path: root/source4/auth
Commit message [Author, Age, Files, Lines]
* s4: Changes the old occurrences of "lp_realm" in "lp_dnsdomain" where needed
  [Matthias Dieter Wallnöfer, 2009-10-14, 2 files, -18/+9]
  For KERBEROS applications the realm should be upper case (function "lp_realm") but for DNS ones it should be used lower case (function "lp_dnsdomain"). This patch implements the use of both in the right way.
* s4-pygensec: a bit closer to working
  [Andrew Tridgell, 2009-10-02, 3 files, -9/+56]
  I'll need help from Andrew on how to get gensec to initialise its ops element.
* gensec: Avoid exposing lp_ctx on the API level.
  [Jelmer Vernooij, 2009-09-26, 3 files, -14/+12]
* pygensec: Add initial work on a gensec Python module.
  [Jelmer Vernooij, 2009-09-26, 3 files, -0/+184]
* s4:auth/gensec/schannel - fix a const warning
  [Matthias Dieter Wallnöfer, 2009-09-25, 1 file, -1/+2]
* s4:schannel: fix some compiler warnings
  [Stefan Metzmacher, 2009-09-25, 1 file, -2/+4]
  If we only do signing we can pass down a const data buffer.
  metze
* s4-auth: add SID_NT_ENTERPRISE_DCS is a server trust account
  [Andrew Tridgell, 2009-09-19, 1 file, -1/+13]
* s4-sam: add a note about the solaris client
  [Andrew Tridgell, 2009-09-17, 1 file, -0/+2]
* spnego: Support ASN.1 BIT STRING and use it in SPNEGO.
  [Kouhei Sutou, 2009-09-17, 1 file, -2/+4]
  Signed-off-by: Günther Deschner <gd@samba.org>
* spnego: share spnego_parse.
  [Günther Deschner, 2009-09-17, 4 files, -475/+2]
  Guenther
* libcli/auth: rewrite schannel sign/seal code to be more generic
  [Stefan Metzmacher, 2009-09-16, 1 file, -33/+56]
  This prepares support for HMAC-SHA256/AES.
  metze
* schannel: move schannel_sign to main directory.
  [Günther Deschner, 2009-09-16, 4 files, -312/+3]
  Guenther
* s4-schannel: try to fix the build.
  [Günther Deschner, 2009-09-16, 1 file, -1/+1]
  Guenther
* s4-schannel: first step of decoupling schannel from gensec.
  [Günther Deschner, 2009-09-16, 2 files, -20/+51]
  Guenther
* s4-schannel: strip trailing whitespace.
  [Günther Deschner, 2009-09-16, 1 file, -36/+36]
  Guenther
* s4-schannel: use NL_AUTH_MESSAGE for schannel.
  [Günther Deschner, 2009-09-13, 1 file, -23/+35]
  Guenther
* s4-schannel: strip trailing whitespace.
  [Günther Deschner, 2009-09-13, 1 file, -26/+26]
  Guenther
* Added "admin_session" method.
  [Nadezhda Ivanova, 2009-09-09, 3 files, -0/+218]
  The purpose of admin_session is to be able to execute parts of provisioning as the user Administrator in order to have the correct group and owner in the security descriptors. To be used for provisioning and tests only.
* s4:sam - Implement also here the right primary group behaviour
  [Matthias Dieter Wallnöfer, 2009-09-07, 1 file, -46/+71]
  We have not only to expand the additional groups but *also* the primary group to gain all rights of a user account. Also, remove an unneeded context (tmp_ctx) and "talloc_steal".
* s4: include ntlmssp header in auth/ntlmssp/ntlmssp.h.
  [Günther Deschner, 2009-08-28, 1 file, -0/+1]
  Guenther
* s4-ntlmssp: use interface constants in TargetInfo blob.
  [Günther Deschner, 2009-08-28, 1 file, -5/+5]
  Guenther
* s4-ntlmssp: use NTLMSSP headers from IDL and remove duplicate constants.
  [Günther Deschner, 2009-08-28, 5 files, -50/+21]
  Guenther
* s4-schannel: add ldb suffix to schannel functions.
  [Günther Deschner, 2009-08-27, 1 file, -2/+2]
  Guenther
* s4:kerberos Use MIT compatible names for these enc types
  [Andrew Bartlett, 2009-08-21, 1 file, -1/+1]
  This is a small start on (ie, the only trivial part of) the work shown in:
  http://k5wiki.kerberos.org/wiki/Projects/Samba4_Port#Samba.27s_use_of_Heimdal_symbols.2C_with_MIT_differences
  (a table of all Kerberos symbols used in Samba4, and notes on where they differ from those provided with MIT Kerberos)
  Andrew Bartlett
* added a uid_wrapper library
  [Andrew Tridgell, 2009-08-05, 1 file, -1/+1]
  This library intercepts seteuid and related calls, and simulates them in a manner similar to the nss_wrapper and socket_wrapper libraries. This allows us to enable the vfs_unixuid NTVFS module in the build farm, which means we are more likely to catch errors in the token manipulation.
  The simulation is not complete, but it is enough for Samba4 for now. The major areas of incompleteness are:
  - no emulation of setreuid, setresuid or saved uids. These would be needed for use in Samba3
  - no emulation of ruid changing. That would also be needed for Samba3
  - no attempt to emulate file ownership changing, so code that (for example) tests whether st.st_uid matches geteuid() needs special handling
* s4: Change my nested groups patch to not include user's SID itself in the "groupSID"s structure
  [Matthias Dieter Wallnöfer, 2009-08-04, 1 file, -17/+24]
* Return infinite time for last logoff when last logoff = 0
  [Matthieu Patou, 2009-08-03, 2 files, -2/+2]
* s4:auth: make sure we have elements returned at all in authsam_expand_nested_groups()
  [Stefan Metzmacher, 2009-07-31, 1 file, -0/+6]
  metze
* s4: Patch to implement nested group and privileges
  [Matthias Dieter Wallnöfer, 2009-07-31, 1 file, -34/+100]
  This patch adds a function "authsam_expand_nested_groups" (calculation of rights through expanding groups of a certain SID) which basically collects all memberships through "memberOf" attributes. It works with either user or group SIDs. For avoiding loops it tests on each call if the SID hasn't been added yet (through the helper function "sids_contains_sid"). The function itself is called by "authsam_make_server_info".
* s4:gensec/spnego: only generate the mechListMic when the server expects it
  [Stefan Metzmacher, 2009-07-28, 1 file, -1/+2]
  This fixes the ntvfs.cifs tests.
  metze
* s4:kerberos Add support for user principal names in certificates
  [Andrew Bartlett, 2009-07-28, 2 files, -3/+5]
  This extends the PKINIT code in Heimdal to ask the HDB layer if the User Principal Name in the certificate is an alias (perhaps just by case change) of the name given in the AS-REQ. (This was a TODO in the Heimdal KDC)
  The testsuite is extended to test this behaviour, and the other PKINIT certificate (using the standard method to specify a principal name in a certificate) is updated to use "Administrator" (not "administrator"). (This fixes the kinit test).
  Andrew Bartlett
* s4:kerberos Add 'net export keytab' command for wireshark decryption
  [Andrew Bartlett, 2009-07-28, 2 files, -1/+148]
  It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 domain.
  (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term).
  Andrew Bartlett
* Revert "s4:kerberos Add 'net export keytab' command for wireshark decryption"
  [Stefan Metzmacher, 2009-07-27, 2 files, -148/+1]
  This reverts commit a40ce5d0d9d06f592a8885162bbaf644006b9f0f.
  This breaks the build... Andrew, please repush it, when it's fixed:-)
  metze
* s4:kerberos Add 'net export keytab' command for wireshark decryption
  [Andrew Bartlett, 2009-07-27, 2 files, -1/+148]
  It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 domain.
  (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term).
  Andrew Bartlett
* s4:gensec_gssapi: pass the correct oid to the gssapi layer.
  [Stefan Metzmacher, 2009-07-24, 1 file, -4/+11]
  metze
* s4:gensec/spnego: make sure we send the blob with the micListMech signature to the peer
  [Stefan Metzmacher, 2009-07-24, 1 file, -1/+1]
  We should even do this if the submech has no more data to send.
  metze
* s4:kdc Rework KDC to pull in fewer attributes for krbtgt lookups
  [Andrew Bartlett, 2009-07-17, 2 files, -15/+29]
  Each attribute we request from LDB comes with a small cost, so don't look up any more than we must for the (very) frequent krbtgt lookup case.
  Similarly, we don't need to build a PAC for a server (as a target), so don't ask for the PAC attributes here either.
  Andrew Bartlett
* s4:gensec Rework gensec_krb5 mutual authentication defaults
  [Andrew Bartlett, 2009-07-16, 1 file, -24/+28]
  When emulating Samba3 (which we do to ensure we don't break compatibility), don't do mutual authentication by default, as it breaks the session key with AES and isn't what Samba3 does anyway.
  Andrew Bartlett
* s4:gensec Allow mutual auth to be turned off in 'fake_gssapi_krb5'
  [Andrew Bartlett, 2009-07-16, 1 file, -5/+15]
  This allows the older 'like Samba3' GENSEC krb5 implementation to work against Windows 2008. I'm using this to track down interop issues in this area.
  Andrew Bartlett
* s4:auth/ntlmssp: let _unwrap fallback to seal if sign only doesn't work
  [Stefan Metzmacher, 2009-07-08, 1 file, -6/+57]
  Windows always uses SEAL with NTLMSSP on LDAP connections even if not negotiated.
  metze
* s4:auth It is easier to copy the session key than get talloc right.
  [Andrew Bartlett, 2009-07-07, 1 file, -4/+3]
  The session keys as supplied already have a reference on them, so stealing them creates challenges. For 16 bytes, it is just easier to be consistent and copy them.
  Andrew Bartlett
* gensec_start now steals the auth_context
  [Andrew Tridgell, 2009-07-01, 1 file, -1/+3]
* another case that should use py_talloc_reference
  [Andrew Tridgell, 2009-07-01, 1 file, -1/+1]
* removed a redundant talloc_steal
  [Andrew Tridgell, 2009-07-01, 1 file, -2/+0]
* fixed the use of talloc_steal in ntlmssp_server
  [Andrew Tridgell, 2009-07-01, 1 file, -3/+2]
  The previous use of talloc_steal could cause a steal of a pointer that had references. This ensures that doesn't happen.
* Rework the kerberos-notes.txt in order and format
  [Don Davis, 2009-06-30, 1 file, -0/+803]
  This reworks the notes file to be less stream-of-consciousness and more task-oriented for porting, with a very particular focus on a potential port of Samba4 to use MIT Kerberos.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4 auth_winbind: Internally, info3 has utf8 buffers, not utf16 buffers.
  [Kai Blin, 2009-06-25, 1 file, -63/+16]
  Thanks to gd for the catch.
* s4 auth_winbind: Don't allocate the rids for the info3 structure within the loop
  [Kai Blin, 2009-06-25, 1 file, -4/+4]
* s4: Add libwbclient backend to auth_winbind
  [Kai Blin, 2009-06-25, 2 files, -1/+216]
* Fixed some uninitialised variables
  [Matthias Dieter Wallnöfer, 2009-06-19, 1 file, -5/+1]
  I tried hard to not change the program logic. Should fix bug #6439.