summaryrefslogtreecommitdiff
path: root/auth
AgeCommit message (Collapse)AuthorFilesLines
2012-05-23auth-credentials: Support using pre-fetched ccache when obtaining kerberos ↵Alexander Bokovoy1-2/+12
credentials When credentials API is used by a client-side program that already as fetched required tickets into a ccache, we need to skip re-initializing ccache. This is used in FreeIPA when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets already.
2012-05-23auth and s4-rpc_server: Do not use features we currently can't implement ↵Simo Sorce1-1/+4
with MIT Kerbros build
2012-05-17auth/gensec: implement gensec_spnego_expire_time()Stefan Metzmacher1-0/+12
metze
2012-05-17auth/gensec: add gensec_expire_time()Stefan Metzmacher2-0/+12
metze
2012-05-04s4-auth: Use smb_krb5_cc_get_lifetime() wrapper.Andreas Schneider1-2/+2
Signed-off-by: Simo Sorce <idra@samba.org>
2012-04-25lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into ↵Alexander Bokovoy3-1/+3
lib/replace/system/gssapi.h With waf build include directories are defined by dependencies specified to subsystems. Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds when there are no system-wide gssapi/gssapi.h available. Split out GSSAPI header includes in a separate replacement header and use that explicitly where needed. Autobuild-User: Alexander Bokovoy <ab@samba.org> Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
2012-04-23Make krb5 wrapper library common so they can be used all overSimo Sorce4-4/+56
2012-04-12srv_keytab: Pass krb5_context directly, it's all we use anyways.Simo Sorce1-1/+2
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12auth-krb: Move pac related util functions in a single place.Simo Sorce4-11/+78
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12auth-krb: Make functions static.Simo Sorce3-100/+2
The remaining gssapi_parse functions were used exclusively in gensec_krb5. Move them there and make them static. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12auth-krb: Use simpler method to extract keytype.Simo Sorce1-19/+12
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12auth-krb: Nove oid packet check to gensec_util.Simo Sorce4-21/+47
This is clearly a utiliy function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12s4-auth-krb: Remove dependency on credentials too.Simo Sorce1-3/+6
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12s4-auth-krb: Remove unneded dependency on kerberos_util.Simo Sorce1-3/+13
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12s4-auth-krb: Move keytab functions in a separate file.Simo Sorce2-2/+3
Confine ldb dependency. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12s4-auth-krb: Move function into more appropriate header.Simo Sorce1-8/+0
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12s4-auth-krb: Make cli_credentials_invalidate_client_gss_creds static.Simo Sorce2-2/+4
It's not used anywhere else. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12s4-auth-krb: Make impersonate_principal_from_credentials static.Simo Sorce1-6/+0
It's not used anywhere else. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12gensec_gssapi: keep private header file close to the actual codeSimo Sorce1-70/+0
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-03-15auth/gensec_gssapi: gss_krb5_lucid_context_v1_t is not shared with the gse ↵Stefan Metzmacher1-1/+1
code anymore metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Mar 15 09:16:16 CET 2012 on sn-devel-104
2012-03-09auth/ntlmssp: Remove reference to struct ntlmssp_stateAndrew Bartlett1-6/+1
2012-03-09auth/ntlmssp: Remove gensec_security element from gensec_ntlmssp_stateAndrew Bartlett4-8/+5
This just means there is one less pointer to ensure we initialise. Andrew Bartlett
2012-03-08auth/kerberos: Fall back to gsskrb5_get_subkey if we did not get the key typeAndrew Bartlett1-4/+23
The key type OID is optional, but we require that information to determine if we should use NEW_SPNEGO. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Mar 8 11:53:57 CET 2012 on sn-devel-104
2012-03-08auth/kerberos: Ensure we do not print invalid memory in failure caseAndrew Bartlett1-4/+1
This codeblock may not have any set->elements, so we should not print them. Copy&paste in the original code. Andrew Bartlett
2012-02-24auth: Remove plugable password-check functions from gensec_ntlmsspAndrew Bartlett5-228/+105
The auth4_context layer now provides the plugability here. Andrew Bartlett
2012-02-24auth: consolidate gensec_ntlmssp_server wrapper functionsAndrew Bartlett2-50/+18
2012-02-24s3-ntlm_auth: Convert ntlm_auth to use gensec_ntlmssp server-sideAndrew Bartlett2-0/+13
This uses the common gensec_ntlmssp server code for ntlm_auth, removing the last non-gensec use of the NTLMSSP server. Andrew Bartlett
2012-02-24auth: Rename some elements of auth4_contextAndrew Bartlett2-17/+17
These operate on NTLM authentication, so make that clear. Andrew Bartlett
2012-02-18auth: Reorder arguments to generate_session_infoAndrew Bartlett2-3/+3
This matches check_ntlm_password() and generate_session_info_pac() Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
2012-02-17auth: Allow the netbios name and domain to be set from winbindd in ntlm_auth3Andrew Bartlett2-2/+13
Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Fri Feb 17 12:18:51 CET 2012 on sn-devel-104
2012-02-17auth: Make more of the ntlmssp code private or staticAndrew Bartlett3-96/+64
Now that there is only one gensec_ntlmssp server, some of these functions can be static For the rest, put the implemtnation of the gensec_ntlmssp code into ntlmssp_private.h Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17auth: Provide a way to specify the NTLMSSP server name to GENSECAndrew Bartlett2-17/+40
This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller knows better. This will allow preservation of current s3 behaviour. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17auth: Rearrange ntlmssp code for clarityAndrew Bartlett1-9/+8
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17auth: Set NTLMSSP_NEGOTIATE_SIGN when session key support is requiredAndrew Bartlett1-0/+3
This matches the s3 NTLMSSP server. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth Use the common gensec_ntlmssp_update in gensec_ntlmssp3_serverAndrew Bartlett2-4/+11
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Use common gensec_ntlmssp server functions for more of ↵Andrew Bartlett2-7/+47
gensec_ntlmssp3_server This is possible because we now supply the auth4_context abstraction that this code is looking for. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Add extra error messages on authentication or authorization failureAndrew Bartlett1-0/+4
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17auth: Cope with NO_USER_SESSION_KEY from security=serverAndrew Bartlett1-2/+8
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17auth: Move the rest of the source4 gensec_ntlmssp code to the top levelAndrew Bartlett6-2/+1099
The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth Hook checking passwords and generating session_info via the ↵Andrew Bartlett1-3/+0
auth4_context This avoids creating a second auth_context, as it is a private pointer in the auth4_context that has already been passed in, and makes the gensec_ntlmssp code agnostic to the type of authentication backend behind it. This will in turn allow the ntlmssp server code to be further merged. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17auth/kerberos: Move gse_get_session_key() to common code and use in ↵Andrew Bartlett1-0/+113
gensec_gssapi Thie ensures that both code bases use the same logic to determine the use of NEW_SPNEGO. Andrew Bartlett
2012-02-13auth: Pass in the SMB username (for %U) into generate_session_infoAndrew Bartlett1-0/+1
This matches what Samba3 does. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Feb 13 01:25:59 CET 2012 on sn-devel-104
2012-02-10gensec: explain gensec_use_kerberos_mechs() logicAndrew Bartlett1-1/+16
Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Fri Feb 10 12:36:23 CET 2012 on sn-devel-104
2012-02-10gensec: set flag to continue in outer for loop in gensec_use_kerberos_mechsAndrew Bartlett1-1/+5
This should be the correct fix for the valgrind erorr Volker found in 744ed53a62037a659133ccd4de2065491208ae7d. This fix avoids putting SPNEGO into the list twice when we are in the CRED_DONT_USE_KERBEROS case. Andrew Bartlett
2012-02-10Revert "gensec: Fix a memory corruption in gensec_use_kerberos_mechs"Andrew Bartlett1-2/+1
This reverts commit 744ed53a62037a659133ccd4de2065491208ae7d. The real bug here is that the second half of the outer loop should not have been run once we found spnego. Andrew Bartlett
2012-02-10credentials: Show returned error_string in debug messageAndrew Bartlett1-2/+2
2012-02-09gensec: Fix a memory corruption in gensec_use_kerberos_mechsVolker Lendecke1-1/+2
Without this I get the following valgrind error: ==27740== Invalid write of size 8 ==27740== at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112) ==27740== by 0x62C623: gensec_security_mechs (gensec_start.c:141) ==27740== by 0x62C777: gensec_security_by_oid (gensec_start.c:181) ==27740== by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735) ==27740== by 0x50D6FD: negprot_spnego (negprot.c:210) ==27740== by 0x5B0DEA: smbd_smb2_request_process_negprot (smb2_negprot.c:209) ==27740== by 0x5AD036: smbd_smb2_request_dispatch (smb2_server.c:1417) ==27740== by 0x5AFB77: smbd_smb2_first_negprot (smb2_server.c:2643) ==27740== by 0x585C00: process_smb (process.c:1641) ==27740== by 0x587F78: smbd_server_connection_read_handler (process.c:2314) ==27740== by 0x587FD6: smbd_server_connection_handler (process.c:2331) ==27740== by 0x99E05B: run_events_poll (events.c:286) ==27740== by 0x584AFF: smbd_server_connection_loop_once (process.c:984) ==27740== by 0x58B2D9: smbd_process (process.c:3389) ==27740== by 0xDE4CA8: smbd_accept_connection (server.c:469) ==27740== by 0x99E05B: run_events_poll (events.c:286) ==27740== by 0x99E2D5: s3_event_loop_once (events.c:349) ==27740== by 0x99F990: _tevent_loop_once (tevent.c:504) ==27740== by 0xDE5A9B: smbd_parent_loop (server.c:869) ==27740== by 0xDE6DD8: main (server.c:1413) ==27740== Address 0x9ff3538 is 4,232 bytes inside a block of size 8,288 alloc'd ==27740== at 0x4C261D7: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==27740== by 0x6926965: __talloc (talloc.c:560) ==27740== by 0x6926771: talloc_pool (talloc.c:598) ==27740== by 0x93B927: talloc_stackframe_internal (talloc_stack.c:145) ==27740== by 0x93B9D6: talloc_stackframe_pool (talloc_stack.c:171) ==27740== by 0x58B2B7: smbd_process (process.c:3385) ==27740== by 0xDE4CA8: smbd_accept_connection (server.c:469) ==27740== by 0x99E05B: run_events_poll (events.c:286) ==27740== by 0x99E2D5: s3_event_loop_once (events.c:349) ==27740== by 0x99F990: _tevent_loop_once (tevent.c:504) ==27740== by 0xDE5A9B: smbd_parent_loop (server.c:869) ==27740== by 0xDE6DD8: main (server.c:1413) In the for-loop we can increment j twice, so we need twice as many output array elements as input array elements. Autobuild-User: Volker Lendecke <vl@samba.org> Autobuild-Date: Thu Feb 9 19:44:47 CET 2012 on sn-devel-104
2012-02-08auth: rename ntlmssp.c to ntlmssp_util.cAndrew Bartlett2-1/+1
2012-01-30gensec: inline gensec_generate_session_info() into only callerAndrew Bartlett2-34/+0
This avoids casting to and from the struct auth_user_info_dc *user_info_dc to to this, the if (user_info_dc->info->authenticated) is moved into auth_generate_session_info_wrapper(), which is the function that gensec_security->auth_context->generate_session_info points to. Andrew Bartlett
2012-01-30auth: Make check_password and generate_session_info hook genericAndrew Bartlett2-6/+4
gensec_ntlmssp does not need to know the internal form of the struct user_info_dc or auth_serversupplied_info. This will allow the calling logic to be put in common. Andrew Bartlett