Otherwise in some cases MIT's GSSAPI can crash after trying to inquire
a name.
For example see: https://github.com/modauthgssapi/mod_auth_gssapi/issues/34
Signed-off-by: Simo Sorce <simo@redhat.com>
Related #5
For GSS_Inquire_cred RFC 2743 specifies:
Input:
o cred_handle CREDENTIAL HANDLE -- if GSS_C_NO_CREDENTIAL
-- is specified, default initiator credentials are queried
Thanks to Isaac Boukris for the initial patch on which this one is based.
Fixes: https://fedorahosted.org/gss-ntlmssp/ticket/6
Fixes #5
An array passed as a function argument is just a cosmetic way to pass just a
pointer. Therefore sizeof(array) will only return the pointer length, not
the array length, and on 32 bit pointers are 4 bytes long.
Fix payload calculation by passing in the known correct length instead of using
fancy sizeofs ...
Openssl detects at runtime the CPU type and on some 32 bit CPUs will
automatically switch to a compressed schedule for the RC4_KEY.
Don't try to be too smart and just copy all the data even if it takes
4 times the space.
The code still assumes sizeof(RC4_INT) == sizeof(uint32_t)
Do this by removing directives that we do not really depend on.
This allows people to put in an email address as the source name and
have it treated automatically as an enterprise name as well.
Although technically NetBIOS names can have dots it is unlikely and the
user@domain form is generally understood to be used with UPNs and email
like addresses which use the DNS Domain Name.
The fallback case for NetBIOS domain names with a dot is to configure the
client to use the DOMAIN\user name form instead.
Not much point in this at the moment but it serves as a useful example.
xgettext will helpfully include any comment which precedes the string
in the pot file to aid in translation. So put the comments with the error
numbers *before* the corresponding strings.
We really ought to be including config.h consistently...
Apparently Windows (2012 at least) refuses to authenticate if the
target_info field in the challenge message lacks the NetBIOS Domain
name.
So always set the fake nb_domain_name if not available, but do
not mark the server as a domain member in that case.
This should make error reporting a little bit better.
These macros prevent the chance of not setting minor_status appropriately.
They also hook into the tracing system, so any time an error is set, then it
can be traced to exactly what function (and in which line) it was set.
If the GSSNTLMSSP_DEBUG environment variable is set to a file that
can be opened for writing, then trace information will be written to
that file whenever DEBUG macros are called in the code.
Return an error if status_type is bogus.
We can't call gss_display_status() for GSS_C_GSS_CODE because we'd loop
back to ourselves as unfortunately the GSSAPI mechanisms SPI uses the
same symbol names as the public API ...
But make sure to clear out flags once we receive the challenge packet
or we end up with both (OEM and UNICODE) flags set when we generate
the AUTH package.
Special care needs to be taken for DATAGRAM packets, as they are special.
Modern Windows OSs also completely ignore sending any of this stuff,
so just stop sending it ourselves, it's generally ignored anyway.
We never use these fields, so do not even attempt to decode them,
just ignore them completely.
Seems like some very old NTLM servers may omit the target_info field
entirely in the Challenge message, although MS-NLMP says modern clients
SHOULD send an empty target info header even when no target info is being
sent.
Allow interoperation with these old servers but always set the
target_info field when we generate Challenge packets.
A server can be standalone or a domain member; improve role management
so we can autodetect which role we should assume as a server.
This is needed to find out if we are "domain joined" by way of
checking nb_domain_name, in following patches.
Domain name is really just optional, only computer name is mandatory.
Domain name can be empty if the server is not a domain member.
If we cannot source the domain name do not try to fake it up, just
leave it empty and omit it from the negotiation.
Also lower the default lm compat level to 3 for broader compatibility.
This allows NTLMv1 with no LM auth.
random_pad is always set to 0, so this change makes no difference,
however with this change we conform to MS-NLMP 3.4.4.1
In the ntlmv1 extended security case, winbindd wants a
pre-digested challenge, this is arguably a bug as Winbind has all
the data it needs to compute it by itself ... oh well, just cope.
Thanks to David Woodhouse for finding this out.