summaryrefslogtreecommitdiffstats
path: root/auth
Commit message (Collapse)AuthorAgeFilesLines
* auth/pycredentials: make use of samba_tevent_context_init()Stefan Metzmacher2013-02-281-1/+1
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* ntdb: switch between secrets.tdb and secrets.ntdb depending on 'use ntdb'Rusty Russell2013-02-201-1/+3
| | | | | | | | | | | Since we open with dbwrap, it auto-converts old tdbs (which it will rename to secrets.tdb.bak once it's done). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au> Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104
* gensec: Allow login without a PAC by default (bug #9581)Andrew Bartlett2013-01-241-1/+1
| | | | | | | | | The sense of this test was inverted. We only want to take the ACCESS_DENIED error if gensec:require_pac=true. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth: added cli_credentials_failed_kerberos_login()Andrew Tridgell2012-11-012-0/+64
| | | | | | | | this is used to support retrying kerberos connections after removing a ccache entry, to cope with a server being re-built while our client still has a valid service ticket Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* auth/kerberos: add HAVE_KRB5 guard to fix non-krb5 build after winbindd pac ↵Andrew Bartlett2012-09-221-0/+3
| | | | | | | changes Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sat Sep 22 02:44:07 CEST 2012 on sn-devel-104
* auth/kerberos: Adjust log level for failed PAC signature verificationChristof Schmitt2012-09-201-1/+1
| | | | | | | | With winbindd trying to verify the signature of an application provided PAC, this message can be easily triggered. Adjust the debug level to avoid filling up the logs. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* auth: Fix some nonempty blank linesVolker Lendecke2012-09-201-61/+59
| | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: Do not print passwords in a talloc memory dumpAndrew Bartlett2012-08-311-0/+8
| | | | | | | The fact that a password was created here is enough information, so overwrite with the function name and line. Andrew Bartlett
* auth/credentials: Support match-by-key in cli_credentials_get_server_gss_creds()Andrew Bartlett2012-08-301-3/+8
| | | | | | | | | | | | | This allows a password alone to be used to accept kerberos tickets. Of course, we need to have got the salt right, but we do not need also the correct kvno. This allows gensec_gssapi to accept tickets based on a secrets.tdb entry. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Aug 30 01:26:12 CEST 2012 on sn-devel-104
* auth/credentials: Remove unused, and un-declared cli_credentials_set_krbtgt()Andrew Bartlett2012-08-291-29/+0
|
* auth/credentials: Better integrate fetch of secrets.tdb and secrets.ldb recordsAndrew Bartlett2012-08-291-32/+61
| | | | | | | | By checking first if there is a secrets.tdb record and passing in the password and last change time we avoid setting one series of values and then replacing them. We also avoid the need to work around the setting of anonymous. Andrew Bartlett
* auth/credentials: Improve memory handling in cli_credentials_set_machine_accountAndrew Bartlett2012-08-291-26/+26
| | | | | | | | | By using a tempoary talloc context this is much tidier and more reliable code. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Aug 29 03:11:10 CEST 2012 on sn-devel-104
* auth/credentials: Avoid double-free in the failure caseAndrew Bartlett2012-08-291-1/+1
| | | | | | This pointer is only valid if dbwrap_fetch returned success. Andrew Bartlett
* auth/credentials: Rework credentials handling to try and find the most ↵Andrew Bartlett2012-08-281-33/+71
| | | | | | | | recent machine pw As winbindd will update secrets.tdb but not secrets.ldb, we need to detect this and use secrets.tdb Andrew Bartlett
* auth/credentials: Expand secrets.tdb fetch of secrets to preserve ↵Andrew Bartlett2012-08-281-0/+4
| | | | | | | | workstation and realm These would otherwise be set during the fetch from the secrets.ldb, but are wiped when that fails. Andrew Bartlett
* build: rename security → samba-securityBjörn Jacke2012-08-102-2/+2
| | | | | | | | | there is a libsecurity on OSF1 which clasheѕ with our security lib. see bug #9023. Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Björn Jacke <bj@sernet.de> Autobuild-Date(master): Fri Aug 10 14:22:21 CEST 2012 on sn-devel-104
* auth/ntlmssp: avoid talloc_tos() in ntlmssp_client_initial()Stefan Metzmacher2012-08-041-1/+1
| | | | | | | This avoids a smb_panic at log level = 10. If we don't have a talloc stackframe yet. metze
* auth/kerberos: Do not do pointer arithmatic on a void *Andrew Bartlett2012-07-301-1/+1
| | | | | | Found with -Werror=pointer-arith Andrew Bartlett
* auth/credentials: Remove extra newlineAndrew Bartlett2012-07-191-1/+1
|
* auth/credentials: Look in the secrets.tdb for the machine accountAndrew Bartlett2012-07-152-3/+50
| | | | | | | | | This is for use with the -P/--machine-pass option. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sun Jul 15 05:41:28 CEST 2012 on sn-devel-104
* auth: Common function for retrieving PAC_LOGIN_INFO from PACChristof Schmitt2012-07-062-0/+47
| | | | | | | | Several functions use the same logic as kerberos_pac_logon_info. Move kerberos_pac_logon_info to common code and reuse it to remove the code duplication. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* auth: Remove .get_challenge (only used for security=server)Andrew Bartlett2012-07-032-11/+0
| | | | | | | | | | | | | With NTLMSSP, for NTLM2 we need to be able to set the effective challenge, so if we ever did use a module that needed this functionlity, we would downgrade to just NTLM. Now that security=server has been removed, we have no such module. This will make it easier to make the auth subsystem async, as we will not need to consider making .get_challenge async. Andrew Bartlett
* auth/gensec: Remove unused gensec_security parameterAndrew Bartlett2012-07-031-6/+3
|
* auth-kerberos: avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute()Alexander Bokovoy2012-06-061-2/+18
| | | | | | | | | | | | | | gss_get_name_attribute() can return unintialized pac_display_buffer and later gss_release_buffer() will crash on attempting to release it. The fix on MIT krb5 side is in 1.10.1, reported in both Debian and MIT upstream: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514 http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087 We need to initialize variables before using gss_get_name_attribute() Autobuild-User: Alexander Bokovoy <ab@samba.org> Autobuild-Date: Wed Jun 6 18:22:51 CEST 2012 on sn-devel-104
* auth/credentials: 'workgroup' set via command line will not drop existing ccacheAlexander Bokovoy2012-05-242-13/+7
| | | | | | | | | | The root cause for existing ccache being invalidated was use of global loadparm with 'workgroup' value set as if from command line. However, we don't really need to take 'workgroup' parameter value's nature into account when invalidating existing ccache. When -U is used on the command line, one can specify a password to force ccache invalidation. The commit also reverts previous fix now that root cause is clear.
* gse: Use the smb_gss_oid_equal wrapper.Andreas Schneider2012-05-231-1/+1
| | | | Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-credentials: Support using pre-fetched ccache when obtaining kerberos ↵Alexander Bokovoy2012-05-231-2/+12
| | | | | | | | | credentials When credentials API is used by a client-side program that already as fetched required tickets into a ccache, we need to skip re-initializing ccache. This is used in FreeIPA when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets already.
* auth and s4-rpc_server: Do not use features we currently can't implement ↵Simo Sorce2012-05-231-1/+4
| | | | with MIT Kerbros build
* auth/gensec: implement gensec_spnego_expire_time()Stefan Metzmacher2012-05-171-0/+12
| | | | metze
* auth/gensec: add gensec_expire_time()Stefan Metzmacher2012-05-172-0/+12
| | | | metze
* s4-auth: Use smb_krb5_cc_get_lifetime() wrapper.Andreas Schneider2012-05-041-2/+2
| | | | Signed-off-by: Simo Sorce <idra@samba.org>
* lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into ↵Alexander Bokovoy2012-04-253-1/+3
| | | | | | | | | | | | | | lib/replace/system/gssapi.h With waf build include directories are defined by dependencies specified to subsystems. Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds when there are no system-wide gssapi/gssapi.h available. Split out GSSAPI header includes in a separate replacement header and use that explicitly where needed. Autobuild-User: Alexander Bokovoy <ab@samba.org> Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
* Make krb5 wrapper library common so they can be used all overSimo Sorce2012-04-234-4/+56
|
* srv_keytab: Pass krb5_context directly, it's all we use anyways.Simo Sorce2012-04-121-1/+2
| | | | Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Move pac related util functions in a single place.Simo Sorce2012-04-124-11/+78
| | | | Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Make functions static.Simo Sorce2012-04-123-100/+2
| | | | | | | The remaining gssapi_parse functions were used exclusively in gensec_krb5. Move them there and make them static. Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Use simpler method to extract keytype.Simo Sorce2012-04-121-19/+12
| | | | Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Nove oid packet check to gensec_util.Simo Sorce2012-04-124-21/+47
| | | | | | | | This is clearly a utiliy function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere. Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Remove dependency on credentials too.Simo Sorce2012-04-121-3/+6
| | | | Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Remove unneded dependency on kerberos_util.Simo Sorce2012-04-121-3/+13
| | | | Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Move keytab functions in a separate file.Simo Sorce2012-04-122-2/+3
| | | | | | Confine ldb dependency. Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Move function into more appropriate header.Simo Sorce2012-04-121-8/+0
| | | | Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Make cli_credentials_invalidate_client_gss_creds static.Simo Sorce2012-04-122-2/+4
| | | | | | It's not used anywhere else. Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Make impersonate_principal_from_credentials static.Simo Sorce2012-04-121-6/+0
| | | | | | It's not used anywhere else. Signed-off-by: Andreas Schneider <asn@samba.org>
* gensec_gssapi: keep private header file close to the actual codeSimo Sorce2012-04-121-70/+0
| | | | Signed-off-by: Andreas Schneider <asn@samba.org>
* auth/gensec_gssapi: gss_krb5_lucid_context_v1_t is not shared with the gse ↵Stefan Metzmacher2012-03-151-1/+1
| | | | | | | | | code anymore metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Mar 15 09:16:16 CET 2012 on sn-devel-104
* auth/ntlmssp: Remove reference to struct ntlmssp_stateAndrew Bartlett2012-03-091-6/+1
|
* auth/ntlmssp: Remove gensec_security element from gensec_ntlmssp_stateAndrew Bartlett2012-03-094-8/+5
| | | | | | This just means there is one less pointer to ensure we initialise. Andrew Bartlett
* auth/kerberos: Fall back to gsskrb5_get_subkey if we did not get the key typeAndrew Bartlett2012-03-081-4/+23
| | | | | | | | | | The key type OID is optional, but we require that information to determine if we should use NEW_SPNEGO. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Mar 8 11:53:57 CET 2012 on sn-devel-104
* auth/kerberos: Ensure we do not print invalid memory in failure caseAndrew Bartlett2012-03-081-4/+1
| | | | | | This codeblock may not have any set->elements, so we should not print them. Copy&paste in the original code. Andrew Bartlett