path: root/source3/librpc
Age | Commit message | Author | Files | Lines
2012-02-16 | s3-gse: Use the session key type, not the lucid context to set NEW_SPNEGO | Andrew Bartlett | 1 | -67/+69
Using gss_krb5_export_lucid_sec_context() is a problem with MIT krb5, as it (reasonably, I suppose) invalidates the gssapi context on which it is called. Instead, we look to the type of session key which is negotiated, and see if it is not AES (or newer). If we negotiated AES or newer, then we set GENSEC_FEATURE_NEW_SPNEGO so that we know to generate valid mechListMic values in SPNEGO. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16 | s3-librpc: Remove unused bool gensec_hook | Andrew Bartlett | 1 | -2/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-26 | s3:gse: return NT_STATUS_LOGON_FAILURE instead of NT_STATUS_INTERNAL_ERROR | Stefan Metzmacher | 1 | -2/+2
This matches the behavior of ads_verify_ticket(). Note that ads_verify_ticket() calls krb5_to_nt_status(), but as a server it's likely to always return NT_STATUS_UNSUCCESSFUL. ads_verify_ticket() maps NT_STATUS_UNSUCCESSFUL to NT_STATUS_LOGON_FAILURE. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Jan 26 10:48:36 CET 2012 on sn-devel-104
2012-01-25 | s3-gse: add GENSEC_FEATURE_NEW_SPNEGO detection in gensec_gse_have_feature() | Stefan Metzmacher | 1 | -0/+55
metze
2012-01-20 | s3-gse: make sure GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAG | Stefan Metzmacher | 1 | -0/+6
metze
2012-01-20 | s3-gse: implement fill_mem_keytab_from_[system|dedicated]_keytab | Stefan Metzmacher | 1 | -6/+234
metze
2012-01-20 | s3-gse: create memory keytab in gse_krb5_get_server_keytab() | Stefan Metzmacher | 1 | -27/+25
The other functions just add entries to it. metze
2012-01-20 | s3-gse: fix SECRETS_AND_KEYTAB fallback in gse_krb5_get_server_keytab() | Stefan Metzmacher | 1 | -6/+13
metze
2012-01-18 | s3-gse: align common elements between gse_context and gensec_gssapi_state | Andrew Bartlett | 1 | -7/+8
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-gse: Make gensec_gse cope with non-DCE GSSAPI | Andrew Bartlett | 1 | -5/+8
The validation of the mutual authentication reply produces no further data to send to the server. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-gse: the server should not check for GSS_C_MUTUAL_FLAG | Stefan Metzmacher | 1 | -6/+0
It is up to the client to ask for GSS_C_MUTUAL_FLAG, except for the dcerpc case, where the server is stricter. metze
2012-01-18 | s3-gse: verify that we got GSS_C_DCE_STYLE when expected | Stefan Metzmacher | 1 | -0/+11
GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG, so also check for it. metze
2012-01-18 | s3-gse Remove authenticated flag from gse | Andrew Bartlett | 1 | -7/+0
The only user for this flag is called only directly after it was set. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-gse remove special more_processing hook from gse | Andrew Bartlett | 1 | -12/+2
The NT_STATUS_MORE_PROCESSING_REQUIRED status code is what gensec is expecting in any case. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-gse Rename gss_c_flags and ret_flags in gse | Andrew Bartlett | 1 | -18/+18
This makes it clearer what type of flags these are and matches gensec_gssapi Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-gse Rename gss_ctx to match gensec_gssapi_context | Andrew Bartlett | 1 | -17/+17
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-gse Rename delegated_creds to match gensec_gssapi_context | Andrew Bartlett | 1 | -4/+4
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-gse gss_wrap_iov_length() only needs the type and length | Stefan Metzmacher | 1 | -2/+4
metze
2012-01-18 | s3-gse Make seal parameter a boolean for clarity | Andrew Bartlett | 1 | -2/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-librpc Remove special case for spnego session key | Andrew Bartlett | 2 | -15/+0
SPNEGO is implemented only in terms of gensec mechanisms now. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-librpc Remove special case for spnego dcerpc sign/seal | Andrew Bartlett | 1 | -92/+18
SPNEGO is implemented only in terms of gensec mechanisms now. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-gse Move GSS_C_DCE_STYLE backup definition to gse.c | Andrew Bartlett | 2 | -4/+4
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-gse Add const | Andrew Bartlett | 1 | -4/+4
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-gse Remove or make static unused/local-only GSE functions | Andrew Bartlett | 2 | -270/+33
The GSE layer is now used via the GENSEC module, so we do not need these functions exposed any more. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-librpc Remove layer around struct gensec_security | Andrew Bartlett | 2 | -11/+9
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-librpc: Simplify SPNEGO code now that all mechs use a struct gensec_security | Andrew Bartlett | 3 | -80/+28
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-librpc Call SPNEGO/GSSAPI via the auth_generic layer and gensec | Andrew Bartlett | 3 | -120/+19
This simplifies a lot of code, as we know we are always dealing with a struct gensec_security, and allows the gensec module being used to implement GSSAPI to be swapped for AD-server operation. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-librpc Allow spnego_generic_init_client to handle kerberos too | Andrew Bartlett | 1 | -0/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-librpc Call GSSAPI via the auth_generic layer and gensec | Andrew Bartlett | 1 | -108/+3
This simplifies a lot of code, as we know we are always dealing with a struct gensec_security, and allows the gensec module being used to implement GSSAPI to be swapped when required for AD-server operation. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-gse Make gse available as a gensec client module | Andrew Bartlett | 2 | -1/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-gse: Add gensec wrapper for gse GSSAPI client | Andrew Bartlett | 1 | -0/+440
This brings in part of the s4 gensec_gssapi as the boilerplate for the new module. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-12 | s3: Put an indirection layer into share_mode_lock | Volker Lendecke | 1 | -1/+1
Signed-off-by: Jeremy Allison <jra@samba.org>
2012-01-11 | s3-librpc Supply target service and server to spnego_generic_init_client() | Andrew Bartlett | 2 | -0/+16
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 | s3-librpc: Rename spnego_ntlmssp_init_client and make generic | Andrew Bartlett | 2 | -4/+15
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 | s3-librpc: rename get_ntlmssp_auth_footer to be more generic | Andrew Bartlett | 1 | -5/+5
This can handle any gensec auth type now. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 | s3-librpc Return user principal name on supplied mem_ctx | Andrew Bartlett | 1 | -3/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-06 | s3-libsmb Make auth_ntlmssp client more generic | Andrew Bartlett | 1 | -12/+13
As well as renaming, this allows us to start the mech by DCE/RPC auth type or OID. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 | s3-librpc remove unused headers | Andrew Bartlett | 1 | -2/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 | s3:gse: MIT krb5 1.8.1 has a bug in gss_wrap_iov() | Stefan Metzmacher | 1 | -1/+1
gss_krb5int_make_seal_token_v3_iov() doesn't set '*conf_state'. metze
2012-01-05 | s3-librpc store the sign/seal flags we got in the gssapi client | Andrew Bartlett | 1 | -1/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 | s3-libads Factor out a new routine kerberos_get_principal_from_service_hostname() | Andrew Bartlett | 1 | -3/+11
This is now used in the GSE GSSAPI client, so that when we connect to a target server at the CIFS level, we use the same name to connect at the DCE/RPC level. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 | s3-librpc Use gsskrb5_get_subkey() where available to get the session key | Andrew Bartlett | 1 | -0/+15
This allows gse_get_session_key() to work against Heimdal. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 | s3-librpc Use gensec_sig_size() instead of a fixed NTLMSSP_SIG_SIZE | Andrew Bartlett | 1 | -2/+7
Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Dec 22 20:57:27 CET 2011 on sn-devel-104
2011-12-22 | s3-auth rename auth_ntlmssp_state -> auth_generic_state | Andrew Bartlett | 1 | -1/+1
This structure handles more than NTLMSSP now, at least when we are an AD DC and so changing the name may avoid some confusion in the future. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-13 | s3: Convert open_files.idl to tab indents | Volker Lendecke | 1 | -34/+34
2011-12-13 | s3:messaging.idl: obsolete unused MSG_SMB_SAM_* | Stefan Metzmacher | 1 | -2/+2
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Dec 13 14:13:38 CET 2011 on sn-devel-104
2011-12-02 | s3: Use autogenerated open_files.idl | Volker Lendecke | 2 | -1/+6
2011-12-02 | s3: Add open_files.idl | Volker Lendecke | 1 | -0/+48
2011-10-31 | s3: Remove some leftovers of old ctdb tdb2 code | Volker Lendecke | 1 | -16/+1
2011-10-21 | s3-ntlmssp Remove references to auth_ntlmssp_context from the rpc code | Andrew Bartlett | 3 | -32/+35
We always dereferenced auth_ntlmssp_state->gensec_security, so now we do not bother passing around the whole auth_ntlmssp_state. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>