Age | Commit message (Collapse) | Author | Files | Lines |
|
This uses the common gensec_ntlmssp server code for ntlm_auth, removing
the last non-gensec use of the NTLMSSP server.
Andrew Bartlett
|
|
These operate on NTLM authentication, so make that clear.
Andrew Bartlett
|
|
This matches check_ntlm_password() and generate_session_info_pac()
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Feb 17 12:18:51 CET 2012 on sn-devel-104
|
|
Now that there is only one gensec_ntlmssp server, some of these functions can be static
For the rest, put the implemtnation of the gensec_ntlmssp code into ntlmssp_private.h
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller
knows better. This will allow preservation of current s3 behaviour.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This matches the s3 NTLMSSP server.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
gensec_ntlmssp3_server
This is possible because we now supply the auth4_context abstraction that this
code is looking for.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
The ntlmssp_server code will be in common shortly, and aside from a
symbol name or two, moving the client code causes no harm and makes
less mess. We will also get the client code in common very soon.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
auth4_context
This avoids creating a second auth_context, as it is a private pointer
in the auth4_context that has already been passed in, and makes the
gensec_ntlmssp code agnostic to the type of authentication backend
behind it. This will in turn allow the ntlmssp server code to be
further merged.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
gensec_gssapi
Thie ensures that both code bases use the same logic to determine the use
of NEW_SPNEGO.
Andrew Bartlett
|
|
This matches what Samba3 does.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Feb 13 01:25:59 CET 2012 on sn-devel-104
|
|
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Feb 10 12:36:23 CET 2012 on sn-devel-104
|
|
This should be the correct fix for the valgrind erorr Volker found in
744ed53a62037a659133ccd4de2065491208ae7d. This fix avoids putting
SPNEGO into the list twice when we are in the CRED_DONT_USE_KERBEROS
case.
Andrew Bartlett
|
|
This reverts commit 744ed53a62037a659133ccd4de2065491208ae7d.
The real bug here is that the second half of the outer loop should not
have been run once we found spnego.
Andrew Bartlett
|
|
|
|
Without this I get the following valgrind error:
==27740== Invalid write of size 8
==27740== at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112)
==27740== by 0x62C623: gensec_security_mechs (gensec_start.c:141)
==27740== by 0x62C777: gensec_security_by_oid (gensec_start.c:181)
==27740== by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735)
==27740== by 0x50D6FD: negprot_spnego (negprot.c:210)
==27740== by 0x5B0DEA: smbd_smb2_request_process_negprot (smb2_negprot.c:209)
==27740== by 0x5AD036: smbd_smb2_request_dispatch (smb2_server.c:1417)
==27740== by 0x5AFB77: smbd_smb2_first_negprot (smb2_server.c:2643)
==27740== by 0x585C00: process_smb (process.c:1641)
==27740== by 0x587F78: smbd_server_connection_read_handler (process.c:2314)
==27740== by 0x587FD6: smbd_server_connection_handler (process.c:2331)
==27740== by 0x99E05B: run_events_poll (events.c:286)
==27740== by 0x584AFF: smbd_server_connection_loop_once (process.c:984)
==27740== by 0x58B2D9: smbd_process (process.c:3389)
==27740== by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740== by 0x99E05B: run_events_poll (events.c:286)
==27740== by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740== by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740== by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740== by 0xDE6DD8: main (server.c:1413)
==27740== Address 0x9ff3538 is 4,232 bytes inside a block of size 8,288 alloc'd
==27740== at 0x4C261D7: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27740== by 0x6926965: __talloc (talloc.c:560)
==27740== by 0x6926771: talloc_pool (talloc.c:598)
==27740== by 0x93B927: talloc_stackframe_internal (talloc_stack.c:145)
==27740== by 0x93B9D6: talloc_stackframe_pool (talloc_stack.c:171)
==27740== by 0x58B2B7: smbd_process (process.c:3385)
==27740== by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740== by 0x99E05B: run_events_poll (events.c:286)
==27740== by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740== by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740== by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740== by 0xDE6DD8: main (server.c:1413)
In the for-loop we can increment j twice, so we need twice as many output array
elements as input array elements.
Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Thu Feb 9 19:44:47 CET 2012 on sn-devel-104
|
|
|
|
This avoids casting to and from the struct auth_user_info_dc *user_info_dc
to to this, the
if (user_info_dc->info->authenticated)
is moved into auth_generate_session_info_wrapper(), which is the
function that gensec_security->auth_context->generate_session_info
points to.
Andrew Bartlett
|
|
gensec_ntlmssp does not need to know the internal form of the
struct user_info_dc or auth_serversupplied_info. This will allow the
calling logic to be put in common.
Andrew Bartlett
|
|
There is no need to return the PAC signatures via the special-purpose
torture element. Instead, use a private pointer on the auth_context
in conjunction with the private PAC processing method.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sun Jan 29 23:52:50 CET 2012 on sn-devel-104
|
|
Both use gss_krb5_lucid_context_v1_t now.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 25 10:22:31 CET 2012 on sn-devel-104
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 18 19:29:40 CET 2012 on sn-devel-104
|
|
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Jan 13 06:32:30 CET 2012 on sn-devel-104
|
|
metze
|
|
This makes the dependencies easier to handle.
metze
|
|
metze
|
|
metze
|
|
metze
|
|
This is only a hint for the backend, which may want to fragment
update tokens.
metze
|
|
|
|
These are optional to supply - some callers only provide an auth_context for the
other plugin functions, and so we need to deal with this cleanly.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This make it clearer what type of flags these are.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This will make it easier to share elements of the GSSAPI gensec mechs,
in much the same way elements of the NTLMSSP mech are shared.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
To do this some defines need to move to common_auth.h
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
By providing this context, a function pointer for
generate_session_info_pac() can be inserted into gensec, allowing the
s3 PAC processing in an otherwise more generic gensec module.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
The fact that this function is unimplemented is unimportant to the callers
as credential caches are not handled via the auth/credentials code in s3.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jan 9 03:24:36 CET 2012 on sn-devel-104
|
|
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.
Thankyou Simo for the suggestion.
Andrew Bartlett
|
|
This uses a single callback to handle the PAC from the DATA_BLOB
format until it becomes a struct auth_session_info.
This allows a seperation between the GSS acceptor code and the PAC
interpretation code based on the supplied auth context.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
|
|
|
|
This will help with writing a gensec module for the s3 gse layer.
Andrew Bartlett
|
|
When this returns false, the hash value is not correct as the password
could not be converted into an uppercase, 14 char or less ASCII string.
Andrew Bartlett
|
|
This will allow s3 to specify modules to use as a list, rather than
needing to start the individual module with gensec_start_mech_by_ops()
Andrew Bartlett
|
|
This allows dlz_bind9 to match on exactly the same key as bind9 itself
Andrew Bartlett
Autobuild-User: Amitay Isaacs <amitay@samba.org>
Autobuild-Date: Wed Dec 7 02:20:10 CET 2011 on sn-devel-104
|
|
This library was tiny - containing just two public functions than were
themselves trivial. The amount of overhead this causes isn't really worth the
benefits of sharing the code with other projects like OpenChange. In addition, this code
isn't really generically useful anyway, as it can only load from the module path
set for Samba at configure time.
Adding a new library was breaking the API/ABI anyway, so OpenChange had to be
updated to cope with the new situation one way or another. I've added a simpler
(compatible) routine for loading modules to OpenChange, which is less than 100 lines of code.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Dec 3 08:36:33 CET 2011 on sn-devel-104
|