summaryrefslogtreecommitdiffstats
path: root/source4/auth
Commit message (Collapse)AuthorAgeFilesLines
...
* auth-kerberos: add the credentials.h so that enum credentials_obtained is ↵Matthieu Patou2013-10-271-0/+1
| | | | | | | | | | | | | defined We had a warning about the enum being defined in the parameter list: warning: ‘enum credentials_obtained’ declared inside parameter list Signed-off-by: Matthieu Patou <mat@matws.net> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Autobuild-User(master): Matthieu Patou <mat@samba.org> Autobuild-Date(master): Sun Oct 27 02:25:47 CET 2013 on sn-devel-104
* auth4: Remove an unused variableVolker Lendecke2013-10-151-1/+0
| | | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gensec: move schannel module to toplevel.Günther Deschner2013-09-192-340/+0
| | | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Pair-Programmed-With: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/gensec: introduce gensec_internal.hStefan Metzmacher2013-08-105-0/+5
| | | | | | | | | | We should treat most gensec related structures private. It's a long way, but this is a start. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:gensec/schannel: only require librpc/gen_ndr/dcerpc.hStefan Metzmacher2013-08-101-1/+1
| | | | | | | | We just need DCERPC_AUTH_TYPE_SCHANNEL Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:gensec/schannel: there's no point in having schannel_session_key()Stefan Metzmacher2013-08-101-8/+0
| | | | | | | | | | gensec_session_key() will return NT_STATUS_NO_USER_SESSION_KEY before calling schannel_session_key(), as we don't provide GENSEC_FEATURE_SESSION_KEY. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:gensec/schannel: GENSEC_FEATURE_ASYNC_REPLIES is not supportedStefan Metzmacher2013-08-101-3/+0
| | | | | | | | | There's a sequence number attached to the connection, which needs to be incremented with each message... Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:gensec/schannel: use the correct computer_name from ↵Stefan Metzmacher2013-08-101-3/+3
| | | | | | | | | | | netlogon_creds_CredentialState We need to use the same computer_name we used in the netr_Authenticate3 request. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:gensec/schannel: simplify the code by using netsec_create_state()Stefan Metzmacher2013-08-101-68/+30
| | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:gensec/schannel: remove unused dcerpc_schannel_creds()Stefan Metzmacher2013-08-102-49/+0
| | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gensec: Make the no-hostname status message much less scaryAndrew Bartlett2013-05-162-2/+2
| | | | Reviewed-by: Stefan Metzmacher <metze@samba.org>
* source4/auth/kerberos/kerberos-notes.txt: Fix typo.Karolin Seeger2013-05-151-1/+1
| | | | | Signed-off-by: Karolin Seeger <kseeger@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* gensec: recv_handler can't be NULL at that point.Andreas Schneider2013-03-051-1/+1
| | | | | | We probably want to segfault here if it is NULL. Reviewed-by: David Disseldorp <ddiss@samba.org>
* Move python modules from source4/scripting/python/ to python/.Jelmer Vernooij2013-03-021-1/+1
| | | | | | | Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sat Mar 2 03:57:34 CET 2013 on sn-devel-104
* s4:pygensec: make use of samba_tevent_context_init()Stefan Metzmacher2013-02-281-1/+1
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* pyauth: Check return value of lpcfg_from_py_object().Andreas Schneider2013-02-221-0/+4
| | | | Reviewed-by: Alexander Bokovoy <ab@samba.org>
* s4:auth/kerberos: make use of samba_tevent_context_init()Stefan Metzmacher2013-02-191-1/+1
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* Fix some cut-and-paste and spelling in debug messagesGuenter Kukkukk2013-02-121-8/+8
| | | | | | | | | Signed-off-by: Guenter Kukkukk <kukks@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Feb 12 07:28:27 CET 2013 on sn-devel-104
* dsdb: Ensure "authenticated users" is processed for group membershipsAndrew Bartlett2013-01-211-5/+39
| | | | | | | | | | | | | | | | | | This change moves the addition of "Authenticated Users" from the very end of the token processing to the start. The reason is that we need to see if "Authenticated Users" is a member of other builtin groups, just as we would for any other SID. This picks up the "Pre-Windows 2000 Compatible Access" group, which is in turn often used in ACLs on LDAP objects. Without this change, the eventual token does not contain S-1-5-32-554 and users other than "Administrator" are unable to read uidNumber (in particular). Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: Support match-by-key in cli_credentials_get_server_gss_creds()Andrew Bartlett2012-08-302-0/+2
| | | | | | | | | | | | | This allows a password alone to be used to accept kerberos tickets. Of course, we need to have got the salt right, but we do not need also the correct kvno. This allows gensec_gssapi to accept tickets based on a secrets.tdb entry. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Aug 30 01:26:12 CEST 2012 on sn-devel-104
* lib/krb5_wrap: Move enctype conversion functions into a simple helper fileAndrew Bartlett2012-08-281-45/+0
|
* build: rename security → samba-securityBjörn Jacke2012-08-102-2/+2
| | | | | | | | | there is a libsecurity on OSF1 which clasheѕ with our security lib. see bug #9023. Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Björn Jacke <bj@sernet.de> Autobuild-Date(master): Fri Aug 10 14:22:21 CEST 2012 on sn-devel-104
* s4-auth: Make sure we use the correct credential state.Andreas Schneider2012-07-171-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If we create a copy of the credential state we miss updates to the credentials. To establish a netlogon schannel connection we create client credentials and authenticate with them using dcerpc_netr_ServerAuthenticate2() For this we call netlogon_creds_client_authenticator() which increases the sequence number and steps the credentials. Lets assume the sequence number is 1002. After a successful authentication we get the server credentials and we send bind a auth request with the received creds. This sets up gensec and the gensec schannel module created a copy of the client creds and stores it in the schannel auth state. So the creds stored in gensec have the sequence number 1002. After that we continue and need the client credentials to call dcerpc_netr_LogonGetCapabilities() to verify the connection. So we need to increase the sequence number of the credentials to 1004 and step the credentials to the next state. The server always does the same and everything is just fine here. The connection is established and we want to do another netlogon call. So we get the creds from gensec and want to do a netlogon call e.g. dcerpc_netr_SamLogonWithFlags. We get the needed creds from gensec. The sequence number is 1002 and we talk to the server. The server is already ahead cause we are already at sequence number 1004 and the server expects it to be 1006. So the server gives us ACCESS_DENIED cause we use a copy in gensec. Signed-off-by: Günther Deschner <gd@samba.org>
* auth: Common function for retrieving PAC_LOGIN_INFO from PACChristof Schmitt2012-07-062-45/+0
| | | | | | | | Several functions use the same logic as kerberos_pac_logon_info. Move kerberos_pac_logon_info to common code and reuse it to remove the code duplication. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* auth: Remove .get_challenge (only used for security=server)Andrew Bartlett2012-07-037-97/+0
| | | | | | | | | | | | | With NTLMSSP, for NTLM2 we need to be able to set the effective challenge, so if we ever did use a module that needed this functionlity, we would downgrade to just NTLM. Now that security=server has been removed, we have no such module. This will make it easier to make the auth subsystem async, as we will not need to consider making .get_challenge async. Andrew Bartlett
* auth: Use only security_token_is_system to determine that a user is SYSTEMAndrew Bartlett2012-06-191-2/+0
| | | | | | | | | | This removes the duplication on how to detect that a user is system in Samba now that the smbd system account is also only SID_NT_SYSTEM we can use the same check everywhere. Andrew Bartlett Signed-off-by: Andreas Schneider <asn@samba.org>
* lib/param: Create a seperate server role for "active directory domain ↵Andrew Bartlett2012-06-152-1/+2
| | | | | | | | | | | | | | | controller" This will allow us to detect from the smb.conf if this is a Samba4 AD DC which will allow smarter handling of (for example) accidentially starting smbd rather than samba. To cope with upgrades from existing Samba4 installs, 'domain controller' is a synonym of 'active directory domain controller' and new parameters 'classic primary domain controller' and 'classic backup domain controller' are added. Andrew Bartlett
* s4:kerberos: fix typos in kerberos-notes.txtMichael Adam2012-06-121-2/+2
|
* s4:gensec: fix a comment typoMichael Adam2012-06-121-1/+1
|
* build: Add missing deps and make MESSAGING a private libraryAndrew Bartlett2012-06-071-1/+1
| | | | | | | | | To remove finddcs_nbt these missing deps need to be added. These subsystems linked to to implicit dependencies provided by finddcs. Due to the new arrangmenet of subsystems, MESSAGING needs to be a private library to avoid being a source of duplicate symbols. Andrew Bartlett
* lib/krb5_wrap: Move krb5_princ_size helper to source4 as it is only used thereAndrew Bartlett2012-05-301-0/+8
| | | | | | | | | | This is also where the related krb5_princ_component is declared. Also fix the configure check to use the correct name This helps the autoconf build on Heimdal. Andrew Bartlett
* gse: Use the smb_gss_oid_equal wrapper.Andreas Schneider2012-05-232-2/+5
| | | | Signed-off-by: Andreas Schneider <asn@samba.org>
* Introduce system MIT krb5 build with --with-system-mitkrb5 option.Alexander Bokovoy2012-05-232-1/+2
| | | | | | | | | | | | | | | | | System MIT krb5 build also enabled by specifying --without-ad-dc When --with-system-mitkrb5 (or --withou-ad-dc) option is passed to top level configure in WAF build we are trying to detect and use system-wide MIT krb5 libraries. As result, Samba 4 DC functionality will be disabled due to the fact that it is currently impossible to implement embedded KDC server with MIT krb5. Thus, --with-system-mitkrb5/--without-ad-dc build will only produce * Samba 4 client libraries and their Python bindings * Samba 3 server (smbd, nmbd, winbindd from source3/) * Samba 3 client libraries In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture. This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.
* gensec_gssapi: Make it possible to build with MIT krb5Simo Sorce2012-05-231-10/+20
| | | | | | | | | | We need to ifdef out some minor things here because there is no available API to set these options in MIT. The realm and canonicalize options should be not interesting in the client case. Same for the send_to_kdc hacks. Also the OLD DES3 enctype is not at all interesting. I am not aware that Windows will ever use DES3 and no modern implementation relies on that enctype anymore as it has been fully deprecated long ago, so we can simply ignore it.
* pygensec: Fix init of variable if not specified.Jelmer Vernooij2012-05-181-1/+1
| | | | | | | | | Thanks to Wolfgang Sourdeau for reporting this. Bug: https://bugzilla.samba.org/show_bug.cgi?id=8946 Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Fri May 18 04:50:17 CEST 2012 on sn-devel-104
* s4:auth/gensec_gssapi: add "gensec_gssapi:requested_life_time" optionStefan Metzmacher2012-05-171-1/+6
| | | | metze
* s4:auth/gensec: implement gensec_gssapi_expire_time()Stefan Metzmacher2012-05-171-0/+13
| | | | metze
* s4:auth/gensec_gssapi: add missing 'break' statementsStefan Metzmacher2012-05-171-0/+2
| | | | metze
* s4:auth/gensec_gssapi: remember the expire timeStefan Metzmacher2012-05-172-2/+9
| | | | metze
* s4:auth: remove unused auth_server.cStefan Metzmacher2012-05-152-245/+0
| | | | metze
* s4-auth: Use smb_krb5_make_pac_checksum.Andreas Schneider2012-05-081-54/+24
| | | | Signed-off-by: Simo Sorce <idra@samba.org>
* s4:auth/kerberos: don't do tracing in MIT buildAlexander Bokovoy2012-05-041-17/+0
| | | | Signed-off-by: Simo Sorce <idra@samba.org>
* auth-session: MIT doesn't have import/export cred yetSimo Sorce2012-05-041-3/+5
| | | | | | | For now let's just loose this functionality with the MIT build. gss_import/export_cred should be availa ble when MIT 1.11 is released and this code is used only in some proxy scenario. Not normally needed for common configurations.
* s4-auth-krb: Make srv_keytab.c build against MIT KerberosSimo Sorce2012-05-041-8/+11
|
* Fix incompatible assignment warningSimo Sorce2012-05-041-1/+1
|
* Fix compiler warningSimo Sorce2012-05-041-1/+1
|
* s4-auth-krb: Use compat code to initialize keyblock contentsSimo Sorce2012-05-041-1/+1
|
* s4-auth-krb: Disable code in MIT buildSimo Sorce2012-05-041-1/+4
| | | | | | Unfortunately these functions are not available in MIT and there is no easy workaround or compat funciton I can see at this stage. Will fix properly once MIT gets the necessary functions or if another workaround can be found.
* Move keytab_copy to krb5samba libSimo Sorce2012-05-042-231/+1
| | | | | This is a helper fucntion that uses purely krb5 code, so it belongs to krb5samba which is the krb5 wrapper for samba.
* Fix keytab_copy to compile with MIT librariues tooSimo Sorce2012-05-041-10/+12
|
generated by cgit (git 2.34.1) at 2025-09-03 11:45:56 +0000