summaryrefslogtreecommitdiff
path: root/auth/kerberos
AgeCommit message (Collapse)AuthorFilesLines
2012-07-06auth: Common function for retrieving PAC_LOGIN_INFO from PACChristof Schmitt2-0/+47
Several functions use the same logic as kerberos_pac_logon_info. Move kerberos_pac_logon_info to common code and reuse it to remove the code duplication. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-06-06auth-kerberos: avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute()Alexander Bokovoy1-2/+18
gss_get_name_attribute() can return unintialized pac_display_buffer and later gss_release_buffer() will crash on attempting to release it. The fix on MIT krb5 side is in 1.10.1, reported in both Debian and MIT upstream: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514 http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087 We need to initialize variables before using gss_get_name_attribute() Autobuild-User: Alexander Bokovoy <ab@samba.org> Autobuild-Date: Wed Jun 6 18:22:51 CEST 2012 on sn-devel-104
2012-05-23gse: Use the smb_gss_oid_equal wrapper.Andreas Schneider1-1/+1
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-25lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into ↵Alexander Bokovoy2-1/+2
lib/replace/system/gssapi.h With waf build include directories are defined by dependencies specified to subsystems. Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds when there are no system-wide gssapi/gssapi.h available. Split out GSSAPI header includes in a separate replacement header and use that explicitly where needed. Autobuild-User: Alexander Bokovoy <ab@samba.org> Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
2012-04-23Make krb5 wrapper library common so they can be used all overSimo Sorce3-4/+55
2012-04-12auth-krb: Move pac related util functions in a single place.Simo Sorce4-11/+78
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12auth-krb: Make functions static.Simo Sorce3-100/+2
The remaining gssapi_parse functions were used exclusively in gensec_krb5. Move them there and make them static. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12auth-krb: Use simpler method to extract keytype.Simo Sorce1-19/+12
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12auth-krb: Nove oid packet check to gensec_util.Simo Sorce1-20/+0
This is clearly a utiliy function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-03-08auth/kerberos: Fall back to gsskrb5_get_subkey if we did not get the key typeAndrew Bartlett1-4/+23
The key type OID is optional, but we require that information to determine if we should use NEW_SPNEGO. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Mar 8 11:53:57 CET 2012 on sn-devel-104
2012-03-08auth/kerberos: Ensure we do not print invalid memory in failure caseAndrew Bartlett1-4/+1
This codeblock may not have any set->elements, so we should not print them. Copy&paste in the original code. Andrew Bartlett
2012-02-17auth/kerberos: Move gse_get_session_key() to common code and use in ↵Andrew Bartlett1-0/+113
gensec_gssapi Thie ensures that both code bases use the same logic to determine the use of NEW_SPNEGO. Andrew Bartlett
2012-01-12auth/kerberos: Remove unused TALLOC_CTX argument to check_pac_checksumAndrew Bartlett1-6/+3
2012-01-11auth/kerberos: Remove unused headers from gssapi_parse.cAndrew Bartlett1-2/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-29auth/kerberos: Rename memory contexts for greater clarityAndrew Bartlett1-34/+34
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba. Thankyou Simo for the suggestion. Andrew Bartlett
2011-12-29auth/kerberos: Make pac_data_out in kerberos_decode_pac() optionalAndrew Bartlett1-3/+32
2011-12-28auth/kerberos: Move gssapi_parse.c to the top levelAndrew Bartlett2-2/+121
This will help with writing a gensec module for the s3 gse layer. Andrew Bartlett
2011-10-06Add missing com_err dependenciesEwoud Kohl van Wijngaarden1-1/+1
Signed-off-by: Jelmer Vernooij <jelmer@samba.org> Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Thu Oct 6 02:10:21 CEST 2011 on sn-devel-104
2011-06-15auth/kerberos/gssapi_pac: fix compiler warningsStefan Metzmacher1-6/+5
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jun 15 19:06:24 CEST 2011 on sn-devel-104
2011-05-07Fix Samba3 on OpenIndiana.Gordon Ross1-0/+24
I'd like Samba to use the native OpenLDAP and MIT Kerberos libs. Attached are some patches to do that. (relative to git master) It does not build for me without these. (OpenIndiana is an off-shoot of OpenSolaris See http://www.openindiana.org) Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Sat May 7 02:20:14 CEST 2011 on sn-devel-104
2011-04-27auth/kerberos Add check for gss_inquire_sec_context_by_oidAndrew Bartlett1-4/+10
Not all kerberos distributions have this function. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Apr 27 07:39:08 CEST 2011 on sn-devel-104
2011-04-27auth/kerberos Move all the PAC handling functions to auth/kerberosAndrew Bartlett2-1/+365
2011-04-27auth/kerberos: Create common helper to get the verified PAC from GSSAPIAndrew Bartlett2-0/+126
This only works for Heimdal and MIT Krb5 1.8, other versions will get an ACCESS_DEINED error. We no longer manually verify any details of the PAC in Samba for GSSAPI logins, as we never had the information to do it properly, and it is better to have the GSSAPI library handle it. Andrew Bartlett