summaryrefslogtreecommitdiffstats
path: root/source4/auth
Commit message (Collapse)AuthorAgeFilesLines
* Fix the developer O3 buildVolker Lendecke2015-02-251-2/+2
| | | | | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Wed Feb 25 16:32:29 CET 2015 on sn-devel-104
* auth/kerberos: Use talloc_stackframe to avoid memory and FD leak of event ↵Andrew Bartlett2015-02-081-27/+33
| | | | | | | | | | | | | | context The smb_krb5_send_and_recv_func_forced and smb_krb5_send_and_recv_func functions could leak an event context including an epoll FD and some memory. This may explain a flapping test in krb5.kdc Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-By: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
* torture: Start a new testsuite for krb5 and KDC behaviourAndrew Bartlett2015-01-232-37/+92
| | | | | | Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2014-8143:auth: Force talloc type of session_info pointer to matchAndrew Bartlett2015-01-151-0/+5
| | | | | | | | | | | | | This helps us keep things safe in LDB where we put this in a opaque pointer. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Andrew Bartlett Change-Id: I46fe53ba655ca0810c276b72fbca524884cdf22d Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* gensec_krb5: Match behaviour of gensec_gssapi for password-based keytabsAndrew Bartlett2014-12-181-0/+10
| | | | | | | | | This allows the winbind.pac.krb5 test to pass against the s3member environment, which uses the password from secrets.tdb. Andrew Bartlett Reviewed-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4-auth/kerberos: fix salting principal, make sure hostname is lowercase.Günther Deschner2014-09-261-1/+1
| | | | | | | | | | | | Found at MS interop event while working on AES kerberos key support. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Fri Sep 26 23:37:09 CEST 2014 on sn-devel-104
* s4: auth: gensec: asn1 fixes - check all returns.Jeremy Allison2014-09-261-19/+22
| | | | | Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
* s4-auth: Use sizeof() rather than a fixed constant in memcmp() callAndrew Bartlett2014-09-081-1/+2
| | | | | | Change-Id: I2807cf2af9e4c3282e6ff54a6dd8e90f34e9481f Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
* auth: Split out fetching trusted domain into sam_get_results_trust()Andrew Bartlett2014-09-011-0/+74
| | | | | | | | | | This new helper function will also be used by pdb_samba_dsdb. Change-Id: I008af94a0822012c211cfcc6108a8b1285f4d7c7 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4-gensec: Fix spelling in debug messageAndrew Bartlett2014-09-011-1/+1
| | | | | | | Change-Id: Ia0218c4b1f714d1b829ab0ce5851a4d02a1bf5df Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
* s4-auth: Initialize the tokens by default.Andreas Schneider2014-08-081-1/+3
| | | | | | | | | | | Found with valgrind. Signed-off-by: Andreas Schneider <asn@samba.org> Pair-Programmed-With: Guenther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Fri Aug 8 19:01:56 CEST 2014 on sn-devel-104
* wscript: Only build gensec_krb5 with heimdal.Andreas Schneider2014-08-081-1/+1
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-gensec_krb5: fix memleak in gensec_krb5_session_info().Günther Deschner2014-08-081-0/+1
| | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-auth/kerberos: add a note how to implement ↵Günther Deschner2014-08-081-0/+2
| | | | | | | | | krb5_get_init_creds_opt_set_win2k() with MIT. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-kerberos: remove duplicate macros.Günther Deschner2014-08-081-10/+0
| | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib/krb5_wrap: move krb5_princ_size replacement code to ↵Günther Deschner2014-08-081-8/+0
| | | | | | | | | lib/krb5_wrap/krb5_samba.c. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba: use smb_krb5_create_key_from_string() in some places.Günther Deschner2014-08-081-4/+6
| | | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Fix talloc access after free in smb_krb5_update_keytabSamuel Cabrero2014-07-081-1/+6
| | | | | | | | | | Change-Id: Iaa168d520f124e0c43c7edd649318f0b8ee25020 Signed-off-by: Samuel Cabrero <scabrero@zentyal.com> Reviewed-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Kamen Mazdrashki <kamenim@samba.org> Autobuild-Date(master): Tue Jul 8 16:51:09 CEST 2014 on sn-devel-104
* s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbinddAndrew Bartlett2014-07-041-3/+7
| | | | | | | | | This changes the auth code in winbindd to use this as a flag, and to therefore contact the RW DC. Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
* auth: Provide a way to use the auth stack for winbindd authenticationAndrew Bartlett2014-06-113-2/+10
| | | | | | | | | | | | | | This adds in flags that allow winbindd to request authentication without directly calling into the auth_sam module. That in turn will allow winbindd to call auth_samba4 and so permit winbindd operation in the AD DC. Andrew Bartlett Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Allow auth_samba4 to be forced to run a specific auth moduleAndrew Bartlett2014-05-162-2/+2
| | | | | | | | | | This will allow new tests to be written to validate winbindd authentication results Andrew Bartlett Change-Id: I008eba1de349b17ee4eb9f11be08338557dffecc Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* s4:auth_winbind: explicitly use dcerpc_binding_handle_set_sync_ev() for irpcAndrew Bartlett2014-05-131-0/+2
| | | | | | | | | | | | This indicates that we're using nested event loops... Andrew Bartlett Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Change-Id: I08f21876d42197f76fe3ae10b4f464626d70bf5a Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* kerberos: Remove un-used event context argument from smb_krb5_init_context()Andrew Bartlett2014-04-283-14/+1
| | | | | | | | | | | | | | | | | The event context here was only specified in the server or admin-tool context, which does not do network communication, so this only caused a talloc_reference() and never any useful result. The actual network communication code sets an event context directly before making the network call. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
* s4-auth: Make the auth_winbind_wbclient use more correct code now in ↵Andrew Bartlett2014-04-181-86/+8
| | | | | | | auth/wbc_auth_util.c Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth: Remove support for HAVE_TRUNCATED_SALT from pass_check.cAndrew Bartlett2014-04-151-5/+0
| | | | | | | | | | | The comments indicate that this was needed for HP-UX at one point, but the configure code was never ported to WAF. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Apr 15 12:32:09 CEST 2014 on sn-devel-104
* auth: Remove USE_BOTH_CRYPT_CALLS block from pass_check.cAndrew Bartlett2014-04-151-20/+0
| | | | | | | | This code is dead since the move to the WAF build system, but was set for HP-UX 9, 10 and 11 in the autoconf build system. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove linux_bigcrypt support from pass_check.cAndrew Bartlett2014-04-151-8/+0
| | | | | | | This is dead code, and probably has been for quite some time. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove support for plaintext auth on systems that use getprpwnam()Andrew Bartlett2014-04-151-9/+0
| | | | | | | | The WAF build does not have the code to detect getprpwnam, so this is dead code. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove afs_auth() from pass_check.c and s4's auth_unixAndrew Bartlett2014-04-151-4/+0
| | | | | | | | The waf build does not have code to detect support for AFS plaintext authentication, so this is dead code. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove dfs_auth() from pass_check.c and s4's auth_unixAndrew Bartlett2014-04-151-4/+0
| | | | | | | | The waf build has no logic to detect DCE/DFS, so this plaintext authentication mechanism is dead code. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* s4-auth: Support password history correctly, including allowing NTLM logins ↵Andrew Bartlett2014-04-022-26/+297
| | | | | | | | | | | | | | | using the old password This is only done during a 1 hour allowed period, by default. We only update bad password count when not one of the last 3 passwords Andrew Bartlett Change-Id: I76fd8010ce273a21efb55f9601d17b9978a0acf0 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.cAndrew Bartlett2014-04-021-100/+0
| | | | | | | | | | This allows the password_hash code to call the same update routine. Andrew Bartlett Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth: Split out badPwdCount update into a helper functionAndrew Bartlett2014-04-021-48/+79
| | | | | | | | | | This will allow password_hash to call this using dsdb_module_*() functions. Andrew Bartlett Change-Id: Ib6705300f3f12f4e5e9c73bfd041e6f72bb3ac4a Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and ↵Andrew Bartlett2014-04-022-0/+67
| | | | | | | | lockoutTime on successful login Change-Id: I2530f08a91f9b6484203dbdaba988f2df1a04ea1 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4-auth: Rework memory handling to use a tmp_ctxAndrew Bartlett2014-04-021-17/+51
| | | | | | Change-Id: Iceb4a04dbd04f581d2bbade86213c8ecfa35d306 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:auth: Add password lockout support to the AD DCAndrew Bartlett2014-04-022-0/+124
| | | | | | | | Including a fix by Arvid Requate <requate@univention.de> Change-Id: I25d10da50dd6119801cd37349cce970599531c6b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Put password lockout support in samdb_result_passwords()Andrew Bartlett2014-04-021-9/+1
| | | | | | | | | | | | This seems to be the best choke point to check for locked out accounts, as aside from the KDC, all the password authentication and change callers use it. Andrew Bartlett Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Rework samdb_result_acct_flags to use either userAccountControl or ↵Andrew Bartlett2014-04-022-5/+5
| | | | | | | | | | | | | | | | msDS-User-Account-Control-Computed This allows us to avoid the domain lookup in the constructed attribute when not required. By using msDS-User-Account-Control-Computed the lockout and password expiry checks are now handled in the operational ldb module. Andrew Bartlett Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:auth/sam: use a higher time resolution in authsam_account_ok()Stefan Metzmacher2014-04-021-2/+2
| | | | | | Change-Id: I2961e7311f31e239a6768f56437e5c112a7a9bb0 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to NT_STATUS_ACCOUNT_LOCKED_OUTAndrew Bartlett2014-04-021-0/+3
| | | | | | Change-Id: I333083e11a56d0f99ec36df25a96804d0ff2d110 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:auth/gensec: explicitly use allow_warnings=True for gssapi and sasl modulesStefan Metzmacher2014-04-021-0/+2
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth/ntlm: add auth4_sam_init() prototype to avoid a warningStefan Metzmacher2014-04-021-0/+1
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth: avoid str_list related const warningsStefan Metzmacher2014-04-022-3/+3
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth/gensec: fix declaration after code warning in gensec_tstream.cStefan Metzmacher2014-04-021-1/+2
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth/gensec: include gensec_krb5_util.h in gensec_krb5_util.cStefan Metzmacher2014-04-021-0/+1
| | | | | | | This avoids missing prototype warnings. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: remove tevent_context argument from gensec_update()Stefan Metzmacher2014-03-271-1/+1
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:pygensec: don't pass an explicit tevent_context to gensec_update()Stefan Metzmacher2014-03-271-9/+1
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Remove all uses of the NT_STATUS_NOT_OK_RETURN_AND_FREE macro from the codebase.Garming Sam2014-03-051-1/+4
| | | | | | | | | | Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls. Change-Id: I421e169275fe323e2b019c6cc5d386289aec07f7 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* Remove the remaining uses of the macro NT_STATUS_HAVE_NO_MEMORY_AND_FREE in ↵Garming Sam2014-03-051-14/+28
| | | | | | | | | | | | | the codebase. Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls. Change-Id: Id1b540cde127395a7b27385a7c0fe79f3a145c73 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* Remove a number of NT_STATUS_HAVE_NO_MEMORY_AND_FREE macros from the codebase.Garming Sam2014-03-052-19/+76
| | | | | | | | | | | Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls. Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
generated by cgit (git 2.34.1) at 2025-06-14 20:27:40 +0000