summaryrefslogtreecommitdiff
path: root/source3/libads/sasl.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r24251: Neverending fun:Günther Deschner1-1/+1
Heimdal doesn't accept all OIDs and gss_import_name() fails with GSS_S_BAD_NAMETYPE using this one. Use the GSS_KRB5_NT_PRINCIPAL_NAME OID instead (which works with at least MIT 1.6.1 and Heimdal 1.0.1). Guenther (This used to be commit f783b32b65ee50e3730ae2d039ca04c9fc5a201a)
2007-10-10r24131: - make it more clear what the different min and max fields meanStefan Metzmacher1-33/+44
- with the "GSSAPI" sasl mech the plain, sign or seal negotiation is independed from the req_flags and ret_flags - verify the server supports the wrapping type we want - better handling on negotiated buffer sizes metze (This used to be commit d0ec7323870ca16b28d458ff5f7dacce278b7d54)
2007-10-10r24128: fix double free in error pathStefan Metzmacher1-6/+7
metze (This used to be commit 29e2d8e044c9213643a2f5f29891ce853a839347)
2007-10-10r24104: fix the build, sorry...Stefan Metzmacher1-3/+4
metze (This used to be commit a5e1f9fd293fab26d664a72ee652eb8ca72128b7)
2007-10-10r24103: add some useful debug messages, as not all LDAPStefan Metzmacher1-3/+19
libraries support wrapping hooks... metze (This used to be commit 581a1d3a20ffed42ccc7f35f163fd343ed12ccd3)
2007-10-10r24098: - make use of the ads_service_principal abstractionStefan Metzmacher1-61/+32
also for the "GSSAPI" sasl mech. - also use the ads_kinit_password() fallback logic from the "GSS-SPNEGO" sasl mech. metze (This used to be commit cbaf44de1e1f8007dc4ca249791ea30d2902c7c4)
2007-10-10r24095: add one more fallback alternative toStefan Metzmacher1-0/+20
construct the principal metze (This used to be commit b545667d2a45a79bba05c9fe9e93a19951d60af7)
2007-10-10r24093: move gssapi/krb5 principal handling into a functionStefan Metzmacher1-88/+146
metze (This used to be commit 83de27968d434d67d23851b0c285221c870ff75e)
2007-10-10r24062: fix logic for broken krb5 libs which always forceStefan Metzmacher1-1/+2
sign and seal... metze (This used to be commit 4a4fc8cccbcbe17eebcefcd0107f7de60d751f5c)
2007-10-10r24042: add support for krb5 sign and seal in LDAP via "GSS-SPNEGO"Stefan Metzmacher1-1/+309
metze (This used to be commit 34ab84aceb86195743abd26c46a631640409725e)
2007-10-10r24037: only setup sasl wrapping after a successful bindStefan Metzmacher1-2/+4
metze (This used to be commit 85d6cd3dfb5cbd9e899957265e352583ff608ed4)
2007-10-10r23953: Some C++ warningsVolker Lendecke1-3/+6
(This used to be commit 8716edf157bf8866328f82eb6cf25e71af7fea15)
2007-10-10r23948: add gsskrb5 sign and seal support for LDAP connectionsStefan Metzmacher1-5/+135
NOTE: only for the "GSSAPI" SASL mech yet metze (This used to be commit a079b66384b15e9d569dded0d9d6bd830e1a6dfa)
2007-10-10r23946: add support for NTLMSSP sign and sealStefan Metzmacher1-1/+122
NOTE: windows servers are broken with sign only... metze (This used to be commit 408bb2e6e2171196a2bd314db181d9b124e931a1)
2007-10-10r23945: add infrastructure to select plain, sign or seal LDAP connectionStefan Metzmacher1-0/+8
metze (This used to be commit 2075c05b3d8baa7d6d8510cd962471a5781740a6)
2007-10-10r23888: move elements belonging to the current ldap connection to aStefan Metzmacher1-6/+6
substructure. metze (This used to be commit 00909194a6c1ed193dfdb296f50f58a53450583c)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; andVolker Lendecke1-9/+9
replace all data_blob(NULL, 0) calls. (This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
2007-10-10r22153: fix LDAP SASL "GSSAPI" bind against w2k3, this isn't criticalStefan Metzmacher1-5/+10
because we try "GSS-SPNEGO" first and all windows version support that. metze (This used to be commit 34a5badbded0b2537ee854287931e2a7dc3aeb37)
2007-10-10r22092: - make spnego_parse_auth_response() more generic andStefan Metzmacher1-1/+1
not specific for NTLMSSP - it's possible that the server sends a mechOID and authdata if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE metze (This used to be commit e9f2aa22f90208a5e530ef3b68664151960a0a22)
2007-10-10r22079: Tsk, tsk, Metze didn't compile before check-in :-).Jeremy Allison1-1/+1
Merge the memory leak fix (with fix :-) to 3.0.25. Jeremy. (This used to be commit ab3150fe4ed2a629eb371db5f43ae09b9c583a64)
2007-10-10r22078: fix memory leak in not often used code, we only use it if the serverStefan Metzmacher1-3/+3
doesn't support GSS-SPNEGO in SASL can someone please review this, maybe it's also for 3.0.25 metze (This used to be commit 8c6930b7013b185af0530b04a7d5a49bc2ce7831)
2007-10-10r21850: After Jerry explained to me the HORRIBLE way in whichJeremy Allison1-5/+15
the MIT gss libraries *SUCK*, move the frees to the end of the function so MIT doesn't segfault..... Add a comment so that another engineer knows why I did this. Jeremy. (This used to be commit 1a2be06d4a1131952a97f94b05ae69b1dce4c300)
2007-10-10r21847: Fix memory leaks in error paths (and in main code path in one case...)Jeremy Allison1-5/+13
in sasl bind. Wonder why coverity didn't find these ? Jeremy. (This used to be commit 89bdd30e4b2bb9dbc2ab57c54be8c6d01cae5a26)
2007-10-10r21273: * Protect the sasl bind against a NULL principal stringGerald Carter1-1/+29
in the SPNEGO negTokenInit (This used to be commit fe70c224964bf15d626bfd4e0cc6d060e45bba87)
2007-10-10r21240: Fix longstanding Bug #4009.Günther Deschner1-2/+6
For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files". Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)). Guenther (This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
2007-10-10r21046: Backing out svn r20403 (Andrew's krb5 ticket cleanupGerald Carter1-0/+11
as this is causing the WRONG_PASSWORD error in the SetUserInfo() call during net ads join). We are now back to always list RC4-HMAC first if supported by the krb5 libraries. (This used to be commit 4fb57bce87588ac4898588ea4988eadff3a7f435)
2007-10-10r20403: Cleaning out my Samba 3.0 tree:Andrew Bartlett1-11/+0
As discussed with jerry at the CIFS conf: overriding the administrator's wishes from the krb5.conf has only every given me segfaults. We suggest leaving this up to the defaults from the libraries anyway. Andrew Bartlett (This used to be commit 0b72c04906b1c25e80b217a8f34fd3a8e756b9ca)
2007-10-10r20132: get rid of defined but not used warning - static function only usedHerb Lewis1-0/+2
inside the #ifdef HAVE_KRB5 (This used to be commit c6cdf76c5809b4a4b145acb7dd4a695aaf7fcd28)
2007-10-10r18047: More C++ stuffVolker Lendecke1-3/+3
(This used to be commit 86f4ca84f2df2aa8977eb24828e3aa840dda7201)
2007-10-10r18019: Fix a C++ warnings: Don't use void * in libads/ for LDAPMessage anymore.Volker Lendecke1-1/+1
Compiled it on systems with and without LDAP, I hope it does not break the build farm too badly. If it does, I'll fix it tomorrow. Volker (This used to be commit b2ff9680ebe0979fbeef7f2dabc2e3f27c959d11)
2007-10-10r17899: Fix Stanford checker bug - possible null deref.Jeremy Allison1-2/+5
Jeremy. (This used to be commit e77949175144cbe4cfa58788d13acc704eebc251)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-2/+0
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name,Jeremy Allison1-1/+1
smb_krb5_parse_name_norealm_conv that pull/push from unix charset to utf8 (which krb5 uses on the wire). This should fix issues when the unix charset is not compatible with or set to utf8. Jeremy. (This used to be commit 37ab42afbc9a79cf5b04ce6a1bf4060e9c961199)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-5/+18
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r13137: make cleare where long ifdefs endsSimo Sorce1-2/+2
(This used to be commit 58e48fef450f71ac15219f73897801c5a66a2c44)
2007-10-10r11504: Added Andrew Bartletts removal of another NTLMSSP implementationJeremy Allison1-85/+89
patch. Jeremy. (This used to be commit 4591984176fd32ba25155fbc6889a1c637019a08)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-1/+1
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r8989: Fix a warningVolker Lendecke1-1/+1
(This used to be commit 3d491ebf9ca8edae938aee08abb924905fd83deb)
2007-10-10r7139: trying to reduce the number of diffs between trunk and 3.0; changing ↵Gerald Carter1-4/+1
version to 3.0.20pre1 (This used to be commit 9727d05241574042dd3aa8844ae5c701d22e2da1)
2007-10-10r6149: Fixes bugs #2498 and 2484.Derrell Lipman1-1/+4
1. using smbc_getxattr() et al, one may now request all access control entities in the ACL without getting all other NT attributes. 2. added the ability to exclude specified attributes from the result set provided by smbc_getxattr() et al, when requesting all attributes, all NT attributes, or all DOS attributes. 3. eliminated all compiler warnings, including when --enable-developer compiler flags are in use. removed -Wcast-qual flag from list, as that is specifically to force warnings in the case of casting away qualifiers. Note: In the process of eliminating compiler warnings, a few nasties were discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED kerberos interfaces are being used. Someone who knows kerberos should look at these and determine if there is an alternate method of accomplishing the task. (This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
2007-10-10r5952: BUG 2469: patch from Jason Mader to cleanup compiler warning when not ↵Gerald Carter1-0/+4
using krb5 (This used to be commit 19a639ac468237b22f16d917c0150fbf10c9623e)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-1/+1
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r1378: Better debugging so I don't get confused what principal we mean.Jeremy Allison1-2/+2
Jeremy. (This used to be commit de80e8b1698d34637cf9c105a8fe02f435d83b02)
2007-10-10r541: fixing segfault in winbindd caused -r527 -- looks like a bug in ↵Gerald Carter1-1/+1
heimdal; also initialize some pointers (This used to be commit be74e88d9a4b74fcaf25b0816e3fa8a487c91ab5)
2007-10-10r533: More memory leak fixes from kawasa_r@itg.hitachi.co.jp. I need toJeremy Allison1-8/+32
valgrind winbindd with these in.... Jeremy. (This used to be commit fa4774b73d338a0c0df09f23cd738279bf4e71a2)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett1-5/+12
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2003-08-15s/OM_uint32//uint32/gGerald Carter1-2/+2
(This used to be commit f8a092e7b42cd157cf86240984be40badd0afd87)
2003-08-15get rid of more compiler warningsHerb Lewis1-8/+8
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)