Age | Commit message (Collapse) | Author | Files | Lines |
|
We should treat most gensec related structures private.
It's a long way, but this is a start.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
NOT_IMPLEMENTED
Preferr NT_STATUS_NO_USER_SESSION_KEY as return value of gensec_session_key().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
We only do this if it's still CRED_CALLBACK after the callback,
this allowes the callback to overwrite it.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Aug 5 09:36:05 CEST 2013 on sn-devel-104
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
This is useful for testing.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
cli_credentials_get_principal_and_obtained()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
cli_credentials_get_unparsed_name()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
This changes (again...) our system md5 detection to cope with how
OpenIndiana does md5. I'm becoming increasingly convinced this isn't
worth our while (we should have just done samba_md5...), but for now
this change seems to work on FreeBSD, OpenIndiana and Linux with
libbsd.
This needs us to rename struct MD5Context -> MD5_CTX, but we provide a
config.h define to rename the type bad if MD5_CTX does not exist (it does
however exist in the md5.h from libbsd).
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 19 21:32:36 CEST 2013 on sn-devel-104
|
|
This file was only used by the autoconf build system.
Andrew Bartlett
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
|
|
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 15 20:05:34 CEST 2013 on sn-devel-104
|
|
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
level 5
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
Since we open with dbwrap, it auto-converts old tdbs (which it will
rename to secrets.tdb.bak once it's done).
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au>
Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104
|
|
The sense of this test was inverted. We only want to take the ACCESS_DENIED error
if gensec:require_pac=true.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
this is used to support retrying kerberos connections after removing a
ccache entry, to cope with a server being re-built while our client
still has a valid service ticket
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
changes
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Sep 22 02:44:07 CEST 2012 on sn-devel-104
|
|
With winbindd trying to verify the signature of an application provided
PAC, this message can be easily triggered. Adjust the debug level to
avoid filling up the logs.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
The fact that a password was created here is enough information, so
overwrite with the function name and line.
Andrew Bartlett
|
|
This allows a password alone to be used to accept kerberos tickets.
Of course, we need to have got the salt right, but we do not need also
the correct kvno. This allows gensec_gssapi to accept tickets based on
a secrets.tdb entry.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Aug 30 01:26:12 CEST 2012 on sn-devel-104
|
|
|
|
By checking first if there is a secrets.tdb record and passing in the password and last change time
we avoid setting one series of values and then replacing them. We also avoid the need to work
around the setting of anonymous.
Andrew Bartlett
|
|
By using a tempoary talloc context this is much tidier and more reliable code.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug 29 03:11:10 CEST 2012 on sn-devel-104
|
|
This pointer is only valid if dbwrap_fetch returned success.
Andrew Bartlett
|
|
recent machine pw
As winbindd will update secrets.tdb but not secrets.ldb, we need to detect this and use secrets.tdb
Andrew Bartlett
|
|
workstation and realm
These would otherwise be set during the fetch from the secrets.ldb, but are wiped when that fails.
Andrew Bartlett
|
|
there is a libsecurity on OSF1 which clasheѕ with our security lib. see bug #9023.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Fri Aug 10 14:22:21 CEST 2012 on sn-devel-104
|
|
This avoids a smb_panic at log level = 10.
If we don't have a talloc stackframe yet.
metze
|
|
Found with -Werror=pointer-arith
Andrew Bartlett
|
|
|
|
This is for use with the -P/--machine-pass option.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Jul 15 05:41:28 CEST 2012 on sn-devel-104
|
|
Several functions use the same logic as kerberos_pac_logon_info. Move
kerberos_pac_logon_info to common code and reuse it to remove the code
duplication.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge,
so if we ever did use a module that needed this functionlity, we would
downgrade to just NTLM.
Now that security=server has been removed, we have no such module.
This will make it easier to make the auth subsystem async, as we will
not need to consider making .get_challenge async.
Andrew Bartlett
|
|
|
|
gss_get_name_attribute() can return unintialized pac_display_buffer
and later gss_release_buffer() will crash on attempting to release it.
The fix on MIT krb5 side is in 1.10.1, reported in both Debian and MIT upstream:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514
http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087
We need to initialize variables before using gss_get_name_attribute()
Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Jun 6 18:22:51 CEST 2012 on sn-devel-104
|
|
The root cause for existing ccache being invalidated was use of global loadparm with
'workgroup' value set as if from command line. However, we don't really need to take
'workgroup' parameter value's nature into account when invalidating existing ccache.
When -U is used on the command line, one can specify a password to force ccache
invalidation.
The commit also reverts previous fix now that root cause is clear.
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
credentials
When credentials API is used by a client-side program that already as fetched required
tickets into a ccache, we need to skip re-initializing ccache. This is used in FreeIPA
when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets
already.
|
|
with MIT Kerbros build
|
|
metze
|
|
metze
|
|
Signed-off-by: Simo Sorce <idra@samba.org>
|
|
lib/replace/system/gssapi.h
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.
Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.
Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
|