Age | Commit message (Collapse) | Author | Files | Lines |
|
Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Tue Apr 24 15:04:14 CEST 2012 on sn-devel-104
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
This is clearly a utiliy function generic to gensec. Also the 3 callers
had identical implementations. Provide a generic implementation for all
of them and avoid duplicating the code everywhere.
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Sat Mar 17 03:21:06 CET 2012 on sn-devel-104
|
|
We already confirm that we have this functionality before we set HAVE_KRB5 at
configure time.
Andrew Bartlett
|
|
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Feb 18 06:22:40 CET 2012 on sn-devel-104
|
|
gensec_gssapi
Thie ensures that both code bases use the same logic to determine the use
of NEW_SPNEGO.
Andrew Bartlett
|
|
|
|
|
|
All our supported krb5 libs provide this.
Andrew Bartlett
|
|
|
|
gensec_update() ensures that DCE-style and sign/seal are negotiated correctly
for DCE/RPC pipes. Also, the smb sealing client/server already check for the
gensec_have_feature().
This additional check just keeps causing trouble, and is 'protecting'
an already secure negoitated exchange.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Feb 16 21:19:44 CET 2012 on sn-devel-104
|
|
Using gss_krb5_export_lucid_sec_context() is a problem with MIT krb5, as
it (reasonably, I suppose) invalidates the gssapi context on which it
is called. Instead, we look to the type of session key which is
negotiated, and see if it not AES (or newer).
If we negotiated AES or newer, then we set GENSEC_FEATURE_NEW_SPENGO
so that we know to generate valid mechListMic values in SPNEGO.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This matches the behavior of ads_verify_ticket().
Note that ads_verify_ticket() calls krb5_to_nt_status(), but
as a server it's likely to always returns NT_STATUS_UNSUCCESSFUL.
ads_verify_ticket() maps NT_STATUS_UNSUCCESSFUL to NT_STATUS_LOGON_FAILURE.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Jan 26 10:48:36 CET 2012 on sn-devel-104
|
|
metze
|
|
metze
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
The validation of the mutual authentication reply produces no further
data to send to the server.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
It up to the client to ask for GSS_C_MUTUAL_FLAG,
except for the dcerpc case, where the server is stricter.
metze
|
|
GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG, so also check for it.
metze
|
|
The only user for this flag is called only directly after it was set.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
The NT_STATUS_MORE_PROCESSING_REQUIRED status code is what gensec
is expecting in any case.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This make it clearer what type of flags these are and matches
gensec_gssapi
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
metze
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
The GSE layer is now used via the GENSEC module, so we do not need these
functions exposed any more.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This brings in part of the s4 gensec_gssapi as the boilerplate for the
new module.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
gss_krb5int_make_seal_token_v3_iov() doesn't set '*conf_state'.
metze
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
kerberos_get_principal_from_service_hostname()
This is now used in the GSE GSSAPI client, so that when we connect to
a target server at the CIFS level, we use the same name to connect
at the DCE/RPC level.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This allows gse_get_session_key() to work against Heimdal.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
We detect this function at configure time, but it currently fails to
operate the way we need - that is, when the principal is not
specified, it gives this error. When the principal is specified we
get 'wrong principal in request' in the GSS acceptor, so for now the
best option is to fall back to the alternate approach.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Jul 20 06:35:05 CEST 2011 on sn-devel-104
|
|
We may not be able to obtain the full error string, so print what we can get.
This is required when the error is the the GSSAPI layer, not the mechanism.
Andrew Bartlett
|
|
These come in via the smb_krb5.h include (and lib/replace/system/kerberos.h)
in the end.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Michael Adam <obnox@samba.org>
Autobuild-Date: Tue May 10 23:12:31 CEST 2011 on sn-devel-104
|
|
|
|
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Apr 27 23:08:48 CEST 2011 on sn-devel-104
|
|
This is constant data according to the man pages I find for this
fucntion, and causes a segfault to free() when linked to Heimdal. I
am advised that while it is constant for gss_mech_krb5, it may not be
for other mechanisms, so an assert will ensure this is dealt with by
the programmer who extends this code in future.
Andrew Bartlett
|
|
This only works for Heimdal and MIT Krb5 1.8, other versions will get
an ACCESS_DEINED error.
We no longer manually verify any details of the PAC in Samba for
GSSAPI logins, as we never had the information to do it properly, and
it is better to have the GSSAPI library handle it.
Andrew Bartlett
|
|
This Heimdal function does not set the global state, and allows the
GSSAPI server to progress further when compiled against Heimdal (such
as in the top level build).
The ability to specify a keytab has been removed from the API as it is
unused, and and the Heimdal function (avoiding setting global
variables) works with an open keytab.
Andrew Bartlett
|
|
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|