.

  Split out GSSAPI header includes in a separate replacement header and use that explicitly where needed.

  Autobuild-User: Alexander Bokovoy <ab@samba.org>
  Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
* For now just disable this Heimdal specific stuff in the MIT build
  Simo Sorce, 2012-04-23, 1 file, -0/+4 lines
* auth-krb: Move pac related util functions in a single place.
  Simo Sorce, 2012-04-12, 2 files, -0/+2 lines

  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Make functions static.
  Simo Sorce, 2012-04-12, 1 file, -0/+71 lines

  The remaining gssapi_parse functions were used exclusively in gensec_krb5. Move them there and make them static.

  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Move oid packet check to gensec_util.
  Simo Sorce, 2012-04-12, 2 files, -43/+3 lines

  This is clearly a utility function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere.

  Signed-off-by: Andreas Schneider <asn@samba.org>
* gensec_gssapi: keep private header file close to the actual code
  Simo Sorce, 2012-04-12, 2 files, -1/+70 lines

  Signed-off-by: Andreas Schneider <asn@samba.org>
* s4:auth/gensec/schannel: initialize struct schannel_state to zero
  Stefan Metzmacher, 2012-03-02, 1 file, -2/+1 lines

  metze
* s4:auth/gensec/schannel: make a copy of netlogon_creds_CredentialState in the client
  Stefan Metzmacher, 2012-03-02, 1 file, -1/+8 lines

  This is really a copy for the lifetime of the rpc connection.

  metze
* pygensec: Fix whitespace.
  Jelmer Vernooij, 2012-02-18, 1 file, -8/+8 lines
* auth/kerberos: Move gse_get_session_key() to common code and use in gensec_gssapi
  Andrew Bartlett, 2012-02-17, 1 file, -33/+22 lines

  This ensures that both code bases use the same logic to determine the use of NEW_SPNEGO.

  Andrew Bartlett
* s4:auth/gensec: make sure GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAG
  Stefan Metzmacher, 2012-01-20, 1 file, -0/+1 lines

  metze
* auth/gensec: move spnego.c to the toplevel
  Stefan Metzmacher, 2012-01-13, 2 files, -1411/+0 lines

  metze
* auth/gensec: common helper functions should be in gensec_util.c
  Stefan Metzmacher, 2012-01-13, 1 file, -107/+0 lines

  This makes the dependencies easier to handle.

  metze
* s4:auth/gensec: inline packet_full_request_u32()
  Stefan Metzmacher, 2012-01-13, 1 file, -1/+9 lines

  This removes the dependency on s4 specific code.

  metze
* s4:auth/gensec: fix compiler warnings in spnego.c
  Stefan Metzmacher, 2012-01-13, 1 file, -3/+0 lines

  metze
* s4:auth/gensec/spnego: add support for fragmented spnego messages
  Stefan Metzmacher, 2012-01-12, 1 file, -3/+205 lines

  metze
* s4:pygensec: add set_max_update_size() and max_update_size() functions
  Stefan Metzmacher, 2012-01-12, 1 file, -0/+25 lines

  metze
* gensec: Rename want_flags and got_flags in gensec_gssapi
  Andrew Bartlett, 2012-01-11, 1 file, -26/+26 lines

  This makes it clearer what type of flags these are.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* gensec: make gensec_gssapi.h common
  Andrew Bartlett, 2012-01-11, 1 file, -67/+0 lines

  This will make it easier to share elements of the GSSAPI gensec mechs, in much the same way elements of the NTLMSSP mech are shared.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* gensec: move gensec_util.c to the top level
  Andrew Bartlett, 2012-01-11, 2 files, -99/+1 lines

  To do this some defines need to move to common_auth.h

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s4:pygensec: add session_key() method
  Stefan Metzmacher, 2012-01-04, 1 file, -0/+29 lines

  metze
* s4-gensec: Rename memory contexts in gensec_util for greater clarity
  Andrew Bartlett, 2011-12-29, 1 file, -2/+2 lines

  This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.

  Thank you Simo for the suggestion.

  Andrew Bartlett
* s4-gensec: Rename memory contexts in gensec_krb5 for greater clarity
  Andrew Bartlett, 2011-12-29, 1 file, -16/+16 lines

  This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.

  Thank you Simo for the suggestion.

  Andrew Bartlett
* s4-gensec: Rename memory contexts in gensec_gssapi for greater clarity
  Andrew Bartlett, 2011-12-29, 1 file, -16/+16 lines

  This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.

  Thank you Simo for the suggestion.

  Andrew Bartlett
* s4-gensec remove auth_session dep from gensec_gssapi.c
  Andrew Bartlett, 2011-12-29, 1 file, -1/+1 lines

  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Thu Dec 29 05:37:11 CET 2011 on sn-devel-104
* s4-gensec Remove fallback for simple privileges
  Andrew Bartlett, 2011-12-29, 1 file, -6/+2 lines

  This makes the dependencies simpler, as this code path is no longer required.

  (That is, it makes no sense to have an NTLM login without an auth context, and the gensec_gssapi and gensec_krb5 modules call the PAC blob function below instead).

  Andrew Bartlett
* s4-torture: Demonstrate handling of the PAC in a custom auth_context
  Andrew Bartlett, 2011-12-29, 2 files, -59/+5 lines

  This demonstrates how a different function pointer can be supplied to handle the PAC blob, without depending on the provisioned samdb etc.

  Andrew Bartlett
* s4-gensec: Move parsing of the PAC blob and creating the session_info into auth
  Andrew Bartlett, 2011-12-29, 4 files, -146/+152 lines

  This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info.

  This allows a separation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context.

  Andrew Bartlett

  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
* s4-gensec: fix cyrus sasl module after update() prototype change
  Andrew Bartlett, 2011-12-29, 1 file, -0/+1 lines
* s4-gensec: Allow a PAC to be obtained from any GSS mech
  Andrew Bartlett, 2011-12-28, 1 file, -7/+0 lines

  This may allow Luke Howard's moonshot to work with a little less effort at some point in the future.

  Andrew Bartlett
* auth: Allow a NULL principal to be obtained from the credentials
  Andrew Bartlett, 2011-12-07, 1 file, -1/+4 lines

  This is important when trying to let GSSAPI search the keytab.

  Andrew Bartlett
* s4:gensec/spnego: only try the mechs that match the client given ones
  Stefan Metzmacher, 2011-11-30, 1 file, -0/+4 lines

  Windows members of NT4/Samba3 domains send MechTypes:

    1.3.6.1.4.1.311.2.2.10 [NTLMSSP]
    1.2.840.48018.1.2.2    [krb5 broken]
    1.2.840.113554.1.2.2   [krb5]

  and a MechToken for NTLMSSP.

  This patch makes sure we start NTLMSSP with the given MechToken, instead of trying to pass the NTLMSSP MechToken to the krb5 backend first. As that would fail the authentication with an error instead of trying fallbacks.

  metze

  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Wed Nov 30 17:03:29 CET 2011 on sn-devel-104
* gensec: move event context from gensec_*_init() to gensec_update()
  Andrew Bartlett, 2011-10-18, 5 files, -41/+48 lines

  This avoids keeping the event context around on the gensec_security context structure long term.

  In the Samba3 server, the event context we supply is a NULL pointer, as no server-side modules currently use the event context.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* gensec: move event-using code to gensec_update() hooks out of gensec_start*()
  Andrew Bartlett, 2011-10-18, 3 files, -39/+77 lines

  This ensures that only gensec_update() will require an event context argument when the API is refactored.

  Andrew Bartlett
* libcli/auth: Provide a struct loadparm_context to schannel calls
  Andrew Bartlett, 2011-10-13, 1 file, -1/+1 lines

  This will allow us to pass this down to the tdb_wrap layer.

  Andrew Bartlett
* auth: move gensec_start.c to the top level
  Andrew Bartlett, 2011-10-11, 6 files, -972/+65 lines

  This does not change who uses gensec for now, but makes it possible to write new gensec modules outside source4/

  Andrew Bartlett
* auth: move credentials layer to the top level
  Andrew Bartlett, 2011-10-11, 1 file, -0/+4 lines

  This will allow gensec_start.c to move to the top level.

  This does not change what code uses the cli_credentials code, but allows the gensec code to be used more broadly.

  Andrew Bartlett
* lib/util: consolidate module loading into common code
  Andrew Bartlett, 2011-10-06, 2 files, -1/+2 lines

  This creates a samba-modules private library that handles the details.

  Andrew Bartlett
* s4:auth - remove unused variables
  Matthias Dieter Wallnöfer, 2011-09-19, 1 file, -1/+0 lines

  Reviewed-by: Jelmer