| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Avoid overriding default ccache for ads operations.
Nowadays various samba components may need to use GSSAPI and a default cred
cache to perform their tasks.
This code was completely overriding the whole process default ccache name, thus
altering the current credentials and sometimes hijacking them (or getting
preemptively hijaked).
By using gss_krb5_import_cred we can instead use a private ccache (necessary
sometimes to use a different set of credentials fromt he default
cifs/fqdn@realm one, for example when contacting foreign DCs using trust
credentials) that does not affect the rest of the process.
For the kerberos versions which don't have gss_krb5_import_cred
we fallback to temp override of KRB5CCNAME and gss_acquire_cred.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
|
|
|
|
|
|
This is in preperation for the parameter table being made common.
Andrew Bartlett
Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
|
|
lib/replace/system/gssapi.h
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.
Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.
Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
|
|
HAVE_KRB5 already implies that GSSAPI is present as well.
Andrew Bartlett
|
|
This allows us to use the shared gensec_wrap() implementation already used by the
smb sealing code, as well as making this code more generic.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This brings in the code from both libcli/auth and
source4/auth/ntlmssp.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
There is no need to mask out these flags as they simply are not set
yet.
The correct abstraction is to ask for NTLMSSP features.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
There is no reason this can't be a normal constant string in the
loadparm system, now that we have lp_set_cmdline() to handle overrides
correctly.
Andrew Bartlett
|
|
|
|
Guenther
|
|
This principal is not supplied by later versions of windows, and using
it opens up some oportunities for man in the middle attacks. (Becuase
it isn't the name being contacted that is verified with the KDC).
This adds the option 'client use spnego principal' to the smb.conf (as
used in Samba4) to control this behaivour. As in Samba4, this
defaults to false.
Against 2008 servers, this will not change behaviour. Against earlier
servers, it may cause a downgrade to NTLMSSP more often, in
environments where server names are not registered with the KDC as
servicePrincipalName values.
Andrew Bartlett
|
|
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
as we indirect the first returned value OIDs[0], which is returned as NULL.
Jeremy.
|
|
<andreas.moroder@gmx.net>".
Jeremy.
|
|
Guenther
|
|
contexts.
Jeremy.
|
|
context tallocs.
Jeremy.
|
|
use of malloc, and data_blob().
Jeremy.
|
|
as this correctly describes what this function does.
Jeremy.
|
|
but a TokenInit one.
Move to using spnego_gen_negTokenInit() instead.
Jeremy
|
|
We now have one function to do this in all calling code. More rationalization
to follow.
Jeremy.
|
|
negTokenInit's here. Use common code in spnego_parse_negTokenInit().
Jeremy.
|
|
All the members are children of ntlmssp_state anyway.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This ensures the results can't be easily left to leak.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
The code is not yet in common, but I hope to fix that soon.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
If server requires LDAP signing we're getting LDAP_STRONG_AUTH_REQUIRED,
if "client ldap sasl wrapping = plain", instead of failing we now
autoupgrade to "client ldap sasl wrapping = sign" for the given connection.
metze
|
|
Inspired by the NTLMSSP merge work by Andrew Bartlett.
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Andrew Bartlett
|
|
Guenther
|
|
Guenther
|
|
"status" was used uninitialized on success -- metze, please check
(This used to be commit a0859529c853ffb756b1deee946923b6fff6136e)
|
|
metze
(This used to be commit b55b19190d9c1199be13727a75a5936d6f5f15a8)
|
|
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
|
|
(This used to be commit 3e155b249e03cc9f7bd0cbf3a3ab8a57536bf0ce)
|
|
The translate_name() used by cli_session_setup_spnego() cann rely
Winbindd since it is needed by the join process (and hence before
Winbind can be run).
(This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c)
|
|
and client fixes. Patch from Todd Stetcher <todd.stetcher@isilon.com>.
(This used to be commit 8304ccba7346597425307e260e88647e49081f68)
|
|
warnings
for clock-skew errors.
Guenther
(This used to be commit 53c99d415d605ab03e3646f6096aff794457dd33)
|
|
The gss_import_name() broke as we switched from the internal MIT OID
"gss_nt_krb5_principal" to "GSS_KRB5_NT_PRINCIPAL_NAME" and didn't switch from
passing the krb5_principal (or better: a pointer to that, see MIT's "*HORRIBLE*
bug") to pass the string principal directly.
Jerry, Jeremy, neither I could figure out the need of passing in a
krb5_principal at all nor could I reproduce the crash you were seeing.
I sucessfully tested the code (now importing a string) with MIT 1.2.7, 1.3.6,
1.4.3, 1.5.1, 1.6.1 and Heimdal 0.7.2, 1.0, 1.0.1.
Guenther
(This used to be commit cb2dc715e33467c8b588161e816e72a948f6860c)
|
|
Guenther
(This used to be commit 2dea9464bba76af4315a8207ccd3e564ec19d146)
|
|
Guenther
(This used to be commit f31949ec3456134de474a0219a8cd5dcd15adea6)
|
|
in the
"not_defined_in_RFC4178@please_ignore" case to make at least LDAP SASL binds
succeed with windows server 2008.
Guenther
(This used to be commit f5b3de4d3069eaa750240e3422bac5cb169b6c0a)
|
|
Heimdal doesn't accept all OIDs and gss_import_name() fails with
GSS_S_BAD_NAMETYPE using this one. Use the GSS_KRB5_NT_PRINCIPAL_NAME OID
instead (which works with at least MIT 1.6.1 and Heimdal 1.0.1).
Guenther
(This used to be commit f783b32b65ee50e3730ae2d039ca04c9fc5a201a)
|
|
- with the "GSSAPI" sasl mech the plain, sign or seal negotiation
is independed from the req_flags and ret_flags
- verify the server supports the wrapping type we want
- better handling on negotiated buffer sizes
metze
(This used to be commit d0ec7323870ca16b28d458ff5f7dacce278b7d54)
|
|
metze
(This used to be commit 29e2d8e044c9213643a2f5f29891ce853a839347)
|
|
metze
(This used to be commit a5e1f9fd293fab26d664a72ee652eb8ca72128b7)
|
|
libraries support wrapping hooks...
metze
(This used to be commit 581a1d3a20ffed42ccc7f35f163fd343ed12ccd3)
|
|
also for the "GSSAPI" sasl mech.
- also use the ads_kinit_password() fallback logic
from the "GSS-SPNEGO" sasl mech.
metze
(This used to be commit cbaf44de1e1f8007dc4ca249791ea30d2902c7c4)
|
|
construct the principal
metze
(This used to be commit b545667d2a45a79bba05c9fe9e93a19951d60af7)
|
|
metze
(This used to be commit 83de27968d434d67d23851b0c285221c870ff75e)
|
