summaryrefslogtreecommitdiff
path: root/source4/auth
diff options
context:
space:
mode:
authorJelmer Vernooij <jelmer@samba.org>2008-05-23 15:24:40 +0200
committerJelmer Vernooij <jelmer@samba.org>2008-05-23 15:24:40 +0200
commit7fb26774021986a08d03db968a7826ee64ea7410 (patch)
tree272d8e4f7671b48c95c817724b41d9c27de1e282 /source4/auth
parentfd01b27edd5a83306f4ce567e31d43641dd003b8 (diff)
parent1186579f94d81bc633b8f20e8ad8673313c8c39b (diff)
downloadsamba-7fb26774021986a08d03db968a7826ee64ea7410.tar.gz
samba-7fb26774021986a08d03db968a7826ee64ea7410.tar.bz2
samba-7fb26774021986a08d03db968a7826ee64ea7410.zip
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into registry
(This used to be commit e8d96b61db1cddc2d8dca45e6e9b53d5c31ee5d4)
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/auth.py2
-rw-r--r--source4/auth/auth_server.c377
-rw-r--r--source4/auth/auth_wrap.c65
-rw-r--r--source4/auth/config.mk101
-rw-r--r--source4/auth/credentials/config.mk16
-rw-r--r--source4/auth/credentials/credentials.c42
-rw-r--r--source4/auth/credentials/credentials.h25
-rw-r--r--source4/auth/credentials/credentials.i33
-rw-r--r--source4/auth/credentials/credentials.py93
-rw-r--r--source4/auth/credentials/credentials_files.c14
-rw-r--r--source4/auth/credentials/credentials_krb5.c35
-rw-r--r--source4/auth/credentials/credentials_krb5.h1
-rw-r--r--source4/auth/credentials/credentials_ntlm.c52
-rw-r--r--source4/auth/credentials/credentials_wrap.c140
-rw-r--r--source4/auth/credentials/tests/bindings.py2
-rw-r--r--source4/auth/gensec/config.mk30
-rw-r--r--source4/auth/gensec/gensec.c23
-rw-r--r--source4/auth/gensec/gensec_gssapi.c14
-rw-r--r--source4/auth/gensec/gensec_krb5.c16
-rw-r--r--source4/auth/gensec/schannel.c5
-rw-r--r--source4/auth/gensec/schannel_state.c11
-rw-r--r--source4/auth/kerberos/config.mk5
-rw-r--r--source4/auth/ntlm/auth.c (renamed from source4/auth/auth.c)4
-rw-r--r--source4/auth/ntlm/auth_anonymous.c (renamed from source4/auth/auth_anonymous.c)2
-rw-r--r--source4/auth/ntlm/auth_developer.c (renamed from source4/auth/auth_developer.c)2
-rw-r--r--source4/auth/ntlm/auth_proto.h50
-rw-r--r--source4/auth/ntlm/auth_sam.c (renamed from source4/auth/auth_sam.c)5
-rw-r--r--source4/auth/ntlm/auth_server.c225
-rw-r--r--source4/auth/ntlm/auth_simple.c (renamed from source4/auth/auth_simple.c)2
-rw-r--r--source4/auth/ntlm/auth_unix.c (renamed from source4/auth/auth_unix.c)4
-rw-r--r--source4/auth/ntlm/auth_util.c (renamed from source4/auth/auth_util.c)0
-rw-r--r--source4/auth/ntlm/auth_winbind.c (renamed from source4/auth/auth_winbind.c)2
-rw-r--r--source4/auth/ntlm/config.mk86
-rw-r--r--source4/auth/ntlm/ntlm_check.c (renamed from source4/auth/ntlm_check.c)1
-rw-r--r--source4/auth/ntlm/ntlm_check.h75
-rw-r--r--source4/auth/ntlm/pam_errors.c (renamed from source4/auth/pam_errors.c)0
-rw-r--r--source4/auth/ntlm/pam_errors.h47
-rw-r--r--source4/auth/ntlmssp/config.mk12
-rw-r--r--source4/auth/ntlmssp/ntlmssp.c2
-rw-r--r--source4/auth/ntlmssp/ntlmssp_server.c4
-rw-r--r--source4/auth/sam.c3
-rw-r--r--source4/auth/session.c8
-rw-r--r--source4/auth/session.h17
-rw-r--r--source4/auth/system_session.c7
-rw-r--r--source4/auth/tests/bindings.py2
45 files changed, 995 insertions, 667 deletions
diff --git a/source4/auth/auth.py b/source4/auth/auth.py
index 88675f3626..1a7aa6d0e7 100644
--- a/source4/auth/auth.py
+++ b/source4/auth/auth.py
@@ -1,5 +1,5 @@
# This file was automatically generated by SWIG (http://www.swig.org).
-# Version 1.3.33
+# Version 1.3.35
#
# Don't modify this file, modify the SWIG interface instead.
diff --git a/source4/auth/auth_server.c b/source4/auth/auth_server.c
deleted file mode 100644
index f200ad9665..0000000000
--- a/source4/auth/auth_server.c
+++ /dev/null
@@ -1,377 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- Authenticate to a remote server
- Copyright (C) Andrew Tridgell 1992-1998
- Copyright (C) Andrew Bartlett 2001
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-
-/****************************************************************************
- Support for server level security.
-****************************************************************************/
-
-static struct smbcli_state *server_cryptkey(TALLOC_CTX *mem_ctx, bool unicode, int maxprotocol, struct resolve_context *resolve_ctx)
-{
- struct smbcli_state *cli = NULL;
- fstring desthost;
- struct in_addr dest_ip;
- const char *p;
- char *pserver;
- bool connected_ok = false;
-
- if (!(cli = smbcli_initialise(cli)))
- return NULL;
-
- /* security = server just can't function with spnego */
- cli->use_spnego = false;
-
- pserver = talloc_strdup(mem_ctx, lp_passwordserver());
- p = pserver;
-
- while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) {
- strupper(desthost);
-
- if(!resolve_name(resolve_ctx, desthost, &dest_ip, 0x20)) {
- DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost));
- continue;
- }
-
- if (ismyip(dest_ip)) {
- DEBUG(1,("Password server loop - disabling password server %s\n",desthost));
- continue;
- }
-
- /* we use a mutex to prevent two connections at once - when a
- Win2k PDC get two connections where one hasn't completed a
- session setup yet it will send a TCP reset to the first
- connection (tridge) */
-
- if (!grab_server_mutex(desthost)) {
- return NULL;
- }
-
- if (smbcli_connect(cli, desthost, &dest_ip)) {
- DEBUG(3,("connected to password server %s\n",desthost));
- connected_ok = true;
- break;
- }
- }
-
- if (!connected_ok) {
- release_server_mutex();
- DEBUG(0,("password server not available\n"));
- talloc_free(cli);
- return NULL;
- }
-
- if (!attempt_netbios_session_request(cli, lp_netbios_name(),
- desthost, &dest_ip)) {
- release_server_mutex();
- DEBUG(1,("password server fails session request\n"));
- talloc_free(cli);
- return NULL;
- }
-
- if (strequal(desthost,myhostname(mem_ctx))) {
- exit_server("Password server loop!");
- }
-
- DEBUG(3,("got session\n"));
-
- if (!smbcli_negprot(cli, unicode, maxprotocol)) {
- DEBUG(1,("%s rejected the negprot\n",desthost));
- release_server_mutex();
- talloc_free(cli);
- return NULL;
- }
-
- if (cli->protocol < PROTOCOL_LANMAN2 ||
- !(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
- DEBUG(1,("%s isn't in user level security mode\n",desthost));
- release_server_mutex();
- talloc_free(cli);
- return NULL;
- }
-
- /* Get the first session setup done quickly, to avoid silly
- Win2k bugs. (The next connection to the server will kill
- this one...
- */
-
- if (!smbcli_session_setup(cli, "", "", 0, "", 0,
- "")) {
- DEBUG(0,("%s rejected the initial session setup (%s)\n",
- desthost, smbcli_errstr(cli)));
- release_server_mutex();
- talloc_free(cli);
- return NULL;
- }
-
- release_server_mutex();
-
- DEBUG(3,("password server OK\n"));
-
- return cli;
-}
-
-/****************************************************************************
- Clean up our allocated cli.
-****************************************************************************/
-
-static void free_server_private_data(void **private_data_pointer)
-{
- struct smbcli_state **cli = (struct smbcli_state **)private_data_pointer;
- if (*cli && (*cli)->initialised) {
- talloc_free(*cli);
- }
-}
-
-/****************************************************************************
- Get the challenge out of a password server.
-****************************************************************************/
-
-static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_context,
- void **my_private_data,
- TALLOC_CTX *mem_ctx)
-{
- struct smbcli_state *cli = server_cryptkey(mem_ctx, lp_cli_maxprotocol(auth_context->lp_ctx));
-
- if (cli) {
- DEBUG(3,("using password server validation\n"));
-
- if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
- /* We can't work with unencrypted password servers
- unless 'encrypt passwords = no' */
- DEBUG(5,("make_auth_info_server: Server is unencrypted, no challenge available..\n"));
-
- /* However, it is still a perfectly fine connection
- to pass that unencrypted password over */
- *my_private_data = (void *)cli;
- return data_blob(NULL, 0);
-
- } else if (cli->secblob.length < 8) {
- /* We can't do much if we don't get a full challenge */
- DEBUG(2,("make_auth_info_server: Didn't receive a full challenge from server\n"));
- talloc_free(cli);
- return data_blob(NULL, 0);
- }
-
- *my_private_data = (void *)cli;
-
- /* The return must be allocated on the caller's mem_ctx, as our own will be
- destoyed just after the call. */
- return data_blob_talloc(auth_context->mem_ctx, cli->secblob.data,8);
- } else {
- return data_blob(NULL, 0);
- }
-}
-
-
-/****************************************************************************
- Check for a valid username and password in security=server mode.
- - Validate a password with the password server.
-****************************************************************************/
-
-static NTSTATUS check_smbserver_security(const struct auth_context *auth_context,
- void *my_private_data,
- TALLOC_CTX *mem_ctx,
- const auth_usersupplied_info *user_info,
- auth_serversupplied_info **server_info)
-{
- struct smbcli_state *cli;
- static uint8_t badpass[24];
- static fstring baduser;
- static bool tested_password_server = false;
- static bool bad_password_server = false;
- NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
- bool locally_made_cli = false;
-
- /*
- * Check that the requested domain is not our own machine name.
- * If it is, we should never check the PDC here, we use our own local
- * password file.
- */
-
- if (lp_is_myname(auth_context->lp_ctx, user_info->domain.str)) {
- DEBUG(3,("check_smbserver_security: Requested domain was for this machine.\n"));
- return NT_STATUS_LOGON_FAILURE;
- }
-
- cli = my_private_data;
-
- if (cli) {
- } else {
- cli = server_cryptkey(mem_ctx, lp_unicode(auth_context->lp_ctx), lp_cli_maxprotocol(auth_context->lp_ctx), lp_resolve_context(auth_context->lp_ctx));
- locally_made_cli = true;
- }
-
- if (!cli || !cli->initialised) {
- DEBUG(1,("password server is not connected (cli not initilised)\n"));
- return NT_STATUS_LOGON_FAILURE;
- }
-
- if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
- if (user_info->encrypted) {
- DEBUG(1,("password server %s is plaintext, but we are encrypted. This just can't work :-(\n", cli->desthost));
- return NT_STATUS_LOGON_FAILURE;
- }
- } else {
- if (memcmp(cli->secblob.data, auth_context->challenge.data, 8) != 0) {
- DEBUG(1,("the challenge that the password server (%s) supplied us is not the one we gave our client. This just can't work :-(\n", cli->desthost));
- return NT_STATUS_LOGON_FAILURE;
- }
- }
-
- if(badpass[0] == 0)
- memset(badpass, 0x1f, sizeof(badpass));
-
- if((user_info->nt_resp.length == sizeof(badpass)) &&
- !memcmp(badpass, user_info->nt_resp.data, sizeof(badpass))) {
- /*
- * Very unlikely, our random bad password is the same as the users
- * password.
- */
- memset(badpass, badpass[0]+1, sizeof(badpass));
- }
-
- if(baduser[0] == 0) {
- fstrcpy(baduser, INVALID_USER_PREFIX);
- fstrcat(baduser, lp_netbios_name());
- }
-
- /*
- * Attempt a session setup with a totally incorrect password.
- * If this succeeds with the guest bit *NOT* set then the password
- * server is broken and is not correctly setting the guest bit. We
- * need to detect this as some versions of NT4.x are broken. JRA.
- */
-
- /* I sure as hell hope that there aren't servers out there that take
- * NTLMv2 and have this bug, as we don't test for that...
- * - abartlet@samba.org
- */
-
- if ((!tested_password_server) && (lp_paranoid_server_security())) {
- if (smbcli_session_setup(cli, baduser, (char *)badpass, sizeof(badpass),
- (char *)badpass, sizeof(badpass), user_info->domain.str)) {
-
- /*
- * We connected to the password server so we
- * can say we've tested it.
- */
- tested_password_server = true;
-
- if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
- DEBUG(0,("server_validate: password server %s allows users as non-guest \
-with a bad password.\n", cli->desthost));
- DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
-use this machine as the password server.\n"));
- smbcli_ulogoff(cli);
-
- /*
- * Password server has the bug.
- */
- bad_password_server = true;
- return NT_STATUS_LOGON_FAILURE;
- }
- smbcli_ulogoff(cli);
- }
- } else {
-
- /*
- * We have already tested the password server.
- * Fail immediately if it has the bug.
- */
-
- if(bad_password_server) {
- DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
-with a bad password.\n", cli->desthost));
- DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
-use this machine as the password server.\n"));
- return NT_STATUS_LOGON_FAILURE;
- }
- }
-
- /*
- * Now we know the password server will correctly set the guest bit, or is
- * not guest enabled, we can try with the real password.
- */
-
- if (!user_info->encrypted) {
- /* Plaintext available */
- if (!smbcli_session_setup(cli, user_info->smb_name.str,
- (char *)user_info->plaintext_password.data,
- user_info->plaintext_password.length,
- NULL, 0,
- user_info->domain.str)) {
- DEBUG(1,("password server %s rejected the password\n", cli->desthost));
- /* Make this smbcli_nt_error() when the conversion is in */
- nt_status = smbcli_nt_error(cli);
- } else {
- nt_status = NT_STATUS_OK;
- }
- } else {
- if (!smbcli_session_setup(cli, user_info->smb_name.str,
- (char *)user_info->lm_resp.data,
- user_info->lm_resp.length,
- (char *)user_info->nt_resp.data,
- user_info->nt_resp.length,
- user_info->domain.str)) {
- DEBUG(1,("password server %s rejected the password\n", cli->desthost));
- /* Make this smbcli_nt_error() when the conversion is in */
- nt_status = smbcli_nt_error(cli);
- } else {
- nt_status = NT_STATUS_OK;
- }
- }
-
- /* if logged in as guest then reject */
- if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
- DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
- nt_status = NT_STATUS_LOGON_FAILURE;
- }
-
- smbcli_ulogoff(cli);
-
- if NT_STATUS_IS_OK(nt_status) {
- struct passwd *pass = Get_Pwnam(user_info->internal_username.str);
- if (pass) {
- nt_status = make_server_info_pw(auth_context, server_info, pass);
- } else {
- nt_status = NT_STATUS_NO_SUCH_USER;
- }
- }
-
- if (locally_made_cli) {
- talloc_free(cli);
- }
-
- return(nt_status);
-}
-
-NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method)) {
- return NT_STATUS_NO_MEMORY;
- }
- (*auth_method)->name = "smbserver";
- (*auth_method)->auth = check_smbserver_security;
- (*auth_method)->get_chal = auth_get_challenge_server;
- (*auth_method)->send_keepalive = send_server_keepalive;
- (*auth_method)->free_private_data = free_server_private_data;
- return NT_STATUS_OK;
-}
diff --git a/source4/auth/auth_wrap.c b/source4/auth/auth_wrap.c
index af1827adc9..dea76ef87d 100644
--- a/source4/auth/auth_wrap.c
+++ b/source4/auth/auth_wrap.c
@@ -1,6 +1,6 @@
/* ----------------------------------------------------------------------------
* This file was automatically generated by SWIG (http://www.swig.org).
- * Version 1.3.33
+ * Version 1.3.35
*
* This file is not intended to be easily readable and contains a number of
* coding conventions designed to improve portability and efficiency. Do not make
@@ -126,7 +126,7 @@
/* This should only be incremented when either the layout of swig_type_info changes,
or for whatever reason, the runtime changes incompatibly */
-#define SWIG_RUNTIME_VERSION "3"
+#define SWIG_RUNTIME_VERSION "4"
/* define SWIG_TYPE_TABLE_NAME as "SWIG_TYPE_TABLE" */
#ifdef SWIG_TYPE_TABLE
@@ -161,6 +161,7 @@
/* Flags for pointer conversions */
#define SWIG_POINTER_DISOWN 0x1
+#define SWIG_CAST_NEW_MEMORY 0x2
/* Flags for new pointer objects */
#define SWIG_POINTER_OWN 0x1
@@ -301,10 +302,10 @@ SWIGINTERNINLINE int SWIG_CheckState(int r) {
extern "C" {
#endif
-typedef void *(*swig_converter_func)(void *);
+typedef void *(*swig_converter_func)(void *, int *);
typedef struct swig_type_info *(*swig_dycast_func)(void **);
-/* Structure to store inforomation on one type */
+/* Structure to store information on one type */
typedef struct swig_type_info {
const char *name; /* mangled name of this type */
const char *str; /* human readable name of this type */
@@ -431,8 +432,8 @@ SWIG_TypeCheckStruct(swig_type_info *from, swig_type_info *into) {
Cast a pointer up an inheritance hierarchy
*/
SWIGRUNTIMEINLINE void *
-SWIG_TypeCast(swig_cast_info *ty, void *ptr) {
- return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr);
+SWIG_TypeCast(swig_cast_info *ty, void *ptr, int *newmemory) {
+ return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr, newmemory);
}
/*
@@ -856,7 +857,7 @@ SWIG_Python_AddErrorMsg(const char* mesg)
Py_DECREF(old_str);
Py_DECREF(value);
} else {
- PyErr_Format(PyExc_RuntimeError, mesg);
+ PyErr_SetString(PyExc_RuntimeError, mesg);
}
}
@@ -1416,7 +1417,7 @@ PySwigObject_dealloc(PyObject *v)
{
PySwigObject *sobj = (PySwigObject *) v;
PyObject *next = sobj->next;
- if (sobj->own) {
+ if (sobj->own == SWIG_POINTER_OWN) {
swig_type_info *ty = sobj->ty;
PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0;
PyObject *destroy = data ? data->destroy : 0;
@@ -1434,12 +1435,13 @@ PySwigObject_dealloc(PyObject *v)
res = ((*meth)(mself, v));
}
Py_XDECREF(res);
- } else {
- const char *name = SWIG_TypePrettyName(ty);
+ }
#if !defined(SWIG_PYTHON_SILENT_MEMLEAK)
- printf("swig/python detected a memory leak of type '%s', no destructor found.\n", name);
-#endif
+ else {
+ const char *name = SWIG_TypePrettyName(ty);
+ printf("swig/python detected a memory leak of type '%s', no destructor found.\n", (name ? name : "unknown"));
}
+#endif
}
Py_XDECREF(next);
PyObject_DEL(v);
@@ -1944,7 +1946,7 @@ SWIG_Python_GetSwigThis(PyObject *pyobj)
SWIGRUNTIME int
SWIG_Python_AcquirePtr(PyObject *obj, int own) {
- if (own) {
+ if (own == SWIG_POINTER_OWN) {
PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
if (sobj) {
int oldown = sobj->own;
@@ -1965,6 +1967,8 @@ SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int
return SWIG_OK;
} else {
PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
+ if (own)
+ *own = 0;
while (sobj) {
void *vptr = sobj->ptr;
if (ty) {
@@ -1978,7 +1982,15 @@ SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int
if (!tc) {
sobj = (PySwigObject *)sobj->next;
} else {
- if (ptr) *ptr = SWIG_TypeCast(tc,vptr);
+ if (ptr) {
+ int newmemory = 0;
+ *ptr = SWIG_TypeCast(tc,vptr,&newmemory);
+ if (newmemory == SWIG_CAST_NEW_MEMORY) {
+ assert(own);
+ if (own)
+ *own = *own | SWIG_CAST_NEW_MEMORY;
+ }
+ }
break;
}
}
@@ -1988,7 +2000,8 @@ SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int
}
}
if (sobj) {
- if (own) *own = sobj->own;
+ if (own)
+ *own = *own | sobj->own;
if (flags & SWIG_POINTER_DISOWN) {
sobj->own = 0;
}
@@ -2053,8 +2066,13 @@ SWIG_Python_ConvertFunctionPtr(PyObject *obj, void **ptr, swig_type_info *ty) {
}
if (ty) {
swig_cast_info *tc = SWIG_TypeCheck(desc,ty);
- if (!tc) return SWIG_ERROR;
- *ptr = SWIG_TypeCast(tc,vptr);
+ if (tc) {
+ int newmemory = 0;
+ *ptr = SWIG_TypeCast(tc,vptr,&newmemory);
+ assert(!newmemory); /* newmemory handling not yet implemented */
+ } else {
+ return SWIG_ERROR;
+ }
} else {
*ptr = vptr;
}
@@ -2505,7 +2523,7 @@ static swig_module_info swig_module = {swig_types, 16, 0, 0, 0, 0};
#define SWIG_name "_auth"
-#define SWIGVERSION 0x010333
+#define SWIGVERSION 0x010335
#define SWIG_VERSION SWIGVERSION
@@ -2733,7 +2751,7 @@ SWIGRUNTIME void
SWIG_InitializeModule(void *clientdata) {
size_t i;
swig_module_info *module_head, *iter;
- int found;
+ int found, init;
clientdata = clientdata;
@@ -2743,6 +2761,9 @@ SWIG_InitializeModule(void *clientdata) {
swig_module.type_initial = swig_type_initial;
swig_module.cast_initial = swig_cast_initial;
swig_module.next = &swig_module;
+ init = 1;
+ } else {
+ init = 0;
}
/* Try and load any already created modules */
@@ -2771,6 +2792,12 @@ SWIG_InitializeModule(void *clientdata) {
module_head->next = &swig_module;
}
+ /* When multiple interpeters are used, a module could have already been initialized in
+ a different interpreter, but not yet have a pointer in this interpreter.
+ In this case, we do not want to continue adding types... everything should be
+ set up already */
+ if (init == 0) return;
+
/* Now work on filling in swig_module.types */
#ifdef SWIGRUNTIME_DEBUG
printf("SWIG_InitializeModule: size %d\n", swig_module.size);
diff --git a/source4/auth/config.mk b/source4/auth/config.mk
index 7d4678b7ac..f13c2e5758 100644
--- a/source4/auth/config.mk
+++ b/source4/auth/config.mk
@@ -1,107 +1,48 @@
# auth server subsystem
+gensecsrcdir := $(authsrcdir)/gensec
mkinclude gensec/config.mk
mkinclude kerberos/config.mk
mkinclude ntlmssp/config.mk
+mkinclude ntlm/config.mk
mkinclude credentials/config.mk
[SUBSYSTEM::auth_session]
-PRIVATE_PROTO_HEADER = session_proto.h
PUBLIC_DEPENDENCIES = CREDENTIALS
-# PUBLIC_HEADERS += auth/session.h
+PUBLIC_HEADERS += $(authsrcdir)/session.h
-auth_session_OBJ_FILES = $(addprefix auth/, session.o)
+auth_session_OBJ_FILES = $(addprefix $(authsrcdir)/, session.o)
+
+$(eval $(call proto_header_template,$(authsrcdir)/session_proto.h,$(auth_session_OBJ_FILES:.o=.c)))
[SUBSYSTEM::auth_system_session]
-PRIVATE_PROTO_HEADER = system_session_proto.h
PUBLIC_DEPENDENCIES = CREDENTIALS
PRIVATE_DEPENDENCIES = auth_session LIBSAMBA-UTIL LIBSECURITY
-auth_system_session_OBJ_FILES = $(addprefix auth/, system_session.o)
+auth_system_session_OBJ_FILES = $(addprefix $(authsrcdir)/, system_session.o)
+$(eval $(call proto_header_template,$(authsrcdir)/system_session_proto.h,$(auth_system_session_OBJ_FILES:.o=.c)))
[SUBSYSTEM::auth_sam]
-PRIVATE_PROTO_HEADER = auth_sam.h
PUBLIC_DEPENDENCIES = SAMDB UTIL_LDB LIBSECURITY
PRIVATE_DEPENDENCIES = LDAP_ENCODE
-auth_sam_OBJ_FILES = $(addprefix auth/, sam.o ntlm_check.o)
+auth_sam_OBJ_FILES = $(addprefix $(authsrcdir)/, sam.o)
+
+$(eval $(call proto_header_template,$(authsrcdir)/auth_sam.h,$(auth_sam_OBJ_FILES:.o=.c)))
[SUBSYSTEM::auth_sam_reply]
-PRIVATE_PROTO_HEADER = auth_sam_reply.h
-
-auth_sam_reply_OBJ_FILES = $(addprefix auth/, auth_sam_reply.o)
-
-#######################
-# Start MODULE auth_sam
-[MODULE::auth_sam_module]
-# gensec_krb5 and gensec_gssapi depend on it
-INIT_FUNCTION = auth_sam_init
-SUBSYSTEM = auth
-PRIVATE_DEPENDENCIES = \
- SAMDB auth_sam
-# End MODULE auth_sam
-#######################
-
-auth_sam_module_OBJ_FILES = $(addprefix auth/, auth_sam.o)
-
-#######################
-# Start MODULE auth_anonymous
-[MODULE::auth_anonymous]
-INIT_FUNCTION = auth_anonymous_init
-SUBSYSTEM = auth
-# End MODULE auth_anonymous
-#######################
-
-auth_anonymous_OBJ_FILES = $(addprefix auth/, auth_anonymous.o)
-
-#######################
-# Start MODULE auth_winbind
-[MODULE::auth_winbind]
-INIT_FUNCTION = auth_winbind_init
-SUBSYSTEM = auth
-PRIVATE_DEPENDENCIES = NDR_WINBIND MESSAGING LIBWINBIND-CLIENT
-# End MODULE auth_winbind
-#######################
-
-auth_winbind_OBJ_FILES = $(addprefix auth/, auth_winbind.o)
-
-#######################
-# Start MODULE auth_developer
-[MODULE::auth_developer]
-INIT_FUNCTION = auth_developer_init
-SUBSYSTEM = auth
-# End MODULE auth_developer
-#######################
-
-auth_developer_OBJ_FILES = $(addprefix auth/, auth_developer.o)
-
-[MODULE::auth_unix]
-INIT_FUNCTION = auth_unix_init
-SUBSYSTEM = auth
-PRIVATE_DEPENDENCIES = CRYPT PAM PAM_ERRORS NSS_WRAPPER
-
-auth_unix_OBJ_FILES = $(addprefix auth/, auth_unix.o)
-
-[SUBSYSTEM::PAM_ERRORS]
-PRIVATE_PROTO_HEADER = pam_errors.h
-
-#VERSION = 0.0.1
-#SO_VERSION = 0
-PAM_ERRORS_OBJ_FILES = $(addprefix auth/, pam_errors.o)
-
-[MODULE::auth]
-INIT_FUNCTION = server_service_auth_init
-SUBSYSTEM = service
-PRIVATE_PROTO_HEADER = auth_proto.h
-PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL LIBSECURITY SAMDB CREDENTIALS
-
-auth_OBJ_FILES = $(addprefix auth/, auth.o auth_util.o auth_simple.o)
-
-# PUBLIC_HEADERS += auth/auth.h
+
+auth_sam_reply_OBJ_FILES = $(addprefix $(authsrcdir)/, auth_sam_reply.o)
+
+$(eval $(call proto_header_template,$(authsrcdir)/auth_sam_reply.h,$(auth_sam_reply_OBJ_FILES:.o=.c)))
[PYTHON::swig_auth]
+LIBRARY_REALNAME = samba/_auth.$(SHLIBEXT)
PUBLIC_DEPENDENCIES = auth_system_session
PRIVATE_DEPENDENCIES = SAMDB
-SWIG_FILE = auth.i
-swig_auth_OBJ_FILES = auth/auth_wrap.o
+$(eval $(call python_py_module_template,samba/auth.py,$(authsrcdir)/auth.py))
+
+swig_auth_OBJ_FILES = $(authsrcdir)/auth_wrap.o
+
+$(swig_auth_OBJ_FILES): CFLAGS+=$(CFLAG_NO_UNUSED_MACROS) $(CFLAG_NO_CAST_QUAL)
diff --git a/source4/auth/credentials/config.mk b/source4/auth/credentials/config.mk
index 6f3ec3997c..2eeeec20ec 100644
--- a/source4/auth/credentials/config.mk
+++ b/source4/auth/credentials/config.mk
@@ -1,18 +1,24 @@
#################################
# Start SUBSYSTEM CREDENTIALS
[SUBSYSTEM::CREDENTIALS]
-PRIVATE_PROTO_HEADER = credentials_proto.h
PUBLIC_DEPENDENCIES = \
LIBCLI_AUTH SECRETS LIBCRYPTO KERBEROS UTIL_LDB HEIMDAL_GSSAPI
PRIVATE_DEPENDENCIES = \
SECRETS
-CREDENTIALS_OBJ_FILES = $(addprefix auth/credentials/, credentials.o credentials_files.o credentials_ntlm.o credentials_krb5.o ../kerberos/kerberos_util.o)
-PUBLIC_HEADERS += auth/credentials/credentials.h
+CREDENTIALS_OBJ_FILES = $(addprefix $(authsrcdir)/credentials/, credentials.o credentials_files.o credentials_ntlm.o credentials_krb5.o ../kerberos/kerberos_util.o)
+
+$(eval $(call proto_header_template,$(authsrcdir)/credentials/credentials_proto.h,$(CREDENTIALS_OBJ_FILES:.o=.c)))
+
+PUBLIC_HEADERS += $(authsrcdir)/credentials/credentials.h
[PYTHON::swig_credentials]
+LIBRARY_REALNAME = samba/_credentials.$(SHLIBEXT)
PUBLIC_DEPENDENCIES = CREDENTIALS LIBCMDLINE_CREDENTIALS
-SWIG_FILE = credentials.i
-swig_credentials_OBJ_FILES = auth/credentials/credentials_wrap.o
+$(eval $(call python_py_module_template,samba/credentials.py,$(authsrcdir)/credentials/credentials.py))
+
+swig_credentials_OBJ_FILES = $(authsrcdir)/credentials/credentials_wrap.o
+
+$(swig_credentials_OBJ_FILES): CFLAGS+=$(CFLAG_NO_UNUSED_MACROS) $(CFLAG_NO_CAST_QUAL)
diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c
index 89dddc9e05..adabe49cb4 100644
--- a/source4/auth/credentials/credentials.c
+++ b/source4/auth/credentials/credentials.c
@@ -65,7 +65,6 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
cred->tries = 3;
cred->callback_running = false;
- cred->ev = NULL;
cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS);
cli_credentials_set_gensec_features(cred, 0);
@@ -307,6 +306,8 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
cli_credentials_invalidate_ccache(cred, cred->password_obtained);
cred->nt_hash = NULL;
+ cred->lm_response = data_blob(NULL, 0);
+ cred->nt_response = data_blob(NULL, 0);
return true;
}
@@ -377,24 +378,6 @@ _PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_cred
}
}
-_PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
- const struct samr_Password *nt_hash,
- enum credentials_obtained obtained)
-{
- if (obtained >= cred->password_obtained) {
- cli_credentials_set_password(cred, NULL, obtained);
- if (nt_hash) {
- cred->nt_hash = talloc(cred, struct samr_Password);
- *cred->nt_hash = *nt_hash;
- } else {
- cred->nt_hash = NULL;
- }
- return true;
- }
-
- return false;
-}
-
/**
* Obtain the 'short' or 'NetBIOS' domain for this credentials context.
* @param cred credentials context
@@ -675,7 +658,7 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
}
if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) {
- cli_credentials_set_ccache(cred, lp_ctx, NULL, CRED_GUESS_FILE);
+ cli_credentials_set_ccache(cred, event_context_find(cred), lp_ctx, NULL, CRED_GUESS_FILE);
}
}
@@ -775,22 +758,3 @@ _PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred)
return (cred->tries > 0);
}
-
-/*
- set the common event context for this set of credentials
- */
-_PUBLIC_ void cli_credentials_set_event_context(struct cli_credentials *cred, struct event_context *ev)
-{
- cred->ev = ev;
-}
-
-/*
- set the common event context for this set of credentials
- */
-_PUBLIC_ struct event_context *cli_credentials_get_event_context(struct cli_credentials *cred)
-{
- if (cred->ev == NULL) {
- cred->ev = event_context_find(cred);
- }
- return cred->ev;
-}
diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h
index afcb300638..79c50ae5af 100644
--- a/source4/auth/credentials/credentials.h
+++ b/source4/auth/credentials/credentials.h
@@ -26,6 +26,7 @@
#include "librpc/gen_ndr/misc.h"
struct ccache_container;
+struct event_context;
/* In order of priority */
enum credentials_obtained {
@@ -79,8 +80,13 @@ struct cli_credentials {
const char *bind_dn;
+ /* Allows authentication from a keytab or similar */
struct samr_Password *nt_hash;
+ /* Allows NTLM pass-though authentication */
+ DATA_BLOB lm_response;
+ DATA_BLOB nt_response;
+
struct ccache_container *ccache;
struct gssapi_creds_container *client_gss_creds;
struct keytab_container *keytab;
@@ -121,9 +127,6 @@ struct cli_credentials {
/* Whether any callback is currently running */
bool callback_running;
-
- /* an event context for anyone wanting to use the credentials */
- struct event_context *ev;
};
struct ldb_context;
@@ -152,12 +155,15 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_
const char *cli_credentials_get_realm(struct cli_credentials *cred);
const char *cli_credentials_get_username(struct cli_credentials *cred);
int cli_credentials_get_krb5_context(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct smb_krb5_context **smb_krb5_context);
int cli_credentials_get_ccache(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct ccache_container **ccc);
int cli_credentials_get_keytab(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct keytab_container **_ktc);
const char *cli_credentials_get_domain(struct cli_credentials *cred);
@@ -168,15 +174,15 @@ void cli_credentials_set_conf(struct cli_credentials *cred,
struct loadparm_context *lp_ctx);
const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc);
int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc);
-void cli_credentials_set_event_context(struct cli_credentials *cred, struct event_context *ev);
void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
enum credentials_use_kerberos use_kerberos);
-struct event_context *cli_credentials_get_event_context(struct cli_credentials *cred);
bool cli_credentials_set_domain(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained);
@@ -199,6 +205,7 @@ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
struct smb_krb5_context *smb_krb5_context);
NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
const char *serviceprincipal);
NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
@@ -219,15 +226,22 @@ void cli_credentials_set_kvno(struct cli_credentials *cred,
bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
const struct samr_Password *nt_hash,
enum credentials_obtained obtained);
+bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
+ const DATA_BLOB *lm_response,
+ const DATA_BLOB *nt_response,
+ enum credentials_obtained obtained);
int cli_credentials_set_keytab_name(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
const char *keytab_name,
enum credentials_obtained obtained);
int cli_credentials_update_keytab(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx);
void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
int cli_credentials_set_ccache(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
const char *name,
enum credentials_obtained obtained);
@@ -239,6 +253,7 @@ void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal);
enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct ldb_context *ldb,
const char *base,
diff --git a/source4/auth/credentials/credentials.i b/source4/auth/credentials/credentials.i
index 152d2e673c..89eb4924b3 100644
--- a/source4/auth/credentials/credentials.i
+++ b/source4/auth/credentials/credentials.i
@@ -59,36 +59,53 @@ typedef struct cli_credentials {
return cli_credentials_init(NULL);
}
/* username */
+ %feature("docstring") get_username "S.get_username() -> username\nObtain username.";
const char *get_username(void);
+ %feature("docstring") set_username "S.set_username(name, obtained=CRED_SPECIFIED) -> None\nChange username.";
bool set_username(const char *value,
- enum credentials_obtained=CRED_SPECIFIED);
+ enum credentials_obtained obtained=CRED_SPECIFIED);
/* password */
+ %feature("docstring") get_password "S.get_password() -> password\n" \
+ "Obtain password.";
const char *get_password(void);
+ %feature("docstring") set_password "S.set_password(password, obtained=CRED_SPECIFIED) -> None\n" \
+ "Change password.";
bool set_password(const char *val,
- enum credentials_obtained=CRED_SPECIFIED);
+ enum credentials_obtained obtained=CRED_SPECIFIED);
/* domain */
+ %feature("docstring") get_password "S.get_domain() -> domain\nObtain domain name.";
const char *get_domain(void);
+ %feature("docstring") set_domain "S.set_domain(domain, obtained=CRED_SPECIFIED) -> None\n" \
+ "Change domain name.";
bool set_domain(const char *val,
- enum credentials_obtained=CRED_SPECIFIED);
+ enum credentials_obtained obtained=CRED_SPECIFIED);
/* realm */
+ %feature("docstring") get_realm "S.get_realm() -> realm\nObtain realm name.";
const char *get_realm(void);
+ %feature("docstring") set_realm "S.set_realm(realm, obtained=CRED_SPECIFIED) -> None\n" \
+ "Change realm name.";
bool set_realm(const char *val,
- enum credentials_obtained=CRED_SPECIFIED);
+ enum credentials_obtained obtained=CRED_SPECIFIED);
- /* Kerberos */
+ /* Kerberos */
void set_kerberos_state(enum credentials_use_kerberos use_kerberos);
+ %feature("docstring") parse_string "S.parse_string(text, obtained=CRED_SPECIFIED) -> None\n" \
+ "Parse credentials string.";
void parse_string(const char *text,
- enum credentials_obtained=CRED_SPECIFIED);
+ enum credentials_obtained obtained=CRED_SPECIFIED);
/* bind dn */
+ %feature("docstring") get_bind_dn "S.get_bind_dn() -> bind dn\nObtain bind DN.";
const char *get_bind_dn(void);
+ %feature("docstring") set_bind_dn "S.set_bind_dn(bind_dn) -> None\nChange bind DN.";
bool set_bind_dn(const char *bind_dn);
- void set_anonymous();
+ %feature("docstring") set_anonymous "S.set_anonymous() -> None\nUse anonymous credentials.";
+ void set_anonymous();
/* workstation name */
const char *get_workstation(void);
@@ -104,8 +121,10 @@ typedef struct cli_credentials {
bool authentication_requested(void);
+ %feature("docstring") wrong_password "S.wrong_password() -> bool\nIndicate the returned password was incorrect.";
bool wrong_password(void);
+ %feature("docstring") set_cmdline_callbacks "S.set_cmdline_callbacks() -> bool\nUse command-line to obtain credentials not explicitly set.";
bool set_cmdline_callbacks();
}
} cli_credentials;
diff --git a/source4/auth/credentials/credentials.py b/source4/auth/credentials/credentials.py
index ba0000dcda..fd00a8e6f0 100644
--- a/source4/auth/credentials/credentials.py
+++ b/source4/auth/credentials/credentials.py
@@ -1,5 +1,5 @@
# This file was automatically generated by SWIG (http://www.swig.org).
-# Version 1.3.33
+# Version 1.3.35
#
# Don't modify this file, modify the SWIG interface instead.
@@ -66,6 +66,97 @@ class Credentials(object):
__repr__ = _swig_repr
def __init__(self, *args, **kwargs):
_credentials.Credentials_swiginit(self,_credentials.new_Credentials(*args, **kwargs))
+ def get_username(*args, **kwargs):
+ """
+ S.get_username() -> username
+ Obtain username.
+ """
+ return _credentials.Credentials_get_username(*args, **kwargs)
+
+ def set_username(*args, **kwargs):
+ """
+ S.set_username(name, obtained=CRED_SPECIFIED) -> None
+ Change username.
+ """
+ return _credentials.Credentials_set_username(*args, **kwargs)
+
+ def get_password(*args, **kwargs):
+ """
+ S.get_password() -> password
+ Obtain password.
+ """
+ return _credentials.Credentials_get_password(*args, **kwargs)
+
+ def set_password(*args, **kwargs):
+ """
+ S.set_password(password, obtained=CRED_SPECIFIED) -> None
+ Change password.
+ """
+ return _credentials.Credentials_set_password(*args, **kwargs)
+
+ def set_domain(*args, **kwargs):
+ """
+ S.set_domain(domain, obtained=CRED_SPECIFIED) -> None
+ Change domain name.
+ """
+ return _credentials.Credentials_set_domain(*args, **kwargs)
+
+ def get_realm(*args, **kwargs):
+ """
+ S.get_realm() -> realm
+ Obtain realm name.
+ """
+ return _credentials.Credentials_get_realm(*args, **kwargs)
+
+ def set_realm(*args, **kwargs):
+ """
+ S.set_realm(realm, obtained=CRED_SPECIFIED) -> None
+ Change realm name.
+ """
+ return _credentials.Credentials_set_realm(*args, **kwargs)
+
+ def parse_string(*args, **kwargs):
+ """
+ S.parse_string(text, obtained=CRED_SPECIFIED) -> None
+ Parse credentials string.
+ """
+ return _credentials.Credentials_parse_string(*args, **kwargs)
+
+ def get_bind_dn(*args, **kwargs):
+ """
+ S.get_bind_dn() -> bind dn
+ Obtain bind DN.
+ """
+ return _credentials.Credentials_get_bind_dn(*args, **kwargs)
+
+ def set_bind_dn(*args, **kwargs):
+ """
+ S.set_bind_dn(bind_dn) -> None
+ Change bind DN.
+ """
+ return _credentials.Credentials_set_bind_dn(*args, **kwargs)
+
+ def set_anonymous(*args, **kwargs):
+ """
+ S.set_anonymous() -> None
+ Use anonymous credentials.
+ """
+ return _credentials.Credentials_set_anonymous(*args, **kwargs)
+
+ def wrong_password(*args, **kwargs):
+ """
+ S.wrong_password() -> bool
+ Indicate the returned password was incorrect.
+ """
+ return _credentials.Credentials_wrong_password(*args, **kwargs)
+
+ def set_cmdline_callbacks(*args, **kwargs):
+ """
+ S.set_cmdline_callbacks() -> bool
+ Use command-line to obtain credentials not explicitly set.
+ """
+ return _credentials.Credentials_set_cmdline_callbacks(*args, **kwargs)
+
__swig_destroy__ = _credentials.delete_Credentials
Credentials.get_username = new_instancemethod(_credentials.Credentials_get_username,None,Credentials)
Credentials.set_username = new_instancemethod(_credentials.Credentials_set_username,None,Credentials)
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 1bbdf8a5ad..ab76ea2cde 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -30,6 +30,7 @@
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_krb5.h"
#include "param/param.h"
+#include "lib/events/events.h"
/**
* Read a file descriptor, and parse it for a password (eg from a file or stdin)
@@ -169,6 +170,7 @@ _PUBLIC_ bool cli_credentials_parse_file(struct cli_credentials *cred, const cha
* @retval NTSTATUS error detailing any failure
*/
_PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct ldb_context *ldb,
const char *base,
@@ -305,13 +307,13 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
* (chewing CPU time) from the password */
keytab = ldb_msg_find_attr_as_string(msgs[0], "krb5Keytab", NULL);
if (keytab) {
- cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED);
+ cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED);
} else {
keytab = ldb_msg_find_attr_as_string(msgs[0], "privateKeytab", NULL);
if (keytab) {
keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, lp_ctx, keytab));
if (keytab) {
- cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED);
+ cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED);
}
}
}
@@ -336,7 +338,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
cred->machine_account_pending = false;
filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
cli_credentials_get_domain(cred));
- return cli_credentials_set_secrets(cred, lp_ctx, NULL,
+ return cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL,
SECRETS_PRIMARY_DOMAIN_DN,
filter);
}
@@ -348,6 +350,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
* @retval NTSTATUS error detailing any failure
*/
NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx)
{
char *filter;
@@ -358,7 +361,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred));
- return cli_credentials_set_secrets(cred, lp_ctx, NULL,
+ return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
SECRETS_PRINCIPALS_DN,
filter);
}
@@ -370,6 +373,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
* @retval NTSTATUS error detailing any failure
*/
_PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
const char *serviceprincipal)
{
@@ -382,7 +386,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred),
serviceprincipal);
- return cli_credentials_set_secrets(cred, lp_ctx, NULL,
+ return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
SECRETS_PRINCIPALS_DN, filter);
}
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index cd9285b09d..3bc1764448 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -30,6 +30,7 @@
#include "param/param.h"
_PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct smb_krb5_context **smb_krb5_context)
{
@@ -39,8 +40,7 @@ _PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred,
return 0;
}
- ret = smb_krb5_init_context(cred, cli_credentials_get_event_context(cred),
- lp_ctx, &cred->smb_krb5_context);
+ ret = smb_krb5_init_context(cred, event_ctx, lp_ctx, &cred->smb_krb5_context);
if (ret) {
cred->smb_krb5_context = NULL;
return ret;
@@ -128,6 +128,7 @@ static int free_dccache(struct ccache_container *ccc) {
}
_PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
const char *name,
enum credentials_obtained obtained)
@@ -144,7 +145,7 @@ _PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred,
return ENOMEM;
}
- ret = cli_credentials_get_krb5_context(cred, lp_ctx,
+ ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx,
&ccc->smb_krb5_context);
if (ret) {
talloc_free(ccc);
@@ -203,6 +204,7 @@ _PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred,
static int cli_credentials_new_ccache(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct ccache_container **_ccc)
{
@@ -221,7 +223,7 @@ static int cli_credentials_new_ccache(struct cli_credentials *cred,
return ENOMEM;
}
- ret = cli_credentials_get_krb5_context(cred, lp_ctx,
+ ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx,
&ccc->smb_krb5_context);
if (ret) {
talloc_free(ccc);
@@ -253,6 +255,7 @@ static int cli_credentials_new_ccache(struct cli_credentials *cred,
}
_PUBLIC_ int cli_credentials_get_ccache(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct ccache_container **ccc)
{
@@ -271,7 +274,7 @@ _PUBLIC_ int cli_credentials_get_ccache(struct cli_credentials *cred,
return EINVAL;
}
- ret = cli_credentials_new_ccache(cred, lp_ctx, ccc);
+ ret = cli_credentials_new_ccache(cred, event_ctx, lp_ctx, ccc);
if (ret) {
return ret;
}
@@ -348,6 +351,7 @@ static int free_gssapi_creds(struct gssapi_creds_container *gcc)
}
_PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc)
{
@@ -360,7 +364,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
*_gcc = cred->client_gss_creds;
return 0;
}
- ret = cli_credentials_get_ccache(cred, lp_ctx,
+ ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
&ccache);
if (ret) {
DEBUG(1, ("Failed to get CCACHE for GSSAPI client: %s\n", error_message(ret)));
@@ -402,6 +406,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
*/
int cli_credentials_set_client_gss_creds(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
gss_cred_id_t gssapi_cred,
enum credentials_obtained obtained)
@@ -419,7 +424,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
return ENOMEM;
}
- ret = cli_credentials_new_ccache(cred, lp_ctx, &ccc);
+ ret = cli_credentials_new_ccache(cred, event_ctx, lp_ctx, &ccc);
if (ret != 0) {
return ret;
}
@@ -456,6 +461,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
* it will be generated from the password.
*/
_PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct keytab_container **_ktc)
{
@@ -475,7 +481,7 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
return EINVAL;
}
- ret = cli_credentials_get_krb5_context(cred, lp_ctx,
+ ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx,
&smb_krb5_context);
if (ret) {
return ret;
@@ -510,6 +516,7 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
* FILE:/etc/krb5.keytab), open it and attach it */
_PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
const char *keytab_name,
enum credentials_obtained obtained)
@@ -523,7 +530,7 @@ _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
return 0;
}
- ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context);
+ ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context);
if (ret) {
return ret;
}
@@ -549,6 +556,7 @@ _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
}
_PUBLIC_ int cli_credentials_update_keytab(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx)
{
krb5_error_code ret;
@@ -562,7 +570,7 @@ _PUBLIC_ int cli_credentials_update_keytab(struct cli_credentials *cred,
return ENOMEM;
}
- ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context);
+ ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context);
if (ret) {
talloc_free(mem_ctx);
return ret;
@@ -570,7 +578,7 @@ _PUBLIC_ int cli_credentials_update_keytab(struct cli_credentials *cred,
enctype_strings = cli_credentials_get_enctype_strings(cred);
- ret = cli_credentials_get_keytab(cred, lp_ctx, &ktc);
+ ret = cli_credentials_get_keytab(cred, event_ctx, lp_ctx, &ktc);
if (ret != 0) {
talloc_free(mem_ctx);
return ret;
@@ -585,6 +593,7 @@ _PUBLIC_ int cli_credentials_update_keytab(struct cli_credentials *cred,
/* Get server gss credentials (in gsskrb5, this means the keytab) */
_PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc)
{
@@ -603,12 +612,12 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
return 0;
}
- ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context);
+ ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context);
if (ret) {
return ret;
}
- ret = cli_credentials_get_keytab(cred, lp_ctx, &ktc);
+ ret = cli_credentials_get_keytab(cred, event_ctx, lp_ctx, &ktc);
if (ret) {
DEBUG(1, ("Failed to get keytab for GSSAPI server: %s\n", error_message(ret)));
return ret;
diff --git a/source4/auth/credentials/credentials_krb5.h b/source4/auth/credentials/credentials_krb5.h
index aaa7d7f0da..f672b0ad9a 100644
--- a/source4/auth/credentials/credentials_krb5.h
+++ b/source4/auth/credentials/credentials_krb5.h
@@ -32,6 +32,7 @@ struct gssapi_creds_container {
/* Manually prototyped here to avoid needing gss headers in most callers */
int cli_credentials_set_client_gss_creds(struct cli_credentials *cred,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
gss_cred_id_t gssapi_cred,
enum credentials_obtained obtained);
diff --git a/source4/auth/credentials/credentials_ntlm.c b/source4/auth/credentials/credentials_ntlm.c
index b88f2018df..22e273c35a 100644
--- a/source4/auth/credentials/credentials_ntlm.c
+++ b/source4/auth/credentials/credentials_ntlm.c
@@ -52,6 +52,20 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
const struct samr_Password *nt_hash;
lm_session_key = data_blob(NULL, 0);
+ /* We may already have an NTLM response we prepared earlier.
+ * This is used for NTLM pass-though authentication */
+ if (cred->nt_response.data || cred->lm_response.data) {
+ *_nt_response = cred->nt_response;
+ *_lm_response = cred->lm_response;
+
+ if (!cred->lm_response.data) {
+ *flags = *flags & ~CLI_CRED_LANMAN_AUTH;
+ }
+ *_lm_session_key = data_blob(NULL, 0);
+ *_session_key = data_blob(NULL, 0);
+ return NT_STATUS_OK;
+ }
+
nt_hash = cli_credentials_get_nt_hash(cred, mem_ctx);
cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain);
@@ -215,3 +229,41 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
return NT_STATUS_OK;
}
+_PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
+ const struct samr_Password *nt_hash,
+ enum credentials_obtained obtained)
+{
+ if (obtained >= cred->password_obtained) {
+ cli_credentials_set_password(cred, NULL, obtained);
+ if (nt_hash) {
+ cred->nt_hash = talloc(cred, struct samr_Password);
+ *cred->nt_hash = *nt_hash;
+ } else {
+ cred->nt_hash = NULL;
+ }
+ return true;
+ }
+
+ return false;
+}
+
+_PUBLIC_ bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
+ const DATA_BLOB *lm_response,
+ const DATA_BLOB *nt_response,
+ enum credentials_obtained obtained)
+{
+ if (obtained >= cred->password_obtained) {
+ cli_credentials_set_password(cred, NULL, obtained);
+ if (nt_response) {
+ cred->nt_response = data_blob_talloc(cred, nt_response->data, nt_response->length);
+ talloc_steal(cred, cred->nt_response.data);
+ }
+ if (nt_response) {
+ cred->lm_response = data_blob_talloc(cred, lm_response->data, lm_response->length);
+ }
+ return true;
+ }
+
+ return false;
+}
+
diff --git a/source4/auth/credentials/credentials_wrap.c b/source4/auth/credentials/credentials_wrap.c
index 6c99802b09..81ba426e45 100644
--- a/source4/auth/credentials/credentials_wrap.c
+++ b/source4/auth/credentials/credentials_wrap.c
@@ -1,6 +1,6 @@
/* ----------------------------------------------------------------------------
* This file was automatically generated by SWIG (http://www.swig.org).
- * Version 1.3.33
+ * Version 1.3.35
*
* This file is not intended to be easily readable and contains a number of
* coding conventions designed to improve portability and efficiency. Do not make
@@ -126,7 +126,7 @@
/* This should only be incremented when either the layout of swig_type_info changes,
or for whatever reason, the runtime changes incompatibly */
-#define SWIG_RUNTIME_VERSION "3"
+#define SWIG_RUNTIME_VERSION "4"
/* define SWIG_TYPE_TABLE_NAME as "SWIG_TYPE_TABLE" */
#ifdef SWIG_TYPE_TABLE
@@ -161,6 +161,7 @@
/* Flags for pointer conversions */
#define SWIG_POINTER_DISOWN 0x1
+#define SWIG_CAST_NEW_MEMORY 0x2
/* Flags for new pointer objects */
#define SWIG_POINTER_OWN 0x1
@@ -301,10 +302,10 @@ SWIGINTERNINLINE int SWIG_CheckState(int r) {
extern "C" {
#endif
-typedef void *(*swig_converter_func)(void *);
+typedef void *(*swig_converter_func)(void *, int *);
typedef struct swig_type_info *(*swig_dycast_func)(void **);
-/* Structure to store inforomation on one type */
+/* Structure to store information on one type */
typedef struct swig_type_info {
const char *name; /* mangled name of this type */
const char *str; /* human readable name of this type */
@@ -431,8 +432,8 @@ SWIG_TypeCheckStruct(swig_type_info *from, swig_type_info *into) {
Cast a pointer up an inheritance hierarchy
*/
SWIGRUNTIMEINLINE void *
-SWIG_TypeCast(swig_cast_info *ty, void *ptr) {
- return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr);
+SWIG_TypeCast(swig_cast_info *ty, void *ptr, int *newmemory) {
+ return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr, newmemory);
}
/*
@@ -856,7 +857,7 @@ SWIG_Python_AddErrorMsg(const char* mesg)
Py_DECREF(old_str);
Py_DECREF(value);
} else {
- PyErr_Format(PyExc_RuntimeError, mesg);
+ PyErr_SetString(PyExc_RuntimeError, mesg);
}
}
@@ -1416,7 +1417,7 @@ PySwigObject_dealloc(PyObject *v)
{
PySwigObject *sobj = (PySwigObject *) v;
PyObject *next = sobj->next;
- if (sobj->own) {
+ if (sobj->own == SWIG_POINTER_OWN) {
swig_type_info *ty = sobj->ty;
PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0;
PyObject *destroy = data ? data->destroy : 0;
@@ -1434,12 +1435,13 @@ PySwigObject_dealloc(PyObject *v)
res = ((*meth)(mself, v));
}
Py_XDECREF(res);
- } else {
- const char *name = SWIG_TypePrettyName(ty);
+ }
#if !defined(SWIG_PYTHON_SILENT_MEMLEAK)
- printf("swig/python detected a memory leak of type '%s', no destructor found.\n", name);
-#endif
+ else {
+ const char *name = SWIG_TypePrettyName(ty);
+ printf("swig/python detected a memory leak of type '%s', no destructor found.\n", (name ? name : "unknown"));
}
+#endif
}
Py_XDECREF(next);
PyObject_DEL(v);
@@ -1944,7 +1946,7 @@ SWIG_Python_GetSwigThis(PyObject *pyobj)
SWIGRUNTIME int
SWIG_Python_AcquirePtr(PyObject *obj, int own) {
- if (own) {
+ if (own == SWIG_POINTER_OWN) {
PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
if (sobj) {
int oldown = sobj->own;
@@ -1965,6 +1967,8 @@ SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int
return SWIG_OK;
} else {
PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
+ if (own)
+ *own = 0;
while (sobj) {
void *vptr = sobj->ptr;
if (ty) {
@@ -1978,7 +1982,15 @@ SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int
if (!tc) {
sobj = (PySwigObject *)sobj->next;
} else {
- if (ptr) *ptr = SWIG_TypeCast(tc,vptr);
+ if (ptr) {
+ int newmemory = 0;
+ *ptr = SWIG_TypeCast(tc,vptr,&newmemory);
+ if (newmemory == SWIG_CAST_NEW_MEMORY) {
+ assert(own);
+ if (own)
+ *own = *own | SWIG_CAST_NEW_MEMORY;
+ }
+ }
break;
}
}
@@ -1988,7 +2000,8 @@ SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int
}
}
if (sobj) {
- if (own) *own = sobj->own;
+ if (own)
+ *own = *own | sobj->own;
if (flags & SWIG_POINTER_DISOWN) {
sobj->own = 0;
}
@@ -2053,8 +2066,13 @@ SWIG_Python_ConvertFunctionPtr(PyObject *obj, void **ptr, swig_type_info *ty) {
}
if (ty) {
swig_cast_info *tc = SWIG_TypeCheck(desc,ty);
- if (!tc) return SWIG_ERROR;
- *ptr = SWIG_TypeCast(tc,vptr);
+ if (tc) {
+ int newmemory = 0;
+ *ptr = SWIG_TypeCast(tc,vptr,&newmemory);
+ assert(!newmemory); /* newmemory handling not yet implemented */
+ } else {
+ return SWIG_ERROR;
+ }
} else {
*ptr = vptr;
}
@@ -2506,7 +2524,7 @@ static swig_module_info swig_module = {swig_types, 17, 0, 0, 0, 0};
#define SWIG_name "_credentials"
-#define SWIGVERSION 0x010333
+#define SWIGVERSION 0x010335
#define SWIG_VERSION SWIGVERSION
@@ -2863,7 +2881,7 @@ SWIGINTERN PyObject *_wrap_Credentials_set_username(PyObject *SWIGUNUSEDPARM(sel
PyObject * obj1 = 0 ;
PyObject * obj2 = 0 ;
char * kwnames[] = {
- (char *) "self",(char *) "value",(char *)"arg3", NULL
+ (char *) "self",(char *) "value",(char *) "obtained", NULL
};
arg1 = NULL;
@@ -2944,7 +2962,7 @@ SWIGINTERN PyObject *_wrap_Credentials_set_password(PyObject *SWIGUNUSEDPARM(sel
PyObject * obj1 = 0 ;
PyObject * obj2 = 0 ;
char * kwnames[] = {
- (char *) "self",(char *) "val",(char *)"arg3", NULL
+ (char *) "self",(char *) "val",(char *) "obtained", NULL
};
arg1 = NULL;
@@ -3025,7 +3043,7 @@ SWIGINTERN PyObject *_wrap_Credentials_set_domain(PyObject *SWIGUNUSEDPARM(self)
PyObject * obj1 = 0 ;
PyObject * obj2 = 0 ;
char * kwnames[] = {
- (char *) "self",(char *) "val",(char *)"arg3", NULL
+ (char *) "self",(char *) "val",(char *) "obtained", NULL
};
arg1 = NULL;
@@ -3106,7 +3124,7 @@ SWIGINTERN PyObject *_wrap_Credentials_set_realm(PyObject *SWIGUNUSEDPARM(self),
PyObject * obj1 = 0 ;
PyObject * obj2 = 0 ;
char * kwnames[] = {
- (char *) "self",(char *) "val",(char *)"arg3", NULL
+ (char *) "self",(char *) "val",(char *) "obtained", NULL
};
arg1 = NULL;
@@ -3196,7 +3214,7 @@ SWIGINTERN PyObject *_wrap_Credentials_parse_string(PyObject *SWIGUNUSEDPARM(sel
PyObject * obj1 = 0 ;
PyObject * obj2 = 0 ;
char * kwnames[] = {
- (char *) "self",(char *) "text",(char *)"arg3", NULL
+ (char *) "self",(char *) "text",(char *) "obtained", NULL
};
arg1 = NULL;
@@ -3672,19 +3690,52 @@ SWIGINTERN PyObject *Credentials_swiginit(PyObject *SWIGUNUSEDPARM(self), PyObje
static PyMethodDef SwigMethods[] = {
{ (char *)"new_Credentials", (PyCFunction)_wrap_new_Credentials, METH_NOARGS, NULL},
- { (char *)"Credentials_get_username", (PyCFunction) _wrap_Credentials_get_username, METH_VARARGS | METH_KEYWORDS, NULL},
- { (char *)"Credentials_set_username", (PyCFunction) _wrap_Credentials_set_username, METH_VARARGS | METH_KEYWORDS, NULL},
- { (char *)"Credentials_get_password", (PyCFunction) _wrap_Credentials_get_password, METH_VARARGS | METH_KEYWORDS, NULL},
- { (char *)"Credentials_set_password", (PyCFunction) _wrap_Credentials_set_password, METH_VARARGS | METH_KEYWORDS, NULL},
+ { (char *)"Credentials_get_username", (PyCFunction) _wrap_Credentials_get_username, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+ "S.get_username() -> username\n"
+ "Obtain username.\n"
+ ""},
+ { (char *)"Credentials_set_username", (PyCFunction) _wrap_Credentials_set_username, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+ "S.set_username(name, obtained=CRED_SPECIFIED) -> None\n"
+ "Change username.\n"
+ ""},
+ { (char *)"Credentials_get_password", (PyCFunction) _wrap_Credentials_get_password, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+ "S.get_password() -> password\n"
+ "Obtain password.\n"
+ ""},
+ { (char *)"Credentials_set_password", (PyCFunction) _wrap_Credentials_set_password, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+ "S.set_password(password, obtained=CRED_SPECIFIED) -> None\n"
+ "Change password.\n"
+ ""},
{ (char *)"Credentials_get_domain", (PyCFunction) _wrap_Credentials_get_domain, METH_VARARGS | METH_KEYWORDS, NULL},
- { (char *)"Credentials_set_domain", (PyCFunction) _wrap_Credentials_set_domain, METH_VARARGS | METH_KEYWORDS, NULL},
- { (char *)"Credentials_get_realm", (PyCFunction) _wrap_Credentials_get_realm, METH_VARARGS | METH_KEYWORDS, NULL},
- { (char *)"Credentials_set_realm", (PyCFunction) _wrap_Credentials_set_realm, METH_VARARGS | METH_KEYWORDS, NULL},
+ { (char *)"Credentials_set_domain", (PyCFunction) _wrap_Credentials_set_domain, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+ "S.set_domain(domain, obtained=CRED_SPECIFIED) -> None\n"
+ "Change domain name.\n"
+ ""},
+ { (char *)"Credentials_get_realm", (PyCFunction) _wrap_Credentials_get_realm, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+ "S.get_realm() -> realm\n"
+ "Obtain realm name.\n"
+ ""},
+ { (char *)"Credentials_set_realm", (PyCFunction) _wrap_Credentials_set_realm, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+ "S.set_realm(realm, obtained=CRED_SPECIFIED) -> None\n"
+ "Change realm name.\n"
+ ""},
{ (char *)"Credentials_set_kerberos_state", (PyCFunction) _wrap_Credentials_set_kerberos_state, METH_VARARGS | METH_KEYWORDS, NULL},
- { (char *)"Credentials_parse_string", (PyCFunction) _wrap_Credentials_parse_string, METH_VARARGS | METH_KEYWORDS, NULL},
- { (char *)"Credentials_get_bind_dn", (PyCFunction) _wrap_Credentials_get_bind_dn, METH_VARARGS | METH_KEYWORDS, NULL},
- { (char *)"Credentials_set_bind_dn", (PyCFunction) _wrap_Credentials_set_bind_dn, METH_VARARGS | METH_KEYWORDS, NULL},
- { (char *)"Credentials_set_anonymous", (PyCFunction) _wrap_Credentials_set_anonymous, METH_VARARGS | METH_KEYWORDS, NULL},
+ { (char *)"Credentials_parse_string", (PyCFunction) _wrap_Credentials_parse_string, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+ "S.parse_string(text, obtained=CRED_SPECIFIED) -> None\n"
+ "Parse credentials string.\n"
+ ""},
+ { (char *)"Credentials_get_bind_dn", (PyCFunction) _wrap_Credentials_get_bind_dn, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+ "S.get_bind_dn() -> bind dn\n"
+ "Obtain bind DN.\n"
+ ""},
+ { (char *)"Credentials_set_bind_dn", (PyCFunction) _wrap_Credentials_set_bind_dn, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+ "S.set_bind_dn(bind_dn) -> None\n"
+ "Change bind DN.\n"
+ ""},
+ { (char *)"Credentials_set_anonymous", (PyCFunction) _wrap_Credentials_set_anonymous, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+ "S.set_anonymous() -> None\n"
+ "Use anonymous credentials.\n"
+ ""},
{ (char *)"Credentials_get_workstation", (PyCFunction) _wrap_Credentials_get_workstation, METH_VARARGS | METH_KEYWORDS, NULL},
{ (char *)"Credentials_set_workstation", (PyCFunction) _wrap_Credentials_set_workstation, METH_VARARGS | METH_KEYWORDS, NULL},
{ (char *)"Credentials_set_machine_account", (PyCFunction) _wrap_Credentials_set_machine_account, METH_VARARGS | METH_KEYWORDS, NULL},
@@ -3692,8 +3743,14 @@ static PyMethodDef SwigMethods[] = {
{ (char *)"Credentials_is_anonymous", (PyCFunction) _wrap_Credentials_is_anonymous, METH_VARARGS | METH_KEYWORDS, NULL},
{ (char *)"Credentials_get_nt_hash", (PyCFunction) _wrap_Credentials_get_nt_hash, METH_VARARGS | METH_KEYWORDS, NULL},
{ (char *)"Credentials_authentication_requested", (PyCFunction) _wrap_Credentials_authentication_requested, METH_VARARGS | METH_KEYWORDS, NULL},
- { (char *)"Credentials_wrong_password", (PyCFunction) _wrap_Credentials_wrong_password, METH_VARARGS | METH_KEYWORDS, NULL},
- { (char *)"Credentials_set_cmdline_callbacks", (PyCFunction) _wrap_Credentials_set_cmdline_callbacks, METH_VARARGS | METH_KEYWORDS, NULL},
+ { (char *)"Credentials_wrong_password", (PyCFunction) _wrap_Credentials_wrong_password, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+ "S.wrong_password() -> bool\n"
+ "Indicate the returned password was incorrect.\n"
+ ""},
+ { (char *)"Credentials_set_cmdline_callbacks", (PyCFunction) _wrap_Credentials_set_cmdline_callbacks, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+ "S.set_cmdline_callbacks() -> bool\n"
+ "Use command-line to obtain credentials not explicitly set.\n"
+ ""},
{ (char *)"delete_Credentials", (PyCFunction) _wrap_delete_Credentials, METH_VARARGS | METH_KEYWORDS, NULL},
{ (char *)"Credentials_swigregister", Credentials_swigregister, METH_VARARGS, NULL},
{ (char *)"Credentials_swiginit", Credentials_swiginit, METH_VARARGS, NULL},
@@ -3845,7 +3902,7 @@ SWIGRUNTIME void
SWIG_InitializeModule(void *clientdata) {
size_t i;
swig_module_info *module_head, *iter;
- int found;
+ int found, init;
clientdata = clientdata;
@@ -3855,6 +3912,9 @@ SWIG_InitializeModule(void *clientdata) {
swig_module.type_initial = swig_type_initial;
swig_module.cast_initial = swig_cast_initial;
swig_module.next = &swig_module;
+ init = 1;
+ } else {
+ init = 0;
}
/* Try and load any already created modules */
@@ -3883,6 +3943,12 @@ SWIG_InitializeModule(void *clientdata) {
module_head->next = &swig_module;
}
+ /* When multiple interpeters are used, a module could have already been initialized in
+ a different interpreter, but not yet have a pointer in this interpreter.
+ In this case, we do not want to continue adding types... everything should be
+ set up already */
+ if (init == 0) return;
+
/* Now work on filling in swig_module.types */
#ifdef SWIGRUNTIME_DEBUG
printf("SWIG_InitializeModule: size %d\n", swig_module.size);
diff --git a/source4/auth/credentials/tests/bindings.py b/source4/auth/credentials/tests/bindings.py
index d0a99502c1..30120b3a60 100644
--- a/source4/auth/credentials/tests/bindings.py
+++ b/source4/auth/credentials/tests/bindings.py
@@ -24,7 +24,7 @@ the functionality, that's already done in other tests.
"""
import unittest
-import credentials
+from samba import credentials
class CredentialsTests(unittest.TestCase):
def setUp(self):
diff --git a/source4/auth/gensec/config.mk b/source4/auth/gensec/config.mk
index cfb3493484..f08ff2638a 100644
--- a/source4/auth/gensec/config.mk
+++ b/source4/auth/gensec/config.mk
@@ -1,30 +1,31 @@
#################################
# Start SUBSYSTEM gensec
[LIBRARY::gensec]
-PRIVATE_PROTO_HEADER = gensec_proto.h
PUBLIC_DEPENDENCIES = \
CREDENTIALS LIBSAMBA-UTIL LIBCRYPTO ASN1_UTIL samba-socket LIBPACKET
# End SUBSYSTEM gensec
#################################
-PC_FILES += auth/gensec/gensec.pc
+PC_FILES += $(gensecsrcdir)/gensec.pc
gensec_VERSION = 0.0.1
gensec_SOVERSION = 0
-gensec_OBJ_FILES = $(addprefix auth/gensec/, gensec.o socket.o)
+gensec_OBJ_FILES = $(addprefix $(gensecsrcdir)/, gensec.o socket.o)
-PUBLIC_HEADERS += auth/gensec/gensec.h
+PUBLIC_HEADERS += $(gensecsrcdir)/gensec.h
+
+$(eval $(call proto_header_template,$(gensecsrcdir)/gensec_proto.h,$(gensec_OBJ_FILES:.o=.c)))
################################################
# Start MODULE gensec_krb5
[MODULE::gensec_krb5]
SUBSYSTEM = gensec
INIT_FUNCTION = gensec_krb5_init
-PRIVATE_DEPENDENCIES = CREDENTIALS KERBEROS auth auth_sam
+PRIVATE_DEPENDENCIES = CREDENTIALS KERBEROS auth_session auth_sam
# End MODULE gensec_krb5
################################################
-gensec_krb5_OBJ_FILES = $(addprefix auth/gensec/, gensec_krb5.o)
+gensec_krb5_OBJ_FILES = $(addprefix $(gensecsrcdir)/, gensec_krb5.o)
################################################
# Start MODULE gensec_gssapi
@@ -35,7 +36,7 @@ PRIVATE_DEPENDENCIES = HEIMDAL_GSSAPI CREDENTIALS KERBEROS
# End MODULE gensec_gssapi
################################################
-gensec_gssapi_OBJ_FILES = $(addprefix auth/gensec/, gensec_gssapi.o)
+gensec_gssapi_OBJ_FILES = $(addprefix $(gensecsrcdir)/, gensec_gssapi.o)
################################################
# Start MODULE cyrus_sasl
@@ -46,40 +47,41 @@ PRIVATE_DEPENDENCIES = CREDENTIALS SASL
# End MODULE cyrus_sasl
################################################
-cyrus_sasl_OBJ_FILES = $(addprefix auth/gensec/, cyrus_sasl.o)
+cyrus_sasl_OBJ_FILES = $(addprefix $(gensecsrcdir)/, cyrus_sasl.o)
################################################
# Start MODULE gensec_spnego
[MODULE::gensec_spnego]
SUBSYSTEM = gensec
INIT_FUNCTION = gensec_spnego_init
-PRIVATE_PROTO_HEADER = spnego_proto.h
PRIVATE_DEPENDENCIES = ASN1_UTIL CREDENTIALS
# End MODULE gensec_spnego
################################################
-gensec_spnego_OBJ_FILES = $(addprefix auth/gensec/, spnego.o spnego_parse.o)
+gensec_spnego_OBJ_FILES = $(addprefix $(gensecsrcdir)/, spnego.o spnego_parse.o)
+
+$(eval $(call proto_header_template,$(gensecsrcdir)/spnego_proto.h,$(gensec_spnego_OBJ_FILES:.o=.c)))
################################################
# Start MODULE gensec_schannel
[MODULE::gensec_schannel]
SUBSYSTEM = gensec
-PRIVATE_PROTO_HEADER = schannel_proto.h
INIT_FUNCTION = gensec_schannel_init
PRIVATE_DEPENDENCIES = SCHANNELDB NDR_SCHANNEL CREDENTIALS LIBNDR
OUTPUT_TYPE = MERGED_OBJ
# End MODULE gensec_schannel
################################################
-gensec_schannel_OBJ_FILES = $(addprefix auth/gensec/, schannel.o schannel_sign.o)
+gensec_schannel_OBJ_FILES = $(addprefix $(gensecsrcdir)/, schannel.o schannel_sign.o)
+$(eval $(call proto_header_template,$(gensecsrcdir)/schannel_proto.h,$(gensec_schannel_OBJ_FILES:.o=.c)))
################################################
# Start SUBSYSTEM SCHANNELDB
[SUBSYSTEM::SCHANNELDB]
-PRIVATE_PROTO_HEADER = schannel_state.h
PRIVATE_DEPENDENCIES = LDB_WRAP SAMDB
# End SUBSYSTEM SCHANNELDB
################################################
-SCHANNELDB_OBJ_FILES = $(addprefix auth/gensec/, schannel_state.o)
+SCHANNELDB_OBJ_FILES = $(addprefix $(gensecsrcdir)/, schannel_state.o)
+$(eval $(call proto_header_template,$(gensecsrcdir)/schannel_state.h,$(SCHANNELDB_OBJ_FILES:.o=.c)))
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 59ad15740e..0edb34d740 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -23,7 +23,6 @@
#include "includes.h"
#include "auth/auth.h"
#include "lib/events/events.h"
-#include "build.h"
#include "librpc/rpc/dcerpc.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
@@ -482,6 +481,11 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
struct messaging_context *msg,
struct gensec_security **gensec_security)
{
+ if (ev == NULL) {
+ DEBUG(0, ("No event context available!\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
(*gensec_security) = talloc(mem_ctx, struct gensec_security);
NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
@@ -493,14 +497,6 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
(*gensec_security)->subcontext = false;
(*gensec_security)->want_features = 0;
-
- if (ev == NULL) {
- ev = event_context_init(*gensec_security);
- if (ev == NULL) {
- talloc_free(*gensec_security);
- return NT_STATUS_NO_MEMORY;
- }
- }
(*gensec_security)->event_ctx = ev;
(*gensec_security)->msg_ctx = msg;
@@ -548,20 +544,11 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx)
{
NTSTATUS status;
- struct event_context *new_ev = NULL;
-
- if (ev == NULL) {
- new_ev = event_context_init(mem_ctx);
- NT_STATUS_HAVE_NO_MEMORY(new_ev);
- ev = new_ev;
- }
status = gensec_start(mem_ctx, ev, lp_ctx, NULL, gensec_security);
if (!NT_STATUS_IS_OK(status)) {
- talloc_free(new_ev);
return status;
}
- talloc_steal((*gensec_security), new_ev);
(*gensec_security)->gensec_role = GENSEC_CLIENT;
return status;
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index e7dcb4ea68..cc0d40469e 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -273,7 +273,9 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
DEBUG(3, ("No machine account credentials specified\n"));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
} else {
- ret = cli_credentials_get_server_gss_creds(machine_account, gensec_security->lp_ctx, &gcc);
+ ret = cli_credentials_get_server_gss_creds(machine_account,
+ gensec_security->event_ctx,
+ gensec_security->lp_ctx, &gcc);
if (ret) {
DEBUG(1, ("Aquiring acceptor credentials failed: %s\n",
error_message(ret)));
@@ -359,7 +361,9 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
return NT_STATUS_INVALID_PARAMETER;
}
- ret = cli_credentials_get_client_gss_creds(creds, gensec_security->lp_ctx, &gcc);
+ ret = cli_credentials_get_client_gss_creds(creds,
+ gensec_security->event_ctx,
+ gensec_security->lp_ctx, &gcc);
switch (ret) {
case 0:
break;
@@ -1323,7 +1327,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
} else if (!lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec", "require_pac", false)) {
DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
- nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->lp_ctx, principal_string,
+ nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, principal_string,
&server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -1338,7 +1342,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
}
/* references the server_info into the session_info */
- nt_status = auth_generate_session_info(mem_ctx, gensec_security->lp_ctx, server_info, &session_info);
+ nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, server_info, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
@@ -1361,12 +1365,12 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
return NT_STATUS_NO_MEMORY;
}
- cli_credentials_set_event_context(session_info->credentials, gensec_security->event_ctx);
cli_credentials_set_conf(session_info->credentials, gensec_security->lp_ctx);
/* Just so we don't segfault trying to get at a username */
cli_credentials_set_anonymous(session_info->credentials);
ret = cli_credentials_set_client_gss_creds(session_info->credentials,
+ gensec_security->event_ctx,
gensec_security->lp_ctx,
gensec_gssapi_state->delegated_cred_handle,
CRED_SPECIFIED);
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index ae601b19c2..47df2ccfcc 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -118,7 +118,9 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy);
- if (cli_credentials_get_krb5_context(creds, gensec_security->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
+ if (cli_credentials_get_krb5_context(creds,
+ gensec_security->event_ctx,
+ gensec_security->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
@@ -248,7 +250,9 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
principal = gensec_get_target_principal(gensec_security);
- ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), gensec_security->lp_ctx, &ccache_container);
+ ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security),
+ gensec_security->event_ctx,
+ gensec_security->lp_ctx, &ccache_container);
switch (ret) {
case 0:
break;
@@ -446,7 +450,9 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
}
/* Grab the keytab, however generated */
- ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), gensec_security->lp_ctx, &keytab);
+ ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security),
+ gensec_security->event_ctx,
+ gensec_security->lp_ctx, &keytab);
if (ret) {
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
@@ -597,7 +603,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n",
smb_get_krb5_error_message(context,
ret, mem_ctx)));
- nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->lp_ctx, principal_string,
+ nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, principal_string,
&server_info);
krb5_free_principal(context, client_principal);
free(principal_string);
@@ -645,7 +651,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
}
/* references the server_info into the session_info */
- nt_status = auth_generate_session_info(mem_ctx, gensec_security->lp_ctx, server_info, &session_info);
+ nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, server_info, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index b3117ee9b2..f21202b86f 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -125,7 +125,8 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
}
/* pull the session key for this client */
- status = schannel_fetch_session_key(out_mem_ctx, gensec_security->lp_ctx, workstation,
+ status = schannel_fetch_session_key(out_mem_ctx, gensec_security->event_ctx,
+ gensec_security->lp_ctx, workstation,
domain, &creds);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
@@ -189,7 +190,7 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
struct auth_session_info **_session_info)
{
struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
- return auth_anonymous_session_info(state, gensec_security->lp_ctx, _session_info);
+ return auth_anonymous_session_info(state, gensec_security->event_ctx, gensec_security->lp_ctx, _session_info);
}
static NTSTATUS schannel_start(struct gensec_security *gensec_security)
diff --git a/source4/auth/gensec/schannel_state.c b/source4/auth/gensec/schannel_state.c
index 0c7c509954..0f7c4ca11d 100644
--- a/source4/auth/gensec/schannel_state.c
+++ b/source4/auth/gensec/schannel_state.c
@@ -32,7 +32,8 @@
/**
connect to the schannel ldb
*/
-struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
+struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx, struct event_context *ev_ctx,
+ struct loadparm_context *lp_ctx)
{
char *path;
struct ldb_context *ldb;
@@ -49,7 +50,7 @@ struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx, struct loadparm_con
existed = file_exist(path);
- ldb = ldb_wrap_connect(mem_ctx, lp_ctx, path,
+ ldb = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, path,
system_session(mem_ctx, lp_ctx),
NULL, LDB_FLG_NOSYNC, NULL);
talloc_free(path);
@@ -137,6 +138,7 @@ NTSTATUS schannel_store_session_key_ldb(TALLOC_CTX *mem_ctx,
}
NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
+ struct event_context *ev_ctx,
struct loadparm_context *lp_ctx,
struct creds_CredentialState *creds)
{
@@ -144,7 +146,7 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
NTSTATUS nt_status;
int ret;
- ldb = schannel_db_connect(mem_ctx, lp_ctx);
+ ldb = schannel_db_connect(mem_ctx, ev_ctx, lp_ctx);
if (!ldb) {
return NT_STATUS_ACCESS_DENIED;
}
@@ -268,6 +270,7 @@ NTSTATUS schannel_fetch_session_key_ldb(TALLOC_CTX *mem_ctx,
}
NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
+ struct event_context *ev_ctx,
struct loadparm_context *lp_ctx,
const char *computer_name,
const char *domain,
@@ -276,7 +279,7 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
NTSTATUS nt_status;
struct ldb_context *ldb;
- ldb = schannel_db_connect(mem_ctx, lp_ctx);
+ ldb = schannel_db_connect(mem_ctx, ev_ctx, lp_ctx);
if (!ldb) {
return NT_STATUS_ACCESS_DENIED;
}
diff --git a/source4/auth/kerberos/config.mk b/source4/auth/kerberos/config.mk
index 762d6f8c49..951e247258 100644
--- a/source4/auth/kerberos/config.mk
+++ b/source4/auth/kerberos/config.mk
@@ -1,13 +1,12 @@
#################################
# Start SUBSYSTEM KERBEROS
[SUBSYSTEM::KERBEROS]
-PRIVATE_PROTO_HEADER = proto.h
PUBLIC_DEPENDENCIES = HEIMDAL_KRB5 NDR_KRB5PAC samba-socket LIBCLI_RESOLVE
PRIVATE_DEPENDENCIES = ASN1_UTIL auth_sam_reply LIBPACKET LIBNDR
# End SUBSYSTEM KERBEROS
#################################
-KERBEROS_OBJ_FILES = $(addprefix auth/kerberos/, \
+KERBEROS_OBJ_FILES = $(addprefix $(authsrcdir)/kerberos/, \
kerberos.o \
clikrb5.o \
kerberos_heimdal.o \
@@ -15,3 +14,5 @@ KERBEROS_OBJ_FILES = $(addprefix auth/kerberos/, \
gssapi_parse.o \
krb5_init_context.o)
+$(eval $(call proto_header_template,$(authsrcdir)/kerberos/proto.h,$(KERBEROS_OBJ_FILES:.o=.c)))
+
diff --git a/source4/auth/auth.c b/source4/auth/ntlm/auth.c
index 6c86cf2d7c..0f1ef3ccdb 100644
--- a/source4/auth/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -21,9 +21,8 @@
#include "includes.h"
#include "lib/util/dlinklist.h"
#include "auth/auth.h"
-#include "auth/auth_proto.h"
+#include "auth/ntlm/auth_proto.h"
#include "lib/events/events.h"
-#include "build.h"
#include "param/param.h"
/***************************************************************************
@@ -521,6 +520,7 @@ _PUBLIC_ NTSTATUS auth_init(void)
extern NTSTATUS auth_anonymous_init(void);
extern NTSTATUS auth_unix_init(void);
extern NTSTATUS auth_sam_init(void);
+ extern NTSTATUS auth_server_init(void);
init_module_fn static_init[] = { STATIC_auth_MODULES };
diff --git a/source4/auth/auth_anonymous.c b/source4/auth/ntlm/auth_anonymous.c
index b93c7c2008..c889071878 100644
--- a/source4/auth/auth_anonymous.c
+++ b/source4/auth/ntlm/auth_anonymous.c
@@ -21,7 +21,7 @@
#include "includes.h"
#include "auth/auth.h"
-#include "auth/auth_proto.h"
+#include "auth/ntlm/auth_proto.h"
#include "param/param.h"
/**
diff --git a/source4/auth/auth_developer.c b/source4/auth/ntlm/auth_developer.c
index a2c9cbc828..3b8c83c349 100644
--- a/source4/auth/auth_developer.c
+++ b/source4/auth/ntlm/auth_developer.c
@@ -21,7 +21,7 @@
#include "includes.h"
#include "auth/auth.h"
-#include "auth/auth_proto.h"
+#include "auth/ntlm/auth_proto.h"
#include "libcli/security/security.h"
#include "librpc/gen_ndr/ndr_samr.h"
diff --git a/source4/auth/ntlm/auth_proto.h b/source4/auth/ntlm/auth_proto.h
new file mode 100644
index 0000000000..572c1a4ca7
--- /dev/null
+++ b/source4/auth/ntlm/auth_proto.h
@@ -0,0 +1,50 @@
+#ifndef __AUTH_NTLM_AUTH_PROTO_H__
+#define __AUTH_NTLM_AUTH_PROTO_H__
+
+#undef _PRINTF_ATTRIBUTE
+#define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2)
+/* This file was automatically generated by mkproto.pl. DO NOT EDIT */
+
+/* this file contains prototypes for functions that are private
+ * to this subsystem or library. These functions should not be
+ * used outside this particular subsystem! */
+
+
+/* The following definitions come from auth/ntlm/auth.c */
+
+
+/***************************************************************************
+ Set a fixed challenge
+***************************************************************************/
+bool auth_challenge_may_be_modified(struct auth_context *auth_ctx) ;
+const struct auth_operations *auth_backend_byname(const char *name);
+const struct auth_critical_sizes *auth_interface_version(void);
+NTSTATUS server_service_auth_init(void);
+
+/* The following definitions come from auth/ntlm/auth_util.c */
+
+NTSTATUS auth_get_challenge_not_implemented(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge);
+
+/****************************************************************************
+ Create an auth_usersupplied_data structure after appropriate mapping.
+****************************************************************************/
+NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
+ const char *default_domain,
+ const struct auth_usersupplied_info *user_info,
+ struct auth_usersupplied_info **user_info_mapped);
+
+/****************************************************************************
+ Create an auth_usersupplied_data structure after appropriate mapping.
+****************************************************************************/
+NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context,
+ enum auth_password_state to_state,
+ const struct auth_usersupplied_info *user_info_in,
+ const struct auth_usersupplied_info **user_info_encrypted);
+
+/* The following definitions come from auth/ntlm/auth_simple.c */
+
+#undef _PRINTF_ATTRIBUTE
+#define _PRINTF_ATTRIBUTE(a1, a2)
+
+#endif /* __AUTH_NTLM_AUTH_PROTO_H__ */
+
diff --git a/source4/auth/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 4b467cee75..2c13cd963d 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -25,7 +25,8 @@
#include "lib/ldb/include/ldb.h"
#include "util/util_ldb.h"
#include "auth/auth.h"
-#include "auth/auth_proto.h"
+#include "auth/ntlm/ntlm_check.h"
+#include "auth/ntlm/auth_proto.h"
#include "auth/auth_sam.h"
#include "dsdb/samdb/samdb.h"
#include "libcli/security/security.h"
@@ -289,7 +290,7 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
return NT_STATUS_NO_MEMORY;
}
- sam_ctx = samdb_connect(tmp_ctx, ctx->auth_ctx->lp_ctx, system_session(mem_ctx, ctx->auth_ctx->lp_ctx));
+ sam_ctx = samdb_connect(tmp_ctx, ctx->auth_ctx->event_ctx, ctx->auth_ctx->lp_ctx, system_session(mem_ctx, ctx->auth_ctx->lp_ctx));
if (sam_ctx == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_INVALID_SYSTEM_SERVICE;
diff --git a/source4/auth/ntlm/auth_server.c b/source4/auth/ntlm/auth_server.c
new file mode 100644
index 0000000000..f154cf0425
--- /dev/null
+++ b/source4/auth/ntlm/auth_server.c
@@ -0,0 +1,225 @@
+/*
+ Unix SMB/CIFS implementation.
+ Authenticate by using a remote server
+ Copyright (C) Andrew Bartlett 2001-2002, 2008
+ Copyright (C) Jelmer Vernooij 2002
+ Copyright (C) Stefan Metzmacher 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "auth/auth.h"
+#include "auth/ntlm/auth_proto.h"
+#include "auth/credentials/credentials.h"
+#include "libcli/security/security.h"
+#include "librpc/gen_ndr/ndr_samr.h"
+#include "libcli/smb_composite/smb_composite.h"
+#include "param/param.h"
+#include "libcli/resolve/resolve.h"
+
+/* This version of 'security=server' rewirtten from scratch for Samba4
+ * libraries in 2008 */
+
+
+static NTSTATUS server_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ return NT_STATUS_OK;
+}
+/**
+ * The challenge from the target server, when operating in security=server
+ **/
+static NTSTATUS server_get_challenge(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *_blob)
+{
+ struct smb_composite_connect io;
+ struct smbcli_options smb_options;
+ const char **host_list;
+ NTSTATUS status;
+
+ /* Make a connection to the target server, found by 'password server' in smb.conf */
+
+ lp_smbcli_options(ctx->auth_ctx->lp_ctx, &smb_options);
+
+ /* Make a negprot, WITHOUT SPNEGO, so we get a challenge nice an easy */
+ io.in.options.use_spnego = false;
+
+ /* Hope we don't get * (the default), as this won't work... */
+ host_list = lp_passwordserver(ctx->auth_ctx->lp_ctx);
+ if (!host_list) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ io.in.dest_host = host_list[0];
+ if (strequal(io.in.dest_host, "*")) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ io.in.dest_ports = lp_smb_ports(ctx->auth_ctx->lp_ctx);
+
+ io.in.called_name = strupper_talloc(mem_ctx, io.in.dest_host);
+
+ /* We don't want to get as far as the session setup */
+ io.in.credentials = NULL;
+ io.in.service = NULL;
+
+ io.in.workgroup = ""; /* only used with SPNEGO, disabled above */
+
+ io.in.options = smb_options;
+
+ status = smb_composite_connect(&io, mem_ctx, lp_resolve_context(ctx->auth_ctx->lp_ctx),
+ ctx->auth_ctx->event_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ *_blob = io.out.tree->session->transport->negotiate.secblob;
+ ctx->private_data = talloc_steal(ctx, io.out.tree->session);
+ }
+ return NT_STATUS_OK;
+}
+
+/**
+ * Return an error based on username
+ *
+ * This function allows the testing of obsure errors, as well as the generation
+ * of NT_STATUS -> DOS error mapping tables.
+ *
+ * This module is of no value to end-users.
+ *
+ * The password is ignored.
+ *
+ * @return An NTSTATUS value based on the username
+ **/
+
+static NTSTATUS server_check_password(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **_server_info)
+{
+ NTSTATUS nt_status;
+ struct auth_serversupplied_info *server_info;
+ struct cli_credentials *creds;
+ const char *user;
+ struct smb_composite_sesssetup session_setup;
+
+ struct smbcli_session *session = talloc_get_type(ctx->private_data, struct smbcli_session);
+
+ creds = cli_credentials_init(mem_ctx);
+
+ NT_STATUS_HAVE_NO_MEMORY(creds);
+
+ cli_credentials_set_username(creds, user_info->client.account_name, CRED_SPECIFIED);
+ cli_credentials_set_domain(creds, user_info->client.domain_name, CRED_SPECIFIED);
+
+ switch (user_info->password_state) {
+ case AUTH_PASSWORD_PLAIN:
+ cli_credentials_set_password(creds, user_info->password.plaintext,
+ CRED_SPECIFIED);
+ break;
+ case AUTH_PASSWORD_HASH:
+ cli_credentials_set_nt_hash(creds, user_info->password.hash.nt,
+ CRED_SPECIFIED);
+ break;
+
+ case AUTH_PASSWORD_RESPONSE:
+ cli_credentials_set_ntlm_response(creds, &user_info->password.response.lanman, &user_info->password.response.nt, CRED_SPECIFIED);
+ break;
+ }
+
+ session_setup.in.sesskey = session->transport->negotiate.sesskey;
+ session_setup.in.capabilities = session->transport->negotiate.capabilities;
+
+ session_setup.in.credentials = creds;
+ session_setup.in.workgroup = ""; /* Only used with SPNEGO, which we are not doing */
+
+ /* Check password with remove server - this should be async some day */
+ nt_status = smb_composite_sesssetup(session, &session_setup);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ server_info = talloc(mem_ctx, struct auth_serversupplied_info);
+ NT_STATUS_HAVE_NO_MEMORY(server_info);
+
+ server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
+
+ /* is this correct? */
+ server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_GUESTS);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
+
+ server_info->n_domain_groups = 0;
+ server_info->domain_groups = NULL;
+
+ /* annoying, but the Anonymous really does have a session key,
+ and it is all zeros! */
+ server_info->user_session_key = data_blob(NULL, 0);
+ server_info->lm_session_key = data_blob(NULL, 0);
+
+ server_info->account_name = talloc_strdup(server_info, user_info->client.account_name);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
+
+ server_info->domain_name = talloc_strdup(server_info, user_info->client.domain_name);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
+
+ server_info->full_name = NULL;
+
+ server_info->logon_script = talloc_strdup(server_info, "");
+ NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
+
+ server_info->profile_path = talloc_strdup(server_info, "");
+ NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
+
+ server_info->home_directory = talloc_strdup(server_info, "");
+ NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
+
+ server_info->home_drive = talloc_strdup(server_info, "");
+ NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
+
+ server_info->last_logon = 0;
+ server_info->last_logoff = 0;
+ server_info->acct_expiry = 0;
+ server_info->last_password_change = 0;
+ server_info->allow_password_change = 0;
+ server_info->force_password_change = 0;
+
+ server_info->logon_count = 0;
+ server_info->bad_password_count = 0;
+
+ server_info->acct_flags = ACB_NORMAL;
+
+ server_info->authenticated = false;
+
+ *_server_info = server_info;
+
+ return nt_status;
+}
+
+static const struct auth_operations server_auth_ops = {
+ .name = "server",
+ .get_challenge = server_get_challenge,
+ .want_check = server_want_check,
+ .check_password = server_check_password
+};
+
+_PUBLIC_ NTSTATUS auth_server_init(void)
+{
+ NTSTATUS ret;
+
+ ret = auth_register(&server_auth_ops);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(0,("Failed to register 'server' auth backend!\n"));
+ return ret;
+ }
+
+ return ret;
+}
diff --git a/source4/auth/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index 50be02a353..e7039c3657 100644
--- a/source4/auth/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -90,7 +90,7 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
}
if (session_info) {
- nt_status = auth_generate_session_info(tmp_ctx, lp_ctx, server_info, session_info);
+ nt_status = auth_generate_session_info(tmp_ctx, ev, lp_ctx, server_info, session_info);
if (NT_STATUS_IS_OK(nt_status)) {
talloc_steal(mem_ctx, *session_info);
diff --git a/source4/auth/auth_unix.c b/source4/auth/ntlm/auth_unix.c
index a417107025..1717b9d0e1 100644
--- a/source4/auth/auth_unix.c
+++ b/source4/auth/ntlm/auth_unix.c
@@ -21,10 +21,10 @@
#include "includes.h"
#include "auth/auth.h"
-#include "auth/auth_proto.h"
+#include "auth/ntlm/auth_proto.h"
#include "system/passwd.h" /* needed by some systems for struct passwd */
#include "lib/socket/socket.h"
-#include "auth/pam_errors.h"
+#include "auth/ntlm/pam_errors.h"
#include "param/param.h"
/* TODO: look at how to best fill in parms retrieveing a struct passwd info
diff --git a/source4/auth/auth_util.c b/source4/auth/ntlm/auth_util.c
index 1d86b858cf..1d86b858cf 100644
--- a/source4/auth/auth_util.c
+++ b/source4/auth/ntlm/auth_util.c
diff --git a/source4/auth/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index 149f549afa..ac63b242e4 100644
--- a/source4/auth/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -23,7 +23,7 @@
#include "includes.h"
#include "auth/auth.h"
-#include "auth/auth_proto.h"
+#include "auth/ntlm/auth_proto.h"
#include "auth/session_proto.h"
#include "nsswitch/winbind_client.h"
#include "librpc/gen_ndr/ndr_netlogon.h"
diff --git a/source4/auth/ntlm/config.mk b/source4/auth/ntlm/config.mk
new file mode 100644
index 0000000000..f31c2b7279
--- /dev/null
+++ b/source4/auth/ntlm/config.mk
@@ -0,0 +1,86 @@
+# NTLM auth server subsystem
+
+[SUBSYSTEM::ntlm_check]
+PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL
+
+ntlm_check_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, ntlm_check.o)
+
+#######################
+# Start MODULE auth_sam
+[MODULE::auth_sam_module]
+# gensec_krb5 and gensec_gssapi depend on it
+INIT_FUNCTION = auth_sam_init
+SUBSYSTEM = auth
+PRIVATE_DEPENDENCIES = \
+ SAMDB auth_sam ntlm_check
+# End MODULE auth_sam
+#######################
+
+auth_sam_module_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_sam.o)
+
+#######################
+# Start MODULE auth_anonymous
+[MODULE::auth_anonymous]
+INIT_FUNCTION = auth_anonymous_init
+SUBSYSTEM = auth
+# End MODULE auth_anonymous
+#######################
+
+auth_anonymous_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_anonymous.o)
+
+#######################
+# Start MODULE auth_anonymous
+[MODULE::auth_server]
+INIT_FUNCTION = auth_server_init
+SUBSYSTEM = auth
+PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL LIBCLI_SMB
+OUTPUT_TYPE = SHARED_LIBRARY
+# End MODULE auth_server
+#######################
+
+auth_server_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_server.o)
+
+#######################
+# Start MODULE auth_winbind
+[MODULE::auth_winbind]
+INIT_FUNCTION = auth_winbind_init
+SUBSYSTEM = auth
+PRIVATE_DEPENDENCIES = NDR_WINBIND MESSAGING LIBWINBIND-CLIENT
+# End MODULE auth_winbind
+#######################
+
+auth_winbind_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_winbind.o)
+
+#######################
+# Start MODULE auth_developer
+[MODULE::auth_developer]
+INIT_FUNCTION = auth_developer_init
+SUBSYSTEM = auth
+# End MODULE auth_developer
+#######################
+
+auth_developer_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_developer.o)
+
+[MODULE::auth_unix]
+INIT_FUNCTION = auth_unix_init
+SUBSYSTEM = auth
+PRIVATE_DEPENDENCIES = CRYPT PAM PAM_ERRORS NSS_WRAPPER
+
+auth_unix_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_unix.o)
+
+[SUBSYSTEM::PAM_ERRORS]
+
+#VERSION = 0.0.1
+#SO_VERSION = 0
+PAM_ERRORS_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, pam_errors.o)
+
+[MODULE::auth]
+INIT_FUNCTION = server_service_auth_init
+SUBSYSTEM = service
+PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL LIBSECURITY SAMDB CREDENTIALS
+
+auth_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth.o auth_util.o auth_simple.o)
+$(eval $(call proto_header_template,$(authsrcdir)/auth_proto.h,$(auth_OBJ_FILES:.o=.c)))
+
+# PUBLIC_HEADERS += auth/auth.h
+
diff --git a/source4/auth/ntlm_check.c b/source4/auth/ntlm/ntlm_check.c
index 55f2595f44..0dbbce0edc 100644
--- a/source4/auth/ntlm_check.c
+++ b/source4/auth/ntlm/ntlm_check.c
@@ -24,6 +24,7 @@
#include "librpc/gen_ndr/netlogon.h"
#include "libcli/auth/libcli_auth.h"
#include "param/param.h"
+#include "auth/ntlm/ntlm_check.h"
/****************************************************************************
Core of smb password checking routine.
diff --git a/source4/auth/ntlm/ntlm_check.h b/source4/auth/ntlm/ntlm_check.h
new file mode 100644
index 0000000000..eb115b74d6
--- /dev/null
+++ b/source4/auth/ntlm/ntlm_check.h
@@ -0,0 +1,75 @@
+/*
+ Unix SMB/CIFS implementation.
+ Password and authentication handling
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2004
+ Copyright (C) Gerald Carter 2003
+ Copyright (C) Luke Kenneth Casson Leighton 1996-2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+/**
+ * Compare password hashes against those from the SAM
+ *
+ * @param mem_ctx talloc context
+ * @param client_lanman LANMAN password hash, as supplied by the client
+ * @param client_nt NT (MD4) password hash, as supplied by the client
+ * @param username internal Samba username, for log messages
+ * @param client_username username the client used
+ * @param client_domain domain name the client used (may be mapped)
+ * @param stored_lanman LANMAN password hash, as stored on the SAM
+ * @param stored_nt NT (MD4) password hash, as stored on the SAM
+ * @param user_sess_key User session key
+ * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
+ */
+
+NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ const struct samr_Password *client_lanman,
+ const struct samr_Password *client_nt,
+ const char *username,
+ const struct samr_Password *stored_lanman,
+ const struct samr_Password *stored_nt);
+
+/**
+ * Check a challenge-response password against the value of the NT or
+ * LM password hash.
+ *
+ * @param mem_ctx talloc context
+ * @param challenge 8-byte challenge. If all zero, forces plaintext comparison
+ * @param nt_response 'unicode' NT response to the challenge, or unicode password
+ * @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page
+ * @param username internal Samba username, for log messages
+ * @param client_username username the client used
+ * @param client_domain domain name the client used (may be mapped)
+ * @param stored_lanman LANMAN ASCII password from our passdb or similar
+ * @param stored_nt MD4 unicode password from our passdb or similar
+ * @param user_sess_key User session key
+ * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
+ */
+
+NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ uint32_t logon_parameters,
+ const DATA_BLOB *challenge,
+ const DATA_BLOB *lm_response,
+ const DATA_BLOB *nt_response,
+ const char *username,
+ const char *client_username,
+ const char *client_domain,
+ const struct samr_Password *stored_lanman,
+ const struct samr_Password *stored_nt,
+ DATA_BLOB *user_sess_key,
+ DATA_BLOB *lm_sess_key);
diff --git a/source4/auth/pam_errors.c b/source4/auth/ntlm/pam_errors.c
index 9774ad8727..9774ad8727 100644
--- a/source4/auth/pam_errors.c
+++ b/source4/auth/ntlm/pam_errors.c
diff --git a/source4/auth/ntlm/pam_errors.h b/source4/auth/ntlm/pam_errors.h
new file mode 100644
index 0000000000..959e1f3517
--- /dev/null
+++ b/source4/auth/ntlm/pam_errors.h
@@ -0,0 +1,47 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * PAM error mapping functions
+ * Copyright (C) Andrew Bartlett 2002
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __AUTH_NTLM_PAM_ERRORS_H__
+#define __AUTH_NTLM_PAM_ERRORS_H__
+
+/* The following definitions come from auth/pam_errors.c */
+
+
+/*****************************************************************************
+convert a PAM error to a NT status32 code
+ *****************************************************************************/
+NTSTATUS pam_to_nt_status(int pam_error);
+
+/*****************************************************************************
+convert an NT status32 code to a PAM error
+ *****************************************************************************/
+int nt_status_to_pam(NTSTATUS nt_status);
+
+/*****************************************************************************
+convert a PAM error to a NT status32 code
+ *****************************************************************************/
+NTSTATUS pam_to_nt_status(int pam_error);
+
+/*****************************************************************************
+convert an NT status32 code to a PAM error
+ *****************************************************************************/
+int nt_status_to_pam(NTSTATUS nt_status);
+
+#endif /* __AUTH_NTLM_PAM_ERRORS_H__ */
+
diff --git a/source4/auth/ntlmssp/config.mk b/source4/auth/ntlmssp/config.mk
index f8e711feda..129f58de83 100644
--- a/source4/auth/ntlmssp/config.mk
+++ b/source4/auth/ntlmssp/config.mk
@@ -1,17 +1,19 @@
[SUBSYSTEM::MSRPC_PARSE]
-PRIVATE_PROTO_HEADER = msrpc_parse.h
-MSRPC_PARSE_OBJ_FILES = $(addprefix auth/ntlmssp/, ntlmssp_parse.o)
+MSRPC_PARSE_OBJ_FILES = $(addprefix $(authsrcdir)/ntlmssp/, ntlmssp_parse.o)
+
+$(eval $(call proto_header_template,$(authsrcdir)/ntlmssp/msrpc_parse.h,$(MSRPC_PARSE_OBJ_FILES:.o=.c)))
################################################
# Start MODULE gensec_ntlmssp
[MODULE::gensec_ntlmssp]
SUBSYSTEM = gensec
INIT_FUNCTION = gensec_ntlmssp_init
-PRIVATE_PROTO_HEADER = proto.h
-PRIVATE_DEPENDENCIES = MSRPC_PARSE CREDENTIALS
+PRIVATE_DEPENDENCIES = MSRPC_PARSE CREDENTIALS auth
OUTPUT_TYPE = MERGED_OBJ
# End MODULE gensec_ntlmssp
################################################
-gensec_ntlmssp_OBJ_FILES = $(addprefix auth/ntlmssp/, ntlmssp.o ntlmssp_sign.o ntlmssp_client.o ntlmssp_server.o)
+gensec_ntlmssp_OBJ_FILES = $(addprefix $(authsrcdir)/ntlmssp/, ntlmssp.o ntlmssp_sign.o ntlmssp_client.o ntlmssp_server.o)
+
+$(eval $(call proto_header_template,$(authsrcdir)/ntlmssp/proto.h,$(gensec_ntlmssp_OBJ_FILES:.o=.c)))
diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c
index 64bfebd3d1..0b7f0da9af 100644
--- a/source4/auth/ntlmssp/ntlmssp.c
+++ b/source4/auth/ntlmssp/ntlmssp.c
@@ -29,7 +29,7 @@
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_proto.h"
#include "auth/auth.h"
-#include "auth/auth_proto.h"
+#include "auth/ntlm/auth_proto.h"
#include "param/param.h"
/**
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index 12802b7e79..dfc5940d99 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -30,7 +30,7 @@
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
#include "auth/auth.h"
-#include "auth/auth_proto.h"
+#include "auth/ntlm/auth_proto.h"
#include "param/param.h"
#include "auth/session_proto.h"
@@ -725,7 +725,7 @@ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
NTSTATUS nt_status;
struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
- nt_status = auth_generate_session_info(gensec_ntlmssp_state, gensec_security->lp_ctx, gensec_ntlmssp_state->server_info, session_info);
+ nt_status = auth_generate_session_info(gensec_ntlmssp_state, gensec_security->event_ctx, gensec_security->lp_ctx, gensec_ntlmssp_state->server_info, session_info);
NT_STATUS_NOT_OK_RETURN(nt_status);
(*session_info)->session_key = data_blob_talloc(*session_info,
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index ed44754993..a2090afcdc 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -428,6 +428,7 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */
NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
const char *principal,
struct auth_serversupplied_info **server_info)
@@ -445,7 +446,7 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- sam_ctx = samdb_connect(tmp_ctx, lp_ctx, system_session(tmp_ctx, lp_ctx));
+ sam_ctx = samdb_connect(tmp_ctx, event_ctx, lp_ctx, system_session(tmp_ctx, lp_ctx));
if (sam_ctx == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_INVALID_SYSTEM_SERVICE;
diff --git a/source4/auth/session.c b/source4/auth/session.c
index 112eac95d8..8f5e8d6c56 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -31,11 +31,12 @@
#include "auth/session_proto.h"
_PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx)
{
NTSTATUS nt_status;
struct auth_session_info *session_info = NULL;
- nt_status = auth_anonymous_session_info(mem_ctx, lp_ctx, &session_info);
+ nt_status = auth_anonymous_session_info(mem_ctx, event_ctx, lp_ctx, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
return NULL;
}
@@ -43,6 +44,7 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
}
_PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info **_session_info)
{
@@ -60,7 +62,7 @@ _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
}
/* references the server_info into the session_info */
- nt_status = auth_generate_session_info(parent_ctx, lp_ctx, server_info, &session_info);
+ nt_status = auth_generate_session_info(parent_ctx, event_ctx, lp_ctx, server_info, &session_info);
talloc_free(mem_ctx);
NT_STATUS_NOT_OK_RETURN(nt_status);
@@ -151,6 +153,7 @@ _PUBLIC_ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
}
_PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct auth_serversupplied_info *server_info,
struct auth_session_info **_session_info)
@@ -168,6 +171,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
session_info->session_key = server_info->user_session_key;
nt_status = security_token_create(session_info,
+ event_ctx,
lp_ctx,
server_info->account_sid,
server_info->primary_group_sid,
diff --git a/source4/auth/session.h b/source4/auth/session.h
index 87fc47791a..933b14a1b4 100644
--- a/source4/auth/session.h
+++ b/source4/auth/session.h
@@ -1,6 +1,6 @@
/*
Unix SMB/CIFS implementation.
- Auth session handling
+ Process and provide the logged on user's authorization token
Copyright (C) Andrew Bartlett 2001
Copyright (C) Stefan Metzmacher 2005
@@ -30,12 +30,23 @@ struct auth_session_info {
#include "librpc/gen_ndr/netlogon.h"
-struct auth_session_info *system_session_anon(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx);
+/* Create a security token for a session SYSTEM (the most
+ * trusted/prvilaged account), including the local machine account as
+ * the off-host credentials */
struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx) ;
+
+/*
+ * Create a system session, but with anonymous credentials (so we do
+ * not need to open secrets.ldb)
+ */
+struct auth_session_info *system_session_anon(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx);
+
+
NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
const char *netbios_name,
struct auth_serversupplied_info **_server_info) ;
NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
struct auth_serversupplied_info *server_info,
struct auth_session_info **_session_info) ;
@@ -46,10 +57,12 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
union netr_Validation *validation,
struct auth_serversupplied_info **_server_info);
NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
+ struct event_context *ev_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info **_session_info);
struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
+ struct event_context *event_ctx,
struct loadparm_context *lp_ctx);
diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index e99bbbb1ab..1d227fe468 100644
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -147,9 +147,10 @@ static NTSTATUS generate_session_info(TALLOC_CTX *mem_ctx,
-/**
- Create a system session, with machine account credentials
-*/
+/* Create a security token for a session SYSTEM (the most
+ * trusted/prvilaged account), including the local machine account as
+ * the off-host credentials
+ */
_PUBLIC_ struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
{
NTSTATUS nt_status;
diff --git a/source4/auth/tests/bindings.py b/source4/auth/tests/bindings.py
index 4a4b12bf69..b7a5994675 100644
--- a/source4/auth/tests/bindings.py
+++ b/source4/auth/tests/bindings.py
@@ -24,7 +24,7 @@ the functionality, that's already done in other tests.
"""
import unittest
-import auth
+from samba import auth
class AuthTests(unittest.TestCase):
def test_system_session(self):