summaryrefslogtreecommitdiff
path: root/source3/libsmb/clikrb5.c
AgeCommit message (Collapse)AuthorFilesLines
2004-01-13sync HEAD with recent changes in 3.0Gerald Carter1-11/+13
(This used to be commit c98399e3c9d74e19b7c9d806ca8028b48866931e)
2003-11-22(merge from 3.0)Andrew Bartlett1-8/+8
Changes all over the shop, but all towards: - NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... Andrew Bartlett (This used to be commit 57a895aaabacc0c9147344d097d333793b77c947)
2003-09-09sync 3.0 into HEAD for the last timeGerald Carter1-10/+10
(This used to be commit c17a7dc9a190156a069da3e861c18fd3f81224ad)
2003-08-02port latest changes from SAMBA_3_0 treeSimo Sorce1-8/+28
(This used to be commit 3101c236b8241dc0183995ffceed551876427de4)
2003-07-16trying to get HEAD building again. If you want the codeGerald Carter1-15/+15
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE (This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
2003-02-25Fix unused variable warning when ENCTYPE_ARCFOUR_HMAC is not defined.Tim Potter1-0/+2
(This used to be commit 92abafa62894a125c5a09fc92f5056e4d8b51089)
2003-02-24Clean up non-krb5 breakages from my modifications to luke howard's patch.Andrew Bartlett1-7/+1
Andrew Bartlett (This used to be commit 32fd0c49009e38022523cc5c14567dd55de08206)
2003-02-24Patch from Luke Howard to add mutual kerberos authentication, and SMB sessionAndrew Bartlett1-9/+47
keys for kerberos authentication. Andrew Bartlett (This used to be commit 8b798f03dbbdd670ff9af4eb46f7b0845c611e0f)
2003-02-21Fix IRIX build...void fn can't return another void fnJim McDonough1-1/+2
(This used to be commit df3c7c9cbb275e9c35356b4f1cab1a741de6f500)
2003-02-19Can't return SAFE_FREE...put on its own line.Jim McDonough1-1/+2
(This used to be commit 9f1a4809b503f050189d5f87a294b7d8675b1e95)
2003-02-19Correct way to keep fucntion from proto.hJim McDonough1-7/+4
(This used to be commit 762b072efb0d6801775a874494cb19ea3d61fa97)
2003-02-19Get non-krb systems to compile. How the heck do I keep something from being ↵Jim McDonough1-8/+9
sucked into proto.h? (This used to be commit 7e84497882df5bf933ab7ae7fe9af3728393202c)
2003-02-19Try to get heimdal working with HEAD.Jim McDonough1-4/+34
- Provide generic functions for - get valid encryption types - free encryption types - Add encryption type parm to generic function create_kerberos_key_from_string() - Try to merge the two versions (between HEAD and SAMBA_3_0) of kerberos_verify.c I think this should work for both MIT and heimdal, in HEAD. If all goes smooth, I'll move it over to 3.0 soon... (This used to be commit 45e409fc8da9f26cf888e13d004392660d7c55d4)
2003-02-15Antti Andreimann <Antti.Andreimann@mail.ee> has done some changes to enableAndrew Bartlett1-1/+1
users w/o full administrative access on computer accounts to join a computer into AD domain. The patch and detailed changelog is available at: http://www.itcollege.ee/~aandreim/samba This is a list of changes in general: 1. When creating machine account do not fail if SD cannot be changed. setting SD is not mandatory and join will work perfectly without it. 2. Implement KPASSWD CHANGEPW protocol for changing trust password so machine account does not need to have reset password right for itself. 3. Command line utilities no longer interfere with user's existing kerberos ticket cache. 4. Command line utilities can do kerberos authentication even if username is specified (-U). Initial TGT will be requested in this case. I've modified the patch to share the kinit code, rather than copying it, and updated it to current CVS. The other change included in the original patch (local realms) has been left out for now. Andrew Bartlett (This used to be commit ce52f1c2ed4d3ddafe8ae6258c90b90fa434fe43)
2003-01-30Stop tpot from trampling over my Heimdal fixes by moving some of themJeremy Allison1-0/+122
to HEAD :-). Jeremy. (This used to be commit 1fec0f50ed0e750afec5cdf551fcd37ef4858e94)
2003-01-21Fixup proto generation to not include krb5 specific symbolsJeremy Allison1-5/+5
if no kerberos selected. Noticed by Metze. Jeremy. (This used to be commit 1684719695acb7168115b032fc1ec672509239ea)
2003-01-21More fixes getting us closer to full Heimdal compile....Jeremy Allison1-0/+20
Jeremy. (This used to be commit 193cc4f4fc876c66e97ea6b82bae431d0247c1fa)
2003-01-20should be HAVE_KRB5_SET_REAL_TIME (HAVE_ was missing)...fix the buildJim McDonough1-1/+1
(This used to be commit aceaaad1c2efce41fe0e03655b0ca0583788d7ab)
2003-01-19Merge in more of the SuSE patches for Heimdal. These changes show howJeremy Allison1-0/+29
to add a function without an explicit #ifdef HEIMDAL which I'm trying to avoid. Jeremy. (This used to be commit 77aeb262ef7c7cd3d206afe2d5445caaca943dfd)
2003-01-02One more const. Andrew, you seem to have krb5 :-)Volker Lendecke1-1/+1
Volker (This used to be commit f5494f5ef6a14020bd31541b1f87d48111f60ad8)
2003-01-02BIG patch...Andrew Bartlett1-1/+1
This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
2002-11-15fix segfaultGerald Carter1-1/+3
(This used to be commit 32ca3afa5486b1b04118e9f144bfdf4b3702d118)
2002-09-18Fixed compiler error when HAVE_KRB5 not defined.Tim Potter1-1/+1
(This used to be commit 66c2e25079b348188abd48868300771b1e49fff3)
2002-09-17Add clock skew handling to our kerberos code. This allows us to cope withAndrew Tridgell1-1/+13
the DC being out of sync with the local machine. (This used to be commit 0d28d769472ea3b98ae4c8757093dfd4499f6dd1)
2002-09-04don't use ENCTYPE_ARCFOUR_HMAC unless the kerberos lib supports itAndrew Tridgell1-5/+4
(This used to be commit 13dc9e37d2422c45ac5005dce26b349f88dbe505)
2002-08-30convert the LDAP/SASL code to use GSS-SPNEGO if possibleAndrew Tridgell1-1/+7
we now do this: - look for suported SASL mechanisms on the LDAP server - choose GSS-SPNEGO if possible - within GSS-SPNEGO choose KRB5 if we can do a kinit - otherwise use NTLMSSP This change also means that we no longer rely on having a gssapi library to do ADS. todo: - add TLS/SSL support over LDAP - change to using LDAP/SSL for password change in ADS (This used to be commit b04e91f660d3b26d23044075d4a7e707eb41462d)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2001-12-19added trusted realm support to ADS authenticationAndrew Tridgell1-2/+2
the method used for checking if a domain is a trusted domain is very crude, we should really call a backend fn of some sort. For now I'm using winbindd to do the dirty work. (This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
2001-11-28fixed some krb5 ifdefsAndrew Tridgell1-1/+1
(This used to be commit 23ef22f11700bbaa5778a9678a990a2b041fcefe)
2001-11-24added "net join" commandAndrew Tridgell1-0/+7
this completes the first stage of the smbd ADS support (This used to be commit 058a5aee901e6609969ef7e1d482a720a84a4a12)
2001-10-21Ok, I know it's a language thing and it shouldn't matter.... but a kerberosJeremy Allison1-6/+6
name is a "principal", not a principle. English majors will complain :-). Jeremy. (This used to be commit b668d7d656cdd066820fb8044f24bcd4fda29524)
2001-10-21Fix for compilation on non-krb5 systemsAndrew Bartlett1-1/+1
(This used to be commit 44bdb8b12b3d6a7bf3148c2ac651a79f10776db6)
2001-10-21made smbclient cope better with arbitrary principle formsAndrew Tridgell1-7/+5
(This used to be commit d1341d74b7aa5f6b3f72e5409b245f87f1ad670b)
2001-10-20better krb5 error handling (thanks andrewb!)Andrew Tridgell1-7/+16
(This used to be commit fd3a3daef3b8f7140e7006d30d23d739ac3aad2f)
2001-10-18the beginnings of kerberos support in smbd. It doesn't work yet, butAndrew Tridgell1-3/+1
it should give something for others to hack on and possibly find what I'm doing wrong. (This used to be commit 353c290f059347265b9be2aa1010c2956da06485)
2001-10-16fix heimdal compilationAndrew Tridgell1-1/+2
(This used to be commit 888183a17cfb12c0cbf7d1ed515064d6f1716114)
2001-10-12added NTLMSSP authentication to libsmb. It seems to work well so I have ↵Andrew Tridgell1-213/+8
enabled it by default if the server supports it. Let me know if this breaks anything. Choose kerberos with the -k flag to smbclient, otherwise it will use SPNEGO/NTLMSSP/NTLM (This used to be commit 076aa97bee54d182288d9e93ae160ae22a5f7757)
2001-10-11improve the error handling in the ASN1 code a bitAndrew Tridgell1-14/+22
(This used to be commit 8b692d8326a1548a7dbbd2cecee9ece6aa60473a)
2001-10-11added a ASN.1 parser, so now I can properly parse the negTokenInitAndrew Tridgell1-59/+120
packet which means I can extract the service and realm, so we should now work with realms other than the local realm. it also means we now check the list of OIDs given by the server just in case it says that it doesn't support kerberos. In that case we should fall back to NTLMSSP but that isn't written yet. (This used to be commit 395cfeea94febb5280ea57027e8a8a3c7c3f9291)
2001-10-11fixed some memory leaks, started adding asn1 decoder for server sideAndrew Tridgell1-4/+6
(This used to be commit 919734c1a6fd8b3bd0e12e96d878f47b6d6ff5e0)
2001-10-11initial kerberos/ADS/SPNEGO support in libsmb and smbclient. ToAndrew Tridgell1-0/+267
activate you need to: - install krb5 libraries - run configure - build smbclient - run kinit to get a TGT - run smbclient with the -k option to choose kerberos auth (This used to be commit d33057585644e1337bac743e25ed7653bfb39eef)