summaryrefslogtreecommitdiff
path: root/source3/libsmb/clikrb5.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r221: Remainder of bug 1208. We do not remove creds from _any_ FILE ccache,Jim McDonough1-17/+40
because not only does it not work on Heimdal, but also since ccaches created within samba are memory-based, so we shouldn't touch a FILE-based one (it was probably created via kinit or similar). (This used to be commit 5971b0980ca8abae2208f22485c5af4c0dde0459)
2007-10-10r219: Obtain new tickets if current ones are expired. Next part of fix forJim McDonough1-12/+36
bug 1208. Based on a fix from Guether Deschener. Outstanding pieces: - Heimdal FILE-based ccaches don't actually remove creds properly, so we need to code a check for this - what if ticket expires between our check and when we use it? Guenther has coded up fixes for these parts, but I still need to review them, as I'm not totally comfortable with the solutions. (This used to be commit ef008b9710e682f87f0bbf526d30eb5114264233)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett1-11/+13
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-8/+8
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-08-15Fix memleaks.Volker Lendecke1-1/+3
Currently I'm compiling against MIT Kerberos 1.2.8. Anthony, you said you have a heimdal installation available. Could you please compile this stuff with krb and check it with valgrind? Thanks, Volker (This used to be commit d8ab44685994b302bb46eed9001c72c194d13dc8)
2003-08-15get rid of some sompiler warnings on IRIXHerb Lewis1-1/+1
(This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
2003-08-14Change Samba to always use extended security for it's guest logins, (ie,Andrew Bartlett1-7/+5
NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to all of Samba's clients. When connecting to an Active Directory DC, you must initiate the CIFS level session setup with Kerberos, not a guest login. If you don't, your machine account is demoted to NT4. Andrew Bartlett (This used to be commit 3547cb3def45a90f99f67829a533eac1ccba5e77)
2003-08-04Fix unused variable warning.Tim Potter1-1/+1
(This used to be commit 73d02e3a2b0f9e84ab6d8685e4ad6a03ef9249b2)
2003-07-25W00t! Client smb signing is now working correctly with krb5 and w2k server.Jeremy Allison1-8/+15
Server code *should* also work (I'll check shortly). May be the odd memory leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup code (b) we need to ask for a subkey... (c). The client and server need to ask for local and remote subkeys respectively. Thanks to Paul Nelson @ Thursby for some sage advice on this :-). Jeremy. (This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00)
2003-07-16Add krb5_princ_component to Heimdal. Remove cli_ from mark packet signed.Jeremy Allison1-0/+13
Jeremy. (This used to be commit dd46f8b22d6e8411081a1279e1cd32929e40370b)
2003-06-10use ZERO_STRUCT() instead of memsetAndrew Tridgell1-1/+1
(This used to be commit 082084042307f5f7d532b28debdeac11753a05f9)
2003-05-30More on bug 137: rename more of krb5_xxx functions to not start with krb5_Jim McDonough1-14/+14
(This used to be commit 10f1da3f4a9680a039a2aa26301b97e31c06c38d)
2003-03-17Merge from HEAD - sync up SessionSetup code to HEAD, including Luke Howard'sAndrew Bartlett1-9/+43
session key and auth verifier patches. Andrew Bartlett (This used to be commit 3f9616a68a855acbae3f405c27ee2358fbe7ba2c)
2003-02-21Fix IRIX build...void fn can't return another void fnJim McDonough1-1/+2
(This used to be commit e0c1f9ef61a0ec4f06a0b0e257497943195b5297)
2003-02-19Sync with HEAD for verifying kerberos tickets.Jim McDonough1-4/+33
(This used to be commit 77e1178a888f0d380a5ef94911a8f07bf04a7ba3)
2003-02-18Sync w/HEAD - add DES_CBC_CRC encryption typeJim McDonough1-1/+1
(This used to be commit c7934f5cb56d54a90c9ffdbe2f7429a3c9227abe)
2003-01-30Revert tpot's breakage of the Heimdal fixes.Jeremy Allison1-0/+122
Jeremy. (This used to be commit 90336900ad2a6d50e1d42f7bc59fdc7c762187d3)
2003-01-30Sync of Heimdal kerberos stuff with HEAD. If this breaks I'm blamingTim Potter1-122/+0
the dog again. (This used to be commit 6f89ee2c9dc7f03e3dbe7aa734bf67c6a434d135)
2003-01-28Finally we compile with Heimdal as well as MIT ! Wonder if it works... :-).Jeremy Allison1-0/+52
Jeremy. (This used to be commit 1b71786c161cd8ec4c3c0c6b178370ed50feeef4)
2003-01-28Get smbd to link with Heimdal. Still missing some client progs...Jeremy Allison1-0/+22
Jeremy. (This used to be commit 85dda434763bbcea260c800599e4b6b73afcf174)
2003-01-23Thanks Meeester Potter, for reverting *all* my Heimdal changes becauseJeremy Allison1-0/+48
I mistyped a comma :-). Jeremy. (This used to be commit 04cc149c756c396012cfa321a74724b077302b95)
2003-01-22Merge of kerberos changes to make this branch build again!Tim Potter1-48/+0
(This used to be commit 51b319f57f28e3993919d7f3db0251a724902332)
2003-01-21Get closer to Heimdal compile... Damn. HEAD has different code inJeremy Allison1-0/+48
kerberos_verify... Jeremy. (This used to be commit e8c4098da619a1429cc4c8251761333a7c0f3458)
2003-01-21Fixup proto generation to not include krb5 specific symbolsJeremy Allison1-5/+5
if no kerberos selected. Noticed by Metze. Jeremy. (This used to be commit 0c98f779f05431ac4d298c9f021fca85d16aebae)
2003-01-21More fixes getting us closer to full Heimdal compile....Jeremy Allison1-0/+20
Jeremy. (This used to be commit a7ee6ed64500a0d949849da6996b7dc837518f00)
2003-01-20should be HAVE_KRB5_SET_REAL_TIME (HAVE_ was missing)...fix the buildJim McDonough1-1/+1
(This used to be commit 9f1f3cb8bb3d7d9b4fb414b06ad10356f775bb28)
2003-01-19Merge in more of the SuSE patches for Heimdal. These changes show howJeremy Allison1-0/+29
to add a function without an explicit #ifdef HEIMDAL which I'm trying to avoid. Jeremy. (This used to be commit 92ecd0bf0fe2cc4f6c86ca48e6e458e726470a50)
2003-01-04Merge from HEAD - vl's fix to my const patch. Also update the 'not have_krb5'Andrew Bartlett1-1/+1
case. Andrew Bartlett (This used to be commit 8129529c4faec5ea630acf70b7514a3efc0fbdcf)
2003-01-03Merge from HEAD - make Samba compile with -Wwrite-strings without additionalAndrew Bartlett1-1/+1
warnings. (Adds a lot of const). Andrew Bartlett (This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c)
2002-11-15fix segfaultGerald Carter1-1/+3
(This used to be commit 36bcb312e95f46d196575ed3535679deeddd89b0)
2002-09-25sync'ing up for 3.0alpha20 releaseGerald Carter1-3/+20
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2001-12-19added trusted realm support to ADS authenticationAndrew Tridgell1-2/+2
the method used for checking if a domain is a trusted domain is very crude, we should really call a backend fn of some sort. For now I'm using winbindd to do the dirty work. (This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
2001-11-28fixed some krb5 ifdefsAndrew Tridgell1-1/+1
(This used to be commit 23ef22f11700bbaa5778a9678a990a2b041fcefe)
2001-11-24added "net join" commandAndrew Tridgell1-0/+7
this completes the first stage of the smbd ADS support (This used to be commit 058a5aee901e6609969ef7e1d482a720a84a4a12)
2001-10-21Ok, I know it's a language thing and it shouldn't matter.... but a kerberosJeremy Allison1-6/+6
name is a "principal", not a principle. English majors will complain :-). Jeremy. (This used to be commit b668d7d656cdd066820fb8044f24bcd4fda29524)
2001-10-21Fix for compilation on non-krb5 systemsAndrew Bartlett1-1/+1
(This used to be commit 44bdb8b12b3d6a7bf3148c2ac651a79f10776db6)
2001-10-21made smbclient cope better with arbitrary principle formsAndrew Tridgell1-7/+5
(This used to be commit d1341d74b7aa5f6b3f72e5409b245f87f1ad670b)
2001-10-20better krb5 error handling (thanks andrewb!)Andrew Tridgell1-7/+16
(This used to be commit fd3a3daef3b8f7140e7006d30d23d739ac3aad2f)
2001-10-18the beginnings of kerberos support in smbd. It doesn't work yet, butAndrew Tridgell1-3/+1
it should give something for others to hack on and possibly find what I'm doing wrong. (This used to be commit 353c290f059347265b9be2aa1010c2956da06485)
2001-10-16fix heimdal compilationAndrew Tridgell1-1/+2
(This used to be commit 888183a17cfb12c0cbf7d1ed515064d6f1716114)
2001-10-12added NTLMSSP authentication to libsmb. It seems to work well so I have ↵Andrew Tridgell1-213/+8
enabled it by default if the server supports it. Let me know if this breaks anything. Choose kerberos with the -k flag to smbclient, otherwise it will use SPNEGO/NTLMSSP/NTLM (This used to be commit 076aa97bee54d182288d9e93ae160ae22a5f7757)
2001-10-11improve the error handling in the ASN1 code a bitAndrew Tridgell1-14/+22
(This used to be commit 8b692d8326a1548a7dbbd2cecee9ece6aa60473a)
2001-10-11added a ASN.1 parser, so now I can properly parse the negTokenInitAndrew Tridgell1-59/+120
packet which means I can extract the service and realm, so we should now work with realms other than the local realm. it also means we now check the list of OIDs given by the server just in case it says that it doesn't support kerberos. In that case we should fall back to NTLMSSP but that isn't written yet. (This used to be commit 395cfeea94febb5280ea57027e8a8a3c7c3f9291)
2001-10-11fixed some memory leaks, started adding asn1 decoder for server sideAndrew Tridgell1-4/+6
(This used to be commit 919734c1a6fd8b3bd0e12e96d878f47b6d6ff5e0)
2001-10-11initial kerberos/ADS/SPNEGO support in libsmb and smbclient. ToAndrew Tridgell1-0/+267
activate you need to: - install krb5 libraries - run configure - build smbclient - run kinit to get a TGT - run smbclient with the -k option to choose kerberos auth (This used to be commit d33057585644e1337bac743e25ed7653bfb39eef)