summaryrefslogtreecommitdiff
path: root/source3/libsmb/clispnego.c
AgeCommit message (Collapse)AuthorFilesLines
2010-07-20s3-libsmb: Use data_blob_talloc to get krb5 ticket and session keysSimo Sorce1-5/+6
2010-07-20Add approriate TALLOC_CTX's thoughout the spnego code. No more implicit NULL ↵Jeremy Allison1-17/+19
contexts. Jeremy.
2010-07-20Fix one more data_blob -> data_blob_talloc. Move away from implicit NULL ↵Jeremy Allison1-5/+7
context tallocs. Jeremy.
2010-07-20Add TALLOC_CTX argument to spnego_parse_negTokenInit, reduceJeremy Allison1-6/+5
use of malloc, and data_blob(). Jeremy.
2010-07-20Rename spnego_gen_negTokenTarg() -> spnego_gen_krb5_negTokenInit()Jeremy Allison1-3/+3
as this correctly describes what this function does. Jeremy.
2010-07-20Remove gen_negTokenTarg(), as it's not actually creating a TokenTarg frame, ↵Jeremy Allison1-47/+1
but a TokenInit one. Move to using spnego_gen_negTokenInit() instead. Jeremy
2010-07-20Fixes pointed out by <david.kondrad@legrand.us>. Free memory if not beingJeremy Allison1-38/+37
returned to caller. Remove unneeded asn1_tag_remaining() calls. Jeremy.
2010-07-19Remove gen_negTokenInit() - change all callers to spnego_gen_negTokenInit().Jeremy Allison1-53/+17
We now have one function to do this in all calling code. More rationalization to follow. Jeremy.
2010-07-19Move the addition of the 16 byte guid out of spnego_gen_negTokenInit() andJeremy Allison1-4/+2
into negprot_spnego() where it belongs (it's not an SPNEGO operation). Add a TALLOC_CTX for callers of negprot_spnego(). Closer to unifying all the gen_negTokenXXX calls. Jeremy.
2010-07-19Remove parse_negTokenTarg(), as it's actually incorrect. We're processingJeremy Allison1-74/+24
negTokenInit's here. Use common code in spnego_parse_negTokenInit(). Jeremy.
2010-07-19Fix [Bug 7577] SPNEGO auth fails when contacting Win7 system using Microsoft ↵Jeremy Allison1-7/+54
Live Sign-in Assistant Based on code from <david.kondrad@legrand.us>. Cope with every NegTokenInit ::= SEQUENCE value. Jeremy.
2009-11-27s3-kerberos: only use krb5 headers where required.Günther Deschner1-0/+1
This seems to be the only way to deal with mixed heimdal/MIT setups during merged build. Guenther
2009-11-06s3-kerberos: modify cli_krb5_get_ticket to take a new impersonate_princ_s arg.Günther Deschner1-1/+1
Guenther
2009-10-15s3-spnego: fix memleak in spnego_parse_auth().Günther Deschner1-1/+5
Guenther
2009-10-15s3-spnego: Fix Bug #6815. Windows 2008 R2 SPNEGO negTokenTarg parsing failure.Günther Deschner1-19/+12
When parsing a SPNEGO session setup retry (falling back from KRB5 to NTLMSSP), we failed to parse the ASN1_ENUMERATED negResult in the negTokenTarg, thus failing spnego_parse_auth() completely. By just using the shared spnego/asn1 code, we get the parsing the correct way. Guenther
2009-09-17spnego: share spnego_parse.Günther Deschner1-7/+8
Guenther
2009-08-11Rename ASN1_BITFIELD to ASN1_BIT_STRING.Kouhei Sutou1-1/+1
X.690 uses "BIT STRING" not "BIT FIELD".
2009-07-16More conversions of NULL -> talloc_autofree_context()Jeremy Allison1-9/+9
so we at least know when we're using a long-lived context. Jeremy.
2008-10-23s3-build: fix some const build warnings.Günther Deschner1-2/+2
Guenther
2008-10-22s3-asn1: make all of s3 asn1 code do a proper asn1_init() first.Günther Deschner1-242/+287
Guenther
2008-10-22s3: use shared asn1 code.Günther Deschner1-17/+17
Guenther
2008-04-07Fix Kerberos interop with Mac OS X 10.5 clients.Bill Ricker1-0/+12
Ignore optional req_flags. Use the Kerberos mechanism OID negotiated with the client rather than hardcoding OID_KERBEROS5_OLD. (This used to be commit 59a2bcf30fef14ecc826271862b645dd3a61cb48)
2008-02-14Allow the mechOID to be written separately.Jeremy Allison1-2/+4
Jeremy. (This used to be commit e3e08c6e7d270e1be7a9d3042b1f36f5a291f90a)
2007-10-18RIP BOOL. Convert BOOL -> bool. I found a few interestingJeremy Allison1-9/+9
bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-10r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree.Gerald Carter1-19/+0
The translate_name() used by cli_session_setup_spnego() cann rely Winbindd since it is needed by the join process (and hence before Winbind can be run). (This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c)
2007-10-10r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags,Gerald Carter1-0/+19
and client fixes. Patch from Todd Stetcher <todd.stetcher@isilon.com>. (This used to be commit 8304ccba7346597425307e260e88647e49081f68)
2007-10-10r25227: Patch from "Steven Danneman" <steven.danneman@isilon.com>:Stefan Metzmacher1-0/+14
- We ran across a bug joining our Samba server to a Win2K domain with LDAP signing turned on. Upon investigation I discovered that there is a bug in Win2K server which returns a duplicated responseToken in the LDAP bindResponse packet. This blob is placed in the optional mechListMIC field which is unsupported in both Win2K and Win2K3. You can see RFC 2478 for the proper packet construction. I've worked with metze on this to confirm all these finding. This patch properly parses then discards the mechListMIC field if it exists in the packet, so we don't produce a malformed packet error, causing LDAP signed joins to fail. Also attached is a sniff of the domain join, exposing Win2Ks bad behavior (packet 21). - (I've just changed the scope of the DATA_BLOB mechList) metze (This used to be commit 200b5bfb8180af09446762e915eac63d14c6c7b0)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; andVolker Lendecke1-1/+1
replace all data_blob(NULL, 0) calls. (This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
2007-10-10r22093: send also the correct OID_KERBEROS5 not only the brokenStefan Metzmacher1-1/+1
OID_KERBEROS_OLD one. metze (This used to be commit 294c69334fce1cbb74ae9eb5a06e17b397f994df)
2007-10-10r22092: - make spnego_parse_auth_response() more generic andStefan Metzmacher1-8/+15
not specific for NTLMSSP - it's possible that the server sends a mechOID and authdata if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE metze (This used to be commit e9f2aa22f90208a5e530ef3b68664151960a0a22)
2007-10-10r21240: Fix longstanding Bug #4009.Günther Deschner1-2/+4
For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files". Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)). Guenther (This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
2007-10-10r19041: Make us connect to Vista RC1. Apparently metze had done the same ↵Volker Lendecke1-7/+10
patch some weeks ago. We have some work before us, when in AD mode Vista sends "not_defined_in_RFC4178@please_ignore" as the principal..... Volker (This used to be commit af85d8ec02b36b765ceadf0a342c7eda2410034b)
2007-10-10r19037: Fix a segfaultVolker Lendecke1-1/+1
(This used to be commit 1c18ebe67500a59d4bf08c7e2e2c2af416bfa084)
2007-10-10r16306: Error handling in this asn1 code *sucks*. Fix a genericJeremy Allison1-3/+24
class of memory leak bugs on error found by Klocwork (#123). Many of these functions didn't free allocated memory on error exit. Jeremy. (This used to be commit 8ef11a7c6de74024b7d535d959db2d462662a86f)
2007-10-10r16156: Fix storing NULL in the wrong place. Klocwork id's 127 and 128.Volker Lendecke1-2/+2
Volker (This used to be commit 7674a4f8361d3f3b649245118b82d8a074a2760e)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-1/+1
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r12476: Apply some constVolker Lendecke1-1/+1
(This used to be commit a3f102f6c3ada10e74d72944e767b9b263fe83dd)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison1-1/+1
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-2/+3
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r7139: trying to reduce the number of diffs between trunk and 3.0; changing ↵Gerald Carter1-2/+1
version to 3.0.20pre1 (This used to be commit 9727d05241574042dd3aa8844ae5c701d22e2da1)
2007-10-10r6149: Fixes bugs #2498 and 2484.Derrell Lipman1-1/+2
1. using smbc_getxattr() et al, one may now request all access control entities in the ACL without getting all other NT attributes. 2. added the ability to exclude specified attributes from the result set provided by smbc_getxattr() et al, when requesting all attributes, all NT attributes, or all DOS attributes. 3. eliminated all compiler warnings, including when --enable-developer compiler flags are in use. removed -Wcast-qual flag from list, as that is specifically to force warnings in the case of casting away qualifiers. Note: In the process of eliminating compiler warnings, a few nasties were discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED kerberos interfaces are being used. Someone who knows kerberos should look at these and determine if there is an alternate method of accomplishing the task. (This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
2007-10-10r1240: Ensure we don't shadow Heimdal globals.Jeremy Allison1-6/+6
Jeremy. (This used to be commit 464d2e90480c676688a851a141aabddf992e0b0e)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett1-7/+10
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-1/+1
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-08-13Don't wrap up anything that is not there. Otherwise upper layersVolker Lendecke1-0/+3
can not figure that we got no ticket. Volker (This used to be commit 2a724a7a873c08f14644427766bfd48908ddb501)
2003-08-01Update my copyrights according to my agreement with IBMJim McDonough1-1/+1
(This used to be commit c9b209be2b17c2e4677cc30b46b1074f48878f43)
2003-07-25W00t! Client smb signing is now working correctly with krb5 and w2k server.Jeremy Allison1-3/+3
Server code *should* also work (I'll check shortly). May be the odd memory leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup code (b) we need to ask for a subkey... (c). The client and server need to ask for local and remote subkeys respectively. Thanks to Paul Nelson @ Thursby for some sage advice on this :-). Jeremy. (This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00)
2003-05-30More on bug 137: rename more of krb5_xxx functions to not start with krb5_Jim McDonough1-1/+1
(This used to be commit 10f1da3f4a9680a039a2aa26301b97e31c06c38d)