path: root/source4/auth/gensec
Commit log. Each entry lists the commit message, then (author, date; files changed, lines removed/added), followed by the commit message body.
* Fix the developer O3 build
  (Volker Lendecke, 2015-02-25; 1 file changed, -2/+2 lines)
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
  Autobuild-Date(master): Wed Feb 25 16:32:29 CET 2015 on sn-devel-104
* gensec_krb5: Match behaviour of gensec_gssapi for password-based keytabs
  (Andrew Bartlett, 2014-12-18; 1 file changed, -0/+10 lines)
  This allows the winbind.pac.krb5 test to pass against the s3member environment, which uses the password from secrets.tdb.
  Andrew Bartlett
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4: auth: gensec: asn1 fixes - check all returns.
  (Jeremy Allison, 2014-09-26; 1 file changed, -19/+22 lines)
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
* s4-gensec: Fix spelling in debug message
  (Andrew Bartlett, 2014-09-01; 1 file changed, -1/+1 lines)
  Change-Id: Ia0218c4b1f714d1b829ab0ce5851a4d02a1bf5df
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
* s4-auth: Initialize the tokens by default.
  (Andreas Schneider, 2014-08-08; 1 file changed, -1/+3 lines)
  Found with valgrind.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Pair-Programmed-With: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Günther Deschner <gd@samba.org>
  Autobuild-Date(master): Fri Aug 8 19:01:56 CEST 2014 on sn-devel-104
* wscript: Only build gensec_krb5 with heimdal.
  (Andreas Schneider, 2014-08-08; 1 file changed, -1/+1 lines)
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-gensec_krb5: fix memleak in gensec_krb5_session_info().
  (Günther Deschner, 2014-08-08; 1 file changed, -0/+1 lines)
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kerberos: Remove unused event context argument from smb_krb5_init_context()
  (Andrew Bartlett, 2014-04-28; 1 file changed, -1/+0 lines)
  The event context here was only specified in the server or admin-tool context, which does not do network communication, so this only caused a talloc_reference() and never any useful result. The actual network communication code sets an event context directly before making the network call.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
* kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to NT_STATUS_ACCOUNT_LOCKED_OUT
  (Andrew Bartlett, 2014-04-02; 1 file changed, -0/+3 lines)
  Change-Id: I333083e11a56d0f99ec36df25a96804d0ff2d110
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:auth/gensec: explicitly use allow_warnings=True for gssapi and sasl modules
  (Stefan Metzmacher, 2014-04-02; 1 file changed, -0/+2 lines)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth/gensec: fix declaration after code warning in gensec_tstream.c
  (Stefan Metzmacher, 2014-04-02; 1 file changed, -1/+2 lines)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth/gensec: include gensec_krb5_util.h in gensec_krb5_util.c
  (Stefan Metzmacher, 2014-04-02; 1 file changed, -0/+1 lines)
  This avoids missing prototype warnings.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: remove tevent_context argument from gensec_update()
  (Stefan Metzmacher, 2014-03-27; 1 file changed, -1/+1 lines)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:pygensec: don't pass an explicit tevent_context to gensec_update()
  (Stefan Metzmacher, 2014-03-27; 1 file changed, -9/+1 lines)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth/gensec: only include "librpc/gen_ndr/dcerpc.h"
  (Stefan Metzmacher, 2014-02-13; 2 files changed, -2/+2 lines)
  We only need some DCERPC_ defines.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s4:gensec_gssapi: make sure gensec_gssapi_[un]seal_packet() rejects header signing
  (Stefan Metzmacher, 2014-01-07; 1 file changed, -0/+12 lines)
  If header signing is requested, we should error out instead of silently ignoring it; our peer would hopefully reject it, but we should also do that.
  TODO: we should implement header signing using gss_wrap_iov().
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth/gensec_gssapi: handle GENSEC_FEATURE_SIGN_PKT_HEADER in have_feature()
  (Stefan Metzmacher, 2014-01-07; 1 file changed, -0/+12 lines)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gensec: move schannel module to toplevel.
  (Günther Deschner, 2013-09-19; 2 files changed, -340/+0 lines)
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/gensec: introduce gensec_internal.h
  (Stefan Metzmacher, 2013-08-10; 5 files changed, -0/+5 lines)
  We should treat most gensec-related structures as private. It's a long way, but this is a start.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:gensec/schannel: only require librpc/gen_ndr/dcerpc.h
  (Stefan Metzmacher, 2013-08-10; 1 file changed, -1/+1 lines)
  We just need DCERPC_AUTH_TYPE_SCHANNEL.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:gensec/schannel: there's no point in having schannel_session_key()
  (Stefan Metzmacher, 2013-08-10; 1 file changed, -8/+0 lines)
  gensec_session_key() will return NT_STATUS_NO_USER_SESSION_KEY before calling schannel_session_key(), as we don't provide GENSEC_FEATURE_SESSION_KEY.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:gensec/schannel: GENSEC_FEATURE_ASYNC_REPLIES is not supported
  (Stefan Metzmacher, 2013-08-10; 1 file changed, -3/+0 lines)
  There's a sequence number attached to the connection, which needs to be incremented with each message...
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:gensec/schannel: use the correct computer_name from netlogon_creds_CredentialState
  (Stefan Metzmacher, 2013-08-10; 1 file changed, -3/+3 lines)
  We need to use the same computer_name we used in the netr_Authenticate3 request.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:gensec/schannel: simplify the code by using netsec_create_state()
  (Stefan Metzmacher, 2013-08-10; 1 file changed, -68/+30 lines)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:gensec/schannel: remove unused dcerpc_schannel_creds()
  (Stefan Metzmacher, 2013-08-10; 2 files changed, -49/+0 lines)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gensec: Make the no-hostname status message much less scary
  (Andrew Bartlett, 2013-05-16; 2 files changed, -2/+2 lines)
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* gensec: recv_handler can't be NULL at that point.
  (Andreas Schneider, 2013-03-05; 1 file changed, -1/+1 lines)
  We probably want to segfault here if it is NULL.
  Reviewed-by: David Disseldorp <ddiss@samba.org>
* Move python modules from source4/scripting/python/ to python/.
  (Jelmer Vernooij, 2013-03-02; 1 file changed, -1/+1 lines)
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Sat Mar 2 03:57:34 CET 2013 on sn-devel-104
* s4:pygensec: make use of samba_tevent_context_init()
  (Stefan Metzmacher, 2013-02-28; 1 file changed, -1/+1 lines)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
* Fix some cut-and-paste and spelling in debug messages
  (Guenter Kukkukk, 2013-02-12; 1 file changed, -8/+8 lines)
  Signed-off-by: Guenter Kukkukk <kukks@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Tue Feb 12 07:28:27 CET 2013 on sn-devel-104
* s4-auth: Make sure we use the correct credential state.
  (Andreas Schneider, 2012-07-17; 1 file changed, -1/+6 lines)
  If we create a copy of the credential state we miss updates to the credentials.

  To establish a netlogon schannel connection we create client credentials and authenticate with them using dcerpc_netr_ServerAuthenticate2(). For this we call netlogon_creds_client_authenticator(), which increases the sequence number and steps the credentials. Let's assume the sequence number is 1002.

  After a successful authentication we get the server credentials and we send a bind auth request with the received creds. This sets up gensec, and the gensec schannel module created a copy of the client creds and stores it in the schannel auth state. So the creds stored in gensec have the sequence number 1002.

  After that we continue and need the client credentials to call dcerpc_netr_LogonGetCapabilities() to verify the connection. So we need to increase the sequence number of the credentials to 1004 and step the credentials to the next state. The server always does the same and everything is just fine here.

  The connection is established and we want to do another netlogon call. So we get the creds from gensec and want to do a netlogon call, e.g. dcerpc_netr_SamLogonWithFlags. We get the needed creds from gensec. The sequence number is 1002 and we talk to the server. The server is already ahead because we are already at sequence number 1004 and the server expects it to be 1006. So the server gives us ACCESS_DENIED because we use a copy in gensec.

  Signed-off-by: Günther Deschner <gd@samba.org>
* s4:gensec: fix a comment typo
  (Michael Adam, 2012-06-12; 1 file changed, -1/+1 lines)
* gse: Use the smb_gss_oid_equal wrapper.
  (Andreas Schneider, 2012-05-23; 1 file changed, -2/+4 lines)
  Signed-off-by: Andreas Schneider <asn@samba.org>
* Introduce system MIT krb5 build with --with-system-mitkrb5 option.
  (Alexander Bokovoy, 2012-05-23; 1 file changed, -0/+1 lines)
  The system MIT krb5 build is also enabled by specifying --without-ad-dc.

  When the --with-system-mitkrb5 (or --without-ad-dc) option is passed to the top-level configure in the WAF build, we try to detect and use system-wide MIT krb5 libraries. As a result, Samba 4 DC functionality will be disabled, due to the fact that it is currently impossible to implement an embedded KDC server with MIT krb5.

  Thus, a --with-system-mitkrb5/--without-ad-dc build will only produce:
    * Samba 4 client libraries and their Python bindings
    * Samba 3 server (smbd, nmbd, winbindd from source3/)
    * Samba 3 client libraries

  In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture. This in particular affects the spoolss_win, spoolss_notify, and remote_pac rpc tests.
* gensec_gssapi: Make it possible to build with MIT krb5
  (Simo Sorce, 2012-05-23; 1 file changed, -10/+20 lines)
  We need to ifdef out some minor things here because there is no available API to set these options in MIT.

  The realm and canonicalize options should not be interesting in the client case. Same for the send_to_kdc hacks.

  Also the OLD DES3 enctype is not at all interesting. I am not aware that Windows will ever use DES3, and no modern implementation relies on that enctype anymore as it has been fully deprecated long ago, so we can simply ignore it.
* pygensec: Fix init of variable if not specified.
  (Jelmer Vernooij, 2012-05-18; 1 file changed, -1/+1 lines)
  Thanks to Wolfgang Sourdeau for reporting this.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=8946
  Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date: Fri May 18 04:50:17 CEST 2012 on sn-devel-104
* s4:auth/gensec_gssapi: add "gensec_gssapi:requested_life_time" option
  (Stefan Metzmacher, 2012-05-17; 1 file changed, -1/+6 lines)
  metze
* s4:auth/gensec: implement gensec_gssapi_expire_time()
  (Stefan Metzmacher, 2012-05-17; 1 file changed, -0/+13 lines)
  metze
* s4:auth/gensec_gssapi: add missing 'break' statements
  (Stefan Metzmacher, 2012-05-17; 1 file changed, -0/+2 lines)
  metze
* s4:auth/gensec_gssapi: remember the expire time
  (Stefan Metzmacher, 2012-05-17; 2 files changed, -2/+9 lines)
  metze
* s4-auth-krb: smb_rd_req_return_stuff is used only in gensec_krb5
  (Simo Sorce, 2012-05-04; 4 files changed, -1/+114 lines)
  Make it clearly a gensec_krb5 accessory file. This function should never be used anywhere else.
  This function was copied out from the Heimdal tree and is kept in a separate file for clarity and to keep the original license boilerplate.
* lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into lib/replace/system/gssapi.h
  (Alexander Bokovoy, 2012-04-25; 1 file changed, -3/+1 lines)
  With the waf build, include directories are defined by the dependencies specified for subsystems. Without a proper dependency, <gssapi/gssapi.h> cannot be found for embedded Heimdal builds when there is no system-wide gssapi/gssapi.h available.

  Split out the GSSAPI header includes into a separate replacement header and use that explicitly where needed.

  Autobuild-User: Alexander Bokovoy <ab@samba.org>
  Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
* For now just disable this Heimdal-specific stuff in the MIT build
  (Simo Sorce, 2012-04-23; 1 file changed, -0/+4 lines)
* auth-krb: Move pac related util functions in a single place.
  (Simo Sorce, 2012-04-12; 2 files changed, -0/+2 lines)
  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Make functions static.
  (Simo Sorce, 2012-04-12; 1 file changed, -0/+71 lines)
  The remaining gssapi_parse functions were used exclusively in gensec_krb5. Move them there and make them static.
  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Move oid packet check to gensec_util.
  (Simo Sorce, 2012-04-12; 2 files changed, -43/+3 lines)
  This is clearly a utility function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere.
  Signed-off-by: Andreas Schneider <asn@samba.org>
* gensec_gssapi: keep private header file close to the actual code
  (Simo Sorce, 2012-04-12; 2 files changed, -1/+70 lines)
  Signed-off-by: Andreas Schneider <asn@samba.org>
* s4:auth/gensec/schannel: initialize struct schannel_state to zero
  (Stefan Metzmacher, 2012-03-02; 1 file changed, -2/+1 lines)
  metze
* s4:auth/gensec/schannel: make a copy of netlogon_creds_CredentialState in the client
  (Stefan Metzmacher, 2012-03-02; 1 file changed, -1/+8 lines)
  This is really a copy for the lifetime of the rpc connection.
  metze
* pygensec: Fix whitespace.
  (Jelmer Vernooij, 2012-02-18; 1 file changed, -8/+8 lines)