path: root/libcli/auth

Commit log (subject; author, date, files changed, lines removed/added):
* s3-winbindd: Listen on IRPC and do forwarded DNS updates on an RODC
  (Andrew Bartlett, 2014-06-11; 2 files, -0/+279)
  Change-Id: Ib87933c318f510d95f7008e122216d73803ede68
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Typo: s/preceeded/preceded/
  (Jelmer Vernooij, 2014-04-14; 1 file, -3/+3)
  Caught by lintian, the Debian package linter :)
  Change-Id: Ia7162ea8c2b1845155345526b66d71ae64f15227
  Reviewed-on: https://gerrit.samba.org/216
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date(master): Mon Apr 14 03:51:15 CEST 2014 on sn-devel-104
* libcli/auth: s/encrypt/do_encrypt
  (Stefan Metzmacher, 2014-04-02; 1 file, -6/+6)
  This avoids compiler warnings.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli: Overflow array index read possible, in auth code.
  (Ira Cooper, 2014-02-24; 1 file, -1/+1)
  Changed the if condition to detect when we'd improperly overflow.
  Coverity-Id: 1167990
  Signed-off-by: Ira Cooper <ira@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Ira Cooper <ira@samba.org>
  Autobuild-Date(master): Mon Feb 24 11:56:38 CET 2014 on sn-devel-104
* Revert "libcli: Overflow array index read possible, in auth code."
  (Ira Cooper, 2014-02-24; 1 file, -2/+2)
  This reverts commit 538cbfe0e90b7c7ed0f8421b323cac4dacd83f04.
  Signed-off-by: Ira Cooper <ira@samba.org>
* libcli: Overflow array index read possible, in auth code.
  (Ira Cooper, 2014-02-24; 1 file, -2/+2)
  The values have to be signed here to allow for the values to go negative, to prevent the overflow.
  Coverity-Id: 1167990
  Signed-off-by: Ira Cooper <ira@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Ira Cooper <ira@samba.org>
  Autobuild-Date(master): Mon Feb 24 07:23:03 CET 2014 on sn-devel-104
* libcli: use DBWRAP_LOCK_ORDER_NONE when opening schannel_store.tdb
  (Michael Adam, 2014-02-07; 1 file, -1/+2)
  Make lack of lock order checking more visible.
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dbwrap: add dbwrap_flags argument to dbwrap_local_open()
  (Michael Adam, 2014-02-07; 2 files, -2/+3)
  To be consistent with db_open() and prepare for future possible extensions.
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli/auth: reject computer_name longer than 15 chars
  (Stefan Metzmacher, 2014-01-22; 1 file, -0/+8)
  This matches Windows; it seems they use a fixed size field to store netlogon_creds_CredentialState.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth: don't alter the computer_name in cluster mode.
  (Stefan Metzmacher, 2014-01-22; 1 file, -19/+3)
  This breaks NTLMv2 authentication.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth: add netlogon_creds_cli_set_global_db()
  (Stefan Metzmacher, 2014-01-22; 2 files, -0/+12)
  This can be used to inject a db_context from dbwrap_ctdb.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth: fix usage of an uninitialized variable in netlogon_creds_cli_check_caps()
  (Stefan Metzmacher, 2014-01-08; 1 file, -2/+2)
  If status is RPC_PROCNUM_OUT_OF_RANGE, result might be uninitialized.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
* libcli/auth: remove unused netlogon_creds_cli_context_copy()
  (Stefan Metzmacher, 2014-01-07; 2 files, -51/+0)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth: make use of real options in netlogon_creds_cli_context_global()
  (Stefan Metzmacher, 2014-01-07; 1 file, -15/+3)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth: use unique key_name values in netlogon_creds_cli_context_common()
  (Stefan Metzmacher, 2014-01-07; 1 file, -10/+48)
  Until all callers are fixed to pass the same 'server_computer' value, we try to calculate a server_netbios_name and use this as unique identifier for a specific domain controller.

  Otherwise winbind would use 'hostname.example.com' while 'net rpc testjoin' would use 'HOSTNAME', which leads to 2 records in netlogon_creds_cli.tdb for the same domain controller.

  Once all callers are fixed we can think about reverting this commit.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth: add netlogon_creds_cli* infrastructure
  (Stefan Metzmacher, 2014-01-07; 3 files, -0/+2738)
  This provides an abstraction to hide netlogon_creds_CredentialState, which is stored in a node local tdb.

  Where the global state (netlogon_creds_CredentialState) between client and server was only kept in memory (on the client side), we now use the abstracted netlogon_creds_cli_context.

  We now use a node specific computer name in order to establish individual netlogon sessions per node.

  If the caller wants to use some netlogon calls with credential chain (struct netr_Authenticator), netlogon_creds_cli_lock*() is used to get the current netlogon_creds_CredentialState in a g_lock'ed fashion, a talloc_free() will release the lock. The locking is needed as there might be more than one process (multiple winbindd child, cmdline tools) which want to talk to a specific domain controller. The usage of netlogon_creds_CredentialState needs to be serialized as it uses sequence numbers.

  LogonSamLogonEx doesn't use the credential chain, but for some operations it needs the global session in order to de/encrypt individual fields. It uses the lockless netlogon_creds_cli_get() and netlogon_creds_cli_validate() functions, which just make sure the session hasn't changed between get and validate.

  This prepares the proper fix for a large number of bugs:
  https://bugzilla.samba.org/show_bug.cgi?id=6563
  https://bugzilla.samba.org/show_bug.cgi?id=7944
  https://bugzilla.samba.org/show_bug.cgi?id=7945
  https://bugzilla.samba.org/show_bug.cgi?id=7568
  https://bugzilla.samba.org/show_bug.cgi?id=8599
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: move libcli/auth/schannel_sign.c into schannel.c
  (Stefan Metzmacher, 2014-01-07; 3 files, -419/+1)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth: try to use the current timestamp creds->sequence
  (Stefan Metzmacher, 2013-12-24; 1 file, -0/+22)
  If the last usage of netlogon_creds_client_authenticator() is in the past, try to use the current timestamp and increment more than just 2.

  If we use netlogon_creds_client_authenticator() a lot within a second, we keep incrementing by 2.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Tue Dec 24 13:18:18 CET 2013 on sn-devel-104
* libcli/auth: remove bogus comment regarding replay attacks
  (Stefan Metzmacher, 2013-12-24; 1 file, -2/+0)
  creds->sequence (timestamp) is the value that is used to increment the internal state, it's not a real sequence number. The sequence comes from adding all timestamps of the whole session.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth: set the return_authenticator->timestamp = 0
  (Stefan Metzmacher, 2013-12-24; 1 file, -1/+1)
  This is what Windows returns; the value is ignored by the client anyway.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth: add more const to spnego_negTokenInit->mechTypes
  (Stefan Metzmacher, 2013-08-10; 3 files, -13/+18)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Sat Aug 10 11:11:54 CEST 2013 on sn-devel-104
* libcli/auth: avoid possible mem leak in read_negTokenInit()
  (Stefan Metzmacher, 2013-08-10; 1 file, -4/+15)
  Also add error checks.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth/schannel: remove unused schannel_position
  (Stefan Metzmacher, 2013-08-10; 1 file, -7/+0)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth/schannel: make struct schannel_state private
  (Stefan Metzmacher, 2013-08-10; 2 files, -13/+12)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth: add netsec_create_state()
  (Stefan Metzmacher, 2013-08-10; 2 files, -0/+26)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth: maintain the sequence number for the NETLOGON SSP as 64bit
  (Stefan Metzmacher, 2013-08-10; 2 files, -5/+14)
  See [MS-NRPC] 3.3.4.2 The Netlogon Signature Token.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth: add netlogon_creds_shallow_copy_logon()
  (Stefan Metzmacher, 2013-08-05; 2 files, -0/+76)
  This can be used before netlogon_creds_encrypt_samlogon_logon() in order to keep the provided buffers unchanged.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli/auth: add netlogon_creds_[de|en]crypt_samlogon_logon()
  (Stefan Metzmacher, 2013-08-05; 2 files, -0/+124)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli/auth: fix shadowed declaration in netlogon_creds_crypt_samlogon_validation()
  (Stefan Metzmacher, 2013-08-05; 1 file, -4/+4)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli/auth: make netlogon_creds_crypt_samlogon_validation more robust
  (Stefan Metzmacher, 2013-08-05; 1 file, -1/+5)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli/auth: also set secure channel type in netlogon_creds_client_init().
  (Günther Deschner, 2013-08-05; 2 files, -0/+3)
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* schannel: Fix an unused variable
  (Volker Lendecke, 2013-07-31; 1 file, -1/+0)
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* build: Build with system md5.h on OpenIndiana
  (Andrew Bartlett, 2013-06-19; 3 files, -6/+6)
  This changes (again...) our system md5 detection to cope with how OpenIndiana does md5.

  I'm becoming increasingly convinced this isn't worth our while (we should have just done samba_md5...), but for now this change seems to work on FreeBSD, OpenIndiana and Linux with libbsd.

  This needs us to rename struct MD5Context -> MD5_CTX, but we provide a config.h define to rename the type bad if MD5_CTX does not exist (it does however exist in the md5.h from libbsd).

  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Wed Jun 19 21:32:36 CEST 2013 on sn-devel-104
* schannel_store.tdb: make it schannel_store.ntdb if 'use ntdb'.
  (Rusty Russell, 2013-04-12; 1 file, -1/+1)
  Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/auth: convert to dbwrap.
  (Rusty Russell, 2013-04-12; 3 files, -39/+37)
  Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/auth: avoid using transactions, a chainlock is enough
  (Stefan Metzmacher, 2013-03-28; 1 file, -10/+26)
  We're just writing a single record into a CLEAR_IF_FIRST|TDB_NOSYNC tdb. We just need to make sure we lock the record between reading and writing.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Thu Mar 28 14:52:14 CET 2013 on sn-devel-104
* libcli/auth: fix void function cannot return value error
  (Andrew Bartlett, 2013-01-22; 1 file, -2/+2)
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Jan 22 22:32:31 CET 2013 on sn-devel-104
* libcli: Check schannel state return value of tdb_transaction_commit().
  (Andreas Schneider, 2012-12-21; 1 file, -1/+5)
  Found by Coverity.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
* libcli/auth: add netlogon_creds_encrypt_samlogon_validation().
  (Günther Deschner, 2012-12-15; 2 files, -6/+44)
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth: rename netlogon_creds_decrypt_samlogon() to netlogon_creds_decrypt_samlogon_validation().
  (Günther Deschner, 2012-12-15; 2 files, -6/+9)
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth: support AES decryption in netlogon_creds_decrypt_samlogon().
  (Günther Deschner, 2012-12-09; 1 file, -0/+14)
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli/auth: remove trailing whitespace.
  (Günther Deschner, 2012-12-09; 1 file, -38/+38)
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli/auth: add netlogon_creds_aes_{en|de}crypt routines.
  (Günther Deschner, 2012-12-09; 2 files, -0/+30)
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* Remove useless bool "upper_case_domain" parameter from ntv2_owf_gen().
  (Jeremy Allison, 2012-08-24; 3 files, -13/+3)
  The code in SMBNTLMv2encrypt_hash() should not be requesting case changes on the domain name.
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Fri Aug 24 21:39:42 CEST 2012 on sn-devel-104
* Remove useless bool "upper_case_domain" parameter.
  (Jeremy Allison, 2012-08-24; 1 file, -13/+2)
* Move uppercasing the domain out of smb_pwd_check_ntlmv2()
  (Jeremy Allison, 2012-08-24; 1 file, -9/+21)
  Allows us to remove a silly bool parameter.

  Based on work done by "Blohm, Guntram (I/FP-37, extern)" <extern.guntram.blohm@audi.de>.
* libcli/auth: add support for AES/HMAC-SHA256 to the netlogon schannel sign/seal
  (Stefan Metzmacher, 2012-07-17; 1 file, -51/+137)
  metze
  Signed-off-by: Günther Deschner <gd@samba.org>
* libcli/auth: add support for AES/HMAC-SHA256 schannel session key support
  (Stefan Metzmacher, 2012-07-17; 1 file, -3/+63)
  metze
  Signed-off-by: Günther Deschner <gd@samba.org>
* s4:librpc/rpc/dcerpc_schannel: just append NETLOGON_NEG_RODC_PASSTHROUGH as rodc
  (Stefan Metzmacher, 2012-07-17; 1 file, -2/+0)
  The RODC stuff doesn't depend on the schannel algorithm.
  metze
  Signed-off-by: Günther Deschner <gd@samba.org>
* libcli: use tdb directly, not tdb_compat.
  (Rusty Russell, 2012-06-19; 1 file, -2/+2)
  Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>