summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2012-02-17s3-lib Remove unused sys_fseek()Andrew Bartlett2-18/+0
2012-02-17s3-registry Remove unused dup_registry_value() and free_registry_value()Andrew Bartlett2-56/+0
2012-02-17auth: Allow the netbios name and domain to be set from winbindd in ntlm_auth3Andrew Bartlett2-2/+13
Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Fri Feb 17 12:18:51 CET 2012 on sn-devel-104
2012-02-17auth: Make more of the ntlmssp code private or staticAndrew Bartlett5-96/+66
Now that there is only one gensec_ntlmssp server, some of these functions can be static For the rest, put the implemtnation of the gensec_ntlmssp code into ntlmssp_private.h Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Use common gensec_ntlmsspAndrew Bartlett3-40/+5
There is no longer any samba3-specific code left here. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Use common gensec_ntlmssp_server_startAndrew Bartlett1-127/+1
This is now identical code, so there is no need to duplicate it. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Use the gensec-supplied DNS domain name and hostname.Andrew Bartlett2-28/+76
Also have a reasonable fallback for when it is not set. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17auth: Provide a way to specify the NTLMSSP server name to GENSECAndrew Bartlett2-17/+40
This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller knows better. This will allow preservation of current s3 behaviour. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Allow NTLMSSP features to be disabled with smb.conf options for testingAndrew Bartlett1-9/+23
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17auth: Rearrange ntlmssp code for clarityAndrew Bartlett1-9/+8
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Use the lpcfg_ wrapper calls to set some variablesAndrew Bartlett1-31/+10
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Remove a layer of indirection and reorder to match ↵Andrew Bartlett1-18/+15
gensec_ntlmssp_server_start()
2012-02-17auth: Set NTLMSSP_NEGOTIATE_SIGN when session key support is requiredAndrew Bartlett1-0/+3
This matches the s3 NTLMSSP server. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Only allow LM_KEY cryptography when extra options are setAndrew Bartlett1-1/+6
This crypto is incredibly poor, and can technically be enabled on an otherwise more secure connection that uses NTLM for the actual authentication leg. Therefore disable it by default. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Inline ntlmssp_server_start() into gensec_ntlmssp3_server_start()Andrew Bartlett1-9/+60
This will help syncing this rotuine up with gensec_ntlmssp_server_start(). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth Use the common gensec_ntlmssp_update in gensec_ntlmssp3_serverAndrew Bartlett4-25/+14
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Use common gensec_ntlmssp server functions for more of ↵Andrew Bartlett4-189/+50
gensec_ntlmssp3_server This is possible because we now supply the auth4_context abstraction that this code is looking for. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Add extra error messages on authentication or authorization failureAndrew Bartlett3-0/+23
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17auth: Cope with NO_USER_SESSION_KEY from security=serverAndrew Bartlett1-2/+8
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17auth: Move the rest of the source4 gensec_ntlmssp code to the top levelAndrew Bartlett11-90/+166
The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth Hook checking passwords and generating session_info via the ↵Andrew Bartlett4-62/+259
auth4_context This avoids creating a second auth_context, as it is a private pointer in the auth4_context that has already been passed in, and makes the gensec_ntlmssp code agnostic to the type of authentication backend behind it. This will in turn allow the ntlmssp server code to be further merged. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-build: Use credentials_ntlm.c in the autoconf build as wellAndrew Bartlett1-0/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17build: Add exceptions for callcatcher unused function detectionAndrew Bartlett1-0/+22
Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Fri Feb 17 09:12:47 CET 2012 on sn-devel-104
2012-02-17wintest: Update Win2003 VMAndrew Bartlett1-4/+4
2012-02-17auth/kerberos: Move gse_get_session_key() to common code and use in ↵Andrew Bartlett5-158/+155
gensec_gssapi Thie ensures that both code bases use the same logic to determine the use of NEW_SPNEGO. Andrew Bartlett
2012-02-17s3-gse: Allow kerberos key type OID to be optionalAndrew Bartlett1-4/+11
2012-02-17s3-gse: Fix OID to read for kerberos key typeAndrew Bartlett1-2/+2
2012-02-17s3-librpc: Remove backup declaration of GSS_C_DCE_STYLEAndrew Bartlett1-4/+0
All our supported krb5 libs provide this. Andrew Bartlett
2012-02-17s3-gse: Remove unused OID declarationAndrew Bartlett1-9/+0
2012-02-17wintest: give host longer to register the SRV recordAndrew Bartlett1-1/+1
2012-02-17wintest: use net rpc to put authenticated users into TelentClients if we need toAndrew Bartlett1-0/+13
2012-02-17wintest: Allow Windows VM to have no default routeAndrew Bartlett1-3/+4
2012-02-17Replace smbd_server_connection_loop_once() with tevent_loop_once() directly.Jeremy Allison1-63/+6
We no longer need to call poll() directly inside smbd ! Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Fri Feb 17 02:49:13 CET 2012 on sn-devel-104
2012-02-16lib/util: Remove sys_poll as it is no longer neededAndrew Bartlett8-110/+14
sys_poll() is only needed if the signal pipe is set up and used, but as no signal handler ever writes to the pipe, this can all be removed. signal based events are now handled via tevent. Andrew Bartlett Signed-off-by: Jeremy Allison <jra@samba.org>
2012-02-16lib/util: Remove unused sys_select_signal()Andrew Bartlett2-19/+0
Now sys_poll needs to be cleaned up not to refer to the pipe that is now not used. Andrew Bartlett Signed-off-by: Jeremy Allison <jra@samba.org>
2012-02-16s3-librpc: Remove gse_verify_server_auth_flagsAndrew Bartlett1-50/+0
gensec_update() ensures that DCE-style and sign/seal are negotiated correctly for DCE/RPC pipes. Also, the smb sealing client/server already check for the gensec_have_feature(). This additional check just keeps causing trouble, and is 'protecting' an already secure negoitated exchange. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Feb 16 21:19:44 CET 2012 on sn-devel-104
2012-02-16docs-xml: remove docs for "send spnego principal"Stefan Metzmacher1-28/+0
metze
2012-02-16s3-param Remove off-by-default and unused "send spnego principal"Andrew Bartlett2-11/+0
This is not honoured by the common SPNEGO code. This matches mondern windows versions which do not send this value, as it would be insecure for a client to rely on it. (See also the depricated client use spnego principal directive). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16s3-smbd Remove unused code now we always have SPNEGO via gensecAndrew Bartlett4-49/+7
This was previously needed because SPNEGO was only available in the AD DC. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16s3-librpc: Use gensec_spnego for DCE/RPC authenticationAndrew Bartlett10-1009/+42
This ensures that we use the same SPNEGO code on session setup and on DCE/RPC binds, and simplfies the calling code as spnego is no longer a special case in cli_pipe.c A special case wrapper function remains to avoid changing the application layer callers in this patch. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16s3-gse: Use the session key type, not the lucid context to set NEW_SPNEGOAndrew Bartlett1-67/+69
Using gss_krb5_export_lucid_sec_context() is a problem with MIT krb5, as it (reasonably, I suppose) invalidates the gssapi context on which it is called. Instead, we look to the type of session key which is negotiated, and see if it not AES (or newer). If we negotiated AES or newer, then we set GENSEC_FEATURE_NEW_SPENGO so that we know to generate valid mechListMic values in SPNEGO. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16s3-librpc: Remove unused bool gensec_hookAndrew Bartlett1-2/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16s3:rpc_client: fix commentStefan Metzmacher1-1/+1
metze
2012-02-16s3-librpc: make gensec result handling more genericAndrew Bartlett1-11/+11
This prepares us for handling SPNEGO via gensec Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16wafsamba: exclude '.brzignore' from "make dist"Michael Adam1-1/+1
.bzrignore can cause unwanted effects, if one e.g. maintains a packaging (like debian) of the generated distribution in bzr. Autobuild-User: Michael Adam <obnox@samba.org> Autobuild-Date: Thu Feb 16 13:47:52 CET 2012 on sn-devel-104
2012-02-16wafsamba: exclude '.gitignore' from "make dist"Michael Adam1-0/+1
.gitignore can cause unwanted effects, if one e.g. maintains a packaging (like debian) of the generated distribution in git
2012-02-16wafsamba: fix blacklist handling in "make dist"Michael Adam1-1/+1
2012-02-16s4:provision: only print the adminpass if it was generated (not user-provided)Michael Adam1-1/+5
2012-02-16s4:provision: generate the adminpass provision() instead of provision_fill()Michael Adam1-2/+3
so that the adminpass can be logged at the end (otherwise we get "None")
2012-02-16s4:provision: don't log the ldap admin password - it is internal onlyMichael Adam1-3/+0