summaryrefslogtreecommitdiff
path: root/auth/credentials
AgeCommit message (Collapse)AuthorFilesLines
2013-08-05auth/credentials: use CRED_CALLBACK_RESULT after a callbackStefan Metzmacher1-11/+23
We only do this if it's still CRED_CALLBACK after the callback, this allowes the callback to overwrite it. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Aug 5 09:36:05 CEST 2013 on sn-devel-104
2013-08-05auth/credentials: simplify password_tries stateStefan Metzmacher2-6/+15
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05auth/credentials: get the old password from secrets.tdbStefan Metzmacher1-0/+11
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05auth/credentials: keep cli_credentials privateStefan Metzmacher6-93/+126
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05auth/credentials: add cli_credentials_shallow_copy()Stefan Metzmacher2-0/+18
This is useful for testing. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05auth/credentials: add cli_credentials_[set_]callback_data*Stefan Metzmacher2-0/+19
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05auth/credentials: remove pointless talloc_reference() from ↵Stefan Metzmacher1-1/+1
cli_credentials_get_principal_and_obtained() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05auth/credentials: remove pointless talloc_reference() from ↵Stefan Metzmacher1-1/+1
cli_credentials_get_unparsed_name() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-06-19build: Build with system md5.h on OpenIndianaAndrew Bartlett1-1/+1
This changes (again...) our system md5 detection to cope with how OpenIndiana does md5. I'm becoming increasingly convinced this isn't worth our while (we should have just done samba_md5...), but for now this change seems to work on FreeBSD, OpenIndiana and Linux with libbsd. This needs us to rename struct MD5Context -> MD5_CTX, but we provide a config.h define to rename the type bad if MD5_CTX does not exist (it does however exist in the md5.h from libbsd). Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed Jun 19 21:32:36 CEST 2013 on sn-devel-104
2013-05-28build: Remove unused credentials_samba3.cAndrew Bartlett1-49/+0
This file was only used by the autoconf build system. Andrew Bartlett Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-04-12secrets: use lpcfg_private_db_path() convenience helper.Rusty Russell1-3/+1
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Reviewed-by: Jeremy Allison <jra@samba.org>
2013-02-28auth/pycredentials: make use of samba_tevent_context_init()Stefan Metzmacher1-1/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-20ntdb: switch between secrets.tdb and secrets.ntdb depending on 'use ntdb'Rusty Russell1-1/+3
Since we open with dbwrap, it auto-converts old tdbs (which it will rename to secrets.tdb.bak once it's done). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au> Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104
2012-11-01auth: added cli_credentials_failed_kerberos_login()Andrew Tridgell2-0/+64
this is used to support retrying kerberos connections after removing a ccache entry, to cope with a server being re-built while our client still has a valid service ticket Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-08-31auth/credentials: Do not print passwords in a talloc memory dumpAndrew Bartlett1-0/+8
The fact that a password was created here is enough information, so overwrite with the function name and line. Andrew Bartlett
2012-08-30auth/credentials: Support match-by-key in cli_credentials_get_server_gss_creds()Andrew Bartlett1-3/+8
This allows a password alone to be used to accept kerberos tickets. Of course, we need to have got the salt right, but we do not need also the correct kvno. This allows gensec_gssapi to accept tickets based on a secrets.tdb entry. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Aug 30 01:26:12 CEST 2012 on sn-devel-104
2012-08-29auth/credentials: Remove unused, and un-declared cli_credentials_set_krbtgt()Andrew Bartlett1-29/+0
2012-08-29auth/credentials: Better integrate fetch of secrets.tdb and secrets.ldb recordsAndrew Bartlett1-32/+61
By checking first if there is a secrets.tdb record and passing in the password and last change time we avoid setting one series of values and then replacing them. We also avoid the need to work around the setting of anonymous. Andrew Bartlett
2012-08-29auth/credentials: Improve memory handling in cli_credentials_set_machine_accountAndrew Bartlett1-26/+26
By using a tempoary talloc context this is much tidier and more reliable code. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Aug 29 03:11:10 CEST 2012 on sn-devel-104
2012-08-29auth/credentials: Avoid double-free in the failure caseAndrew Bartlett1-1/+1
This pointer is only valid if dbwrap_fetch returned success. Andrew Bartlett
2012-08-28auth/credentials: Rework credentials handling to try and find the most ↵Andrew Bartlett1-33/+71
recent machine pw As winbindd will update secrets.tdb but not secrets.ldb, we need to detect this and use secrets.tdb Andrew Bartlett
2012-08-28auth/credentials: Expand secrets.tdb fetch of secrets to preserve ↵Andrew Bartlett1-0/+4
workstation and realm These would otherwise be set during the fetch from the secrets.ldb, but are wiped when that fails. Andrew Bartlett
2012-08-10build: rename security → samba-securityBjörn Jacke1-1/+1
there is a libsecurity on OSF1 which clasheѕ with our security lib. see bug #9023. Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Björn Jacke <bj@sernet.de> Autobuild-Date(master): Fri Aug 10 14:22:21 CEST 2012 on sn-devel-104
2012-07-19auth/credentials: Remove extra newlineAndrew Bartlett1-1/+1
2012-07-15auth/credentials: Look in the secrets.tdb for the machine accountAndrew Bartlett2-3/+50
This is for use with the -P/--machine-pass option. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sun Jul 15 05:41:28 CEST 2012 on sn-devel-104
2012-05-24auth/credentials: 'workgroup' set via command line will not drop existing ccacheAlexander Bokovoy2-13/+7
The root cause for existing ccache being invalidated was use of global loadparm with 'workgroup' value set as if from command line. However, we don't really need to take 'workgroup' parameter value's nature into account when invalidating existing ccache. When -U is used on the command line, one can specify a password to force ccache invalidation. The commit also reverts previous fix now that root cause is clear.
2012-05-23auth-credentials: Support using pre-fetched ccache when obtaining kerberos ↵Alexander Bokovoy1-2/+12
credentials When credentials API is used by a client-side program that already as fetched required tickets into a ccache, we need to skip re-initializing ccache. This is used in FreeIPA when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets already.
2012-05-23auth and s4-rpc_server: Do not use features we currently can't implement ↵Simo Sorce1-1/+4
with MIT Kerbros build
2012-05-04s4-auth: Use smb_krb5_cc_get_lifetime() wrapper.Andreas Schneider1-2/+2
Signed-off-by: Simo Sorce <idra@samba.org>
2012-04-25lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into ↵Alexander Bokovoy1-0/+1
lib/replace/system/gssapi.h With waf build include directories are defined by dependencies specified to subsystems. Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds when there are no system-wide gssapi/gssapi.h available. Split out GSSAPI header includes in a separate replacement header and use that explicitly where needed. Autobuild-User: Alexander Bokovoy <ab@samba.org> Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
2012-04-23Make krb5 wrapper library common so they can be used all overSimo Sorce1-0/+1
2012-04-12srv_keytab: Pass krb5_context directly, it's all we use anyways.Simo Sorce1-1/+2
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12s4-auth-krb: Remove dependency on credentials too.Simo Sorce1-3/+6
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12s4-auth-krb: Remove unneded dependency on kerberos_util.Simo Sorce1-3/+13
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12s4-auth-krb: Move keytab functions in a separate file.Simo Sorce2-2/+3
Confine ldb dependency. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12s4-auth-krb: Move function into more appropriate header.Simo Sorce1-8/+0
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12s4-auth-krb: Make cli_credentials_invalidate_client_gss_creds static.Simo Sorce2-2/+4
It's not used anywhere else. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12s4-auth-krb: Make impersonate_principal_from_credentials static.Simo Sorce1-6/+0
It's not used anywhere else. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-02-10credentials: Show returned error_string in debug messageAndrew Bartlett1-2/+2
2012-01-09auth/credentials Remove debug that prints in normal operationAndrew Bartlett1-1/+0
The fact that this function is unimplemented is unimportant to the callers as credential caches are not handled via the auth/credentials code in s3. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Jan 9 03:24:36 CET 2012 on sn-devel-104
2011-12-28credentials: Always honour the return value of E_deshash()Andrew Bartlett1-4/+2
When this returns false, the hash value is not correct as the password could not be converted into an uppercase, 14 char or less ASCII string. Andrew Bartlett
2011-12-07s4-dns Use match-by-key in GSSAPI server if principal is not specifiedAndrew Bartlett1-3/+9
This allows dlz_bind9 to match on exactly the same key as bind9 itself Andrew Bartlett Autobuild-User: Amitay Isaacs <amitay@samba.org> Autobuild-Date: Wed Dec 7 02:20:10 CET 2011 on sn-devel-104
2011-11-21Fix a bunch of "warning: variable ‘XXXX’ set but not used ↵Jeremy Allison2-4/+2
[-Wunused-but-set-variable]" warnings from the new gcc. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Mon Nov 21 23:39:08 CET 2011 on sn-devel-104
2011-11-10test: fixed several tests to use samba.testsAndrew Tridgell1-2/+2
this fixes error checking. Test failures were not being detected otherwise Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
2011-10-18build: compile gensec_start.c and credentials.c in the autoconf buildAndrew Bartlett1-0/+50
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18credentials: Prioritise command-line specified options above defaults from ↵Andrew Bartlett1-3/+15
smb.conf If a user specified -W or --realm on the command line, then this is of level SPECIFIED, not UNINITIALISED, despite it going via the loadparm system. This helps us to ensure that -W server -Ulocaluser is parsed the same as -Userver\localuser. This matters as otherwise we might instead attempt to use kerberos to the realm from the smb.conf. Andrew Bartlett
2011-10-11auth/credentials Declare remaining functions are public interfaces and put ↵Andrew Bartlett2-9/+45
into credentials.h This is in preperation for this file being used by s3, and recognises that these are all reasonable, public interfaces but were not declared as such in the past. Andrew Bartlett
2011-10-11auth: move credentials layer to the top levelAndrew Bartlett12-0/+3655
This will allow gensec_start.c to move to the top level. This does not change what code uses the cli_credentials code, but allows the gensec code to be more broadly. Andrew Bartlett