path: root/source4/auth
Commit message | Author | Age | Files | Lines
* s4:kdc: implement samba_kdc_check_s4u2proxy() | Stefan Metzmacher | 2011-06-24 | 1 | -0/+1
| metze
* s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs | Stefan Metzmacher | 2011-06-22 | 1 | -1/+48
| If the KDC does not support S4U2Proxy, it might return a ticket for the TGT client principal. metze
* s4:auth/kerberos: add S4U2Proxy support to kerberos_kinit_password_cc() | Stefan Metzmacher | 2011-06-22 | 3 | -5/+134
| For S4U2Proxy we need to use the ticket from the S4U2Self stage and ask the kdc for the delegated ticket for the target service. metze
* s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs | Stefan Metzmacher | 2011-06-22 | 1 | -1/+47
| Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets which belong to the client principal of the TGT. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104
* s4:auth/kerberos: remove one indentation level in kerberos_kinit_password_cc() | Stefan Metzmacher | 2011-06-22 | 1 | -94/+99
| This will make the following changes easier to review. metze
* s4:auth/kerberos: reformat kerberos_kinit_password_cc() | Stefan Metzmacher | 2011-06-22 | 1 | -32/+41
| In order to make the following changes easier to review. metze
* s4:auth/kerberos: don't mix s4u2self creds with machine account creds | Stefan Metzmacher | 2011-06-22 | 1 | -24/+76
| It's important that we don't store the tgt for the machine account in the same krb5_ccache as the ticket for the impersonated principal. We may pass it to some krb5/gssapi functions and they may use them in the wrong way, which would grant machine account privileges to the client. metze
* s4:auth/kerberos: use better variable names in kerberos_kinit_password_cc() | Stefan Metzmacher | 2011-06-22 | 1 | -27/+41
| This will make the following changes easier to review. metze
* s4:auth/kerberos: don't ignore return code in kerberos_kinit_password_cc() | Stefan Metzmacher | 2011-06-22 | 1 | -0/+2
| metze
* s4/auth: Trivial spelling fixes. | Brad Hards | 2011-06-21 | 2 | -6/+6
| Signed-off-by: Andrew Tridgell <tridge@samba.org>
* libcli/util Rename common map_nt_error_from_unix to avoid duplicate symbol | Andrew Bartlett | 2011-06-20 | 1 | -2/+2
| The two error tables need to be combined, but for now separate the names. (As the common parts of the tree now use the _common function, errmap_unix.c must be included in the s3 autoconf build). Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
* libcli/util Bring samba4 unix -> nt_status code in common. | Andrew Bartlett | 2011-06-20 | 1 | -1/+1
| Due to library link orders, this is already the function that is being used. However we still need to sort out the duplicate symbol issues, probably by renaming things. Andrew Bartlett
* s4: fix wrong index usage PRIMARY_USER_SID_INDEX when it should have been PRIMARY_GROUP_SID_INDEX | Matthieu Patou | 2011-06-19 | 1 | -1/+1
| The system account was instantiated with wrong user and group SIDs, group sid resulted being just the domain SID. Bug seems to date from fbe6d155bf177c610ee549cc534650b0f0700e8a. Andrew (B.) please check.
* s4-auth: quiet down the krb5 warnings when kerberos is not set to 'MUST' | Andrew Tridgell | 2011-06-17 | 2 | -2/+6
| this prevents spurious error messages on client commands when we will fall back to NTLM authentication Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4:auth/ntlm/auth_unix.c - remove unused variables | Matthias Dieter Wallnöfer | 2011-06-11 | 1 | -2/+0
| Relicts from commit 323c7445713d17989452b99bbb541248bb2388eb Reviewed-by: Jelmer
* s4:auth/ntlm/auth.c - fix incompatible pointer type warning | Matthias Dieter Wallnöfer | 2011-06-09 | 1 | -2/+2
| Reviewed-by: Tridge
* s4-gensec bring GSS_S_CONTEXT_EXPIRED into its own error handler | Andrew Bartlett | 2011-06-08 | 1 | -0/+59
| This allows us to print much more debugging in this critical situation. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Jun 8 04:19:58 CEST 2011 on sn-devel-104
* s4-credentials Don't use expired Kerberos or GSSAPI credentials | Andrew Bartlett | 2011-06-08 | 1 | -4/+57
| In a long-lived credentials cache situation, we may need to refetch the ticket after (say) 10 hours. This code should help that happen, by checking the lifetime before returning any credentials cache or GSSAPI credentials. Andrew Bartlett
* s4-credentials Allow use of file-based credentials caches for debugging. | Andrew Bartlett | 2011-06-08 | 1 | -3/+9
| This means that we will leave a slew of file based credentials caches in /tmp, which should give some clues to the administrator or developer via klist as to what has gone wrong. Andrew Bartlett
* s4-auth Move default auth methods back into auth.c | Andrew Bartlett | 2011-06-07 | 1 | -4/+6
| This changes auth_methods_from_lp to no longer use the parametric options, and to cope with ROLE_DOMAIN_BDC and ROLE_DOMAIN_PDC. This will assist in calling the source4 auth subsystem with a source3 derived lp_ctx. Andrew Bartlett
* s4-modules Remove lp_ctx from init functions that no longer need it | Andrew Bartlett | 2011-06-06 | 3 | -5/+5
| Now that we don't allow the smb.conf to change the modules dir, many functions that simply load modules or initialise a subsystem that may load modules no longer need an lp_ctx. Andrew Bartlett
* s4:auth/ntlmssp/ntlmssp_server.c - add "const" in front of "dnsdomain" | Matthias Dieter Wallnöfer | 2011-05-21 | 1 | -1/+1
| Signed-off-by: Metze
* s4:auth/credentials: S4U2Self should force CRED_MUST_USE_KERBEROS | Stefan Metzmacher | 2011-05-18 | 1 | -0/+1
| Otherwise we would not impersonate the desired principal. This still doesn't work for plaintext auth, but should avoid ntlmssp. metze
* s4:auth/credentials: pass 'self_service' to cli_credentials_set_impersonate_principal() | Stefan Metzmacher | 2011-05-18 | 4 | -7/+32
| This also adds a cli_credentials_get_self_service() helper function. In order to support S4U2Proxy we need to be able to set the service principal for the S4U2Self step independent of the target principal. metze
* s4:gensec_gssapi: avoid delegation if s4u2self/proxy is used | Stefan Metzmacher | 2011-05-18 | 1 | -0/+4
| metze
* s4-auth Rename auth -> auth4 to avoid conflict with s3 auth | Andrew Bartlett | 2011-05-08 | 18 | -74/+74
|
* s4-auth: remove unused prototype | Andrew Tridgell | 2011-05-08 | 1 | -4/+1
|
* s4-auth: removed the password combinations code in auth_unix | Andrew Tridgell | 2011-05-05 | 1 | -39/+4
| this code never did anything due to a typo, and was untested. We should not be including a password cracker in Samba anyway. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Thu May 5 07:00:14 CEST 2011 on sn-devel-104
* sasl_secret_t ends in a char [1] size. This means the extra character is ↵ | Jeremy Allison | 2011-05-04 | 1 | -2/+2
| implicit in the safe_strcpy. When changing to strlcpy ensure we allocate an extra char for it. This fixes a bug where secret->len+1 used with safe_strcpy could actually write into secret->len+2.
* Remove strlower_m() and strupper_m() from source4 and common code. | Andrew Bartlett | 2011-05-03 | 1 | -14/+14
| This function is problematic because a string may expand in size when changed into upper or lower case. This will then push characters off the end of the string in the s3 implementation, or panic in the former s4 implementation. Andrew Bartlett
* s4-messaging Rename messaging -> imessaging | Andrew Bartlett | 2011-05-03 | 5 | -16/+16
| This avoids symbol and structure conflicts between Samba3 and Samba4, and chooses a less generic name. Andrew Bartlett
* s4-param Remove config_path() -> lpcfg_config_path() | Andrew Bartlett | 2011-04-29 | 1 | -1/+1
| This is consistent with lock_path() Andrew Bartlett
* s4-gensec: Use new common 'obtain the PAC' functions. | Andrew Bartlett | 2011-04-27 | 1 | -15/+4
| Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Apr 27 05:08:10 CEST 2011 on sn-devel-104
* libcli/auth Move Samba4's gssapi_error_string from GENSEC to libcli/auth | Andrew Bartlett | 2011-04-27 | 1 | -38/+0
| This will allow the GSSAPI PAC fetch code to use it. Andrew Bartlett
* libcli/auth Move PAC parsing and verification in common. | Andrew Bartlett | 2011-04-20 | 3 | -336/+19
| This uses the source3 PAC code (originally from Samba4) with some small changes to restore functionality needed by the torture tests, and to have a common API. Andrew Bartlett
* s3-auth Rename smb_krb5_open_keytab to avoid a conflict with s3 | Andrew Bartlett | 2011-04-14 | 2 | -9/+9
| The s3 function doesn't use the keytab_container concept. Andrew Bartlett
* libcli/auth Move krb5 wrapper functions from s3 into common | Andrew Bartlett | 2011-04-14 | 3 | -113/+4
| This requires a small rework of the build system to ensure that the correct #define statements are made in both the s3 and top level builds. We now define the various HAVE_ macros in config.h at all times, using heimdal_build/wscript_configure when that is in use. Andrew Bartlett
* lib: make asn1_util a private library | Andrew Tridgell | 2011-04-06 | 2 | -2/+2
| this prevents symbol duplication of the asn1 symbols in the service and ntvfs subsystems Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* auth: Move auth_session_info into IDL | Andrew Bartlett | 2011-04-05 | 4 | -104/+16
| This changes auth_session_info_transport to just be a wrapper, rather than a copy that has to be kept in sync. As auth_session_info was already wrapped in python, this required changes to the existing pyauth wrapper and its users. Andrew Bartlett
* s4-auth: Always talloc_zero() the struct auth_session_info | Andrew Bartlett | 2011-04-05 | 1 | -1/+1
|
* s4-krb5: be a bit less verbose about krb5 packets | Andrew Tridgell | 2011-04-04 | 1 | -1/+1
| Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* Fix inspired by work done by David Disseldorp for bug #8040 - smbclient ↵ | Jeremy Allison | 2011-03-28 | 1 | -4/+10
| segfaults when a Cyrillic netbios name or workgroup is configured. Change msrpc_gen to return NTSTATUS and ensure everywhere this is used it is correctly checked to return that status. Jeremy.
* s4:python bindings - handle NULL returns from "loadparm_init_global" | Matthias Dieter Wallnöfer | 2011-03-22 | 1 | -0/+10
| Reviewed-by: Jelmer Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Tue Mar 22 19:52:57 CET 2011 on sn-devel-104
* s4:auth/system_session.c - check for OOM | Matthias Dieter Wallnöfer | 2011-03-22 | 1 | -0/+2
| Reviewed-by: Jelmer
* source4/auth: Fix prototypes for all functions. | Jelmer Vernooij | 2011-03-19 | 6 | -1/+17
|
* source4/auth/ntlm: Fix prototypes for all functions. | Jelmer Vernooij | 2011-03-19 | 7 | -0/+13
|
* source4/auth/gensec: Fix prototypes for all functions. | Jelmer Vernooij | 2011-03-19 | 7 | -1/+11
|
* Fix public header not to include private (not installed) ones. | Simo Sorce | 2011-03-14 | 2 | -1/+2
| Autobuild-User: Simo Sorce <idra@samba.org> Autobuild-Date: Mon Mar 14 17:01:20 CET 2011 on sn-devel-104
* s4-nterr: move auth_nt_status_squash to nt_status_squash and move to nterr.c | Günther Deschner | 2011-03-04 | 3 | -26/+1
| Guenther
* Fix some types | Jelmer Vernooij | 2011-02-28 | 1 | -1/+1
| Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Mon Feb 28 23:30:06 CET 2011 on sn-devel-104