summaryrefslogtreecommitdiff
path: root/source3/smbd/sesssetup.c
AgeCommit message (Collapse)AuthorFilesLines
2011-05-27Fix bug #6911 - Kerberos authentication from vista to samba fails when ↵Jeremy Allison1-3/+25
security blob size is greater than 16 kB We were not correctly checking the output of asn1_start_tag(). asn1_start_tag() returns -1 and sets data->has_error if the remaining blob size is too short to contain the tag length. We were checking data->has_error and returning NT_STATUS_OK (to allow the second asn.1 parse to fail in that case). We should not be checking data->has_error in this case, but falling through to the code that already checks the length. Thanks to Jim for reproducing this for me. We don't get bitten by this as we announce a max buffer size of 16k, greater than Windows's 4k, which means that most krb5 spnego packets already fit. Jeremy. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Fri May 27 02:57:27 CEST 2011 on sn-devel-104
2011-05-05More simple const fixes.Jeremy Allison1-2/+2
2011-04-29s3-tsocket: only include ../lib/tsocket/tsocket.h where needed.Günther Deschner1-0/+1
Guenther
2011-04-14s3: only include smb profiling where needed.Günther Deschner1-0/+1
Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Thu Apr 14 01:31:39 CEST 2011 on sn-devel-104
2011-04-05s3-auth use create_local_token() to transform server_info -> session_infoAndrew Bartlett1-39/+25
Before a auth_serversupplied_info struct can be used for authorization, the local groups and privileges must be calculated. create_local_token() now copies the server_info, and then sets the calulated token and unix groups. Soon, it will also transform the result into an expanded struct auth_session_info. Until then, the variable name (server_info vs session_info provides a clue to the developer about what information has been entered in the structure). By moving the calls to create_local_token within the codebase, we remove duplication, and ensure that the session key (where modified) is consistently copied into the new structure. Andrew Bartlett
2011-04-04s3-auth consolidate create_local_token() into make_server_info_krb5()Andrew Bartlett1-19/+1
This ensures that all callers don't need to each add builtin groups and privileges to the user's token Andrew Bartlett
2011-03-30s3: Fix Coverity ID 2304: FORWARD_NULLVolker Lendecke1-3/+1
2011-03-30s3-messages: make ndr_messaging.h part of messages.h.Günther Deschner1-1/+0
Guenther
2011-03-30s3-messages: only include messages.h where needed.Günther Deschner1-0/+1
Guenther
2011-03-30s3-auth: smbd needs auth.hGünther Deschner1-0/+1
Guenther
2011-03-30s3: include smbd/smbd.h where needed.Günther Deschner1-0/+1
Guenther
2011-03-16s3-build: only include asn1 headers where actually needed.Günther Deschner1-0/+1
Guenther
2011-02-25Detect Mac OS X as a separate client type.Justin Maggard1-0/+4
2011-02-22s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_infoAndrew Bartlett1-7/+7
These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-10s3-auth Rename cryptic 'ptok' to security_tokenAndrew Bartlett1-2/+2
This will allow the auth_serversupplied_info struct to be migrated to auth_session_info easier. Adnrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-11-10Remove fstring from map_username. Create a more sane interface than the ↵Jeremy Allison1-1/+8
called-parameter-is-modified. Jeremy.
2010-09-26s3: Avoid an explicit ZERO_STRUCTVolker Lendecke1-3/+1
2010-09-26s3: Lift talloc_autofree_context() from make_auth_context_fixed()Volker Lendecke1-2/+2
2010-09-26s3: Lift talloc_autofree_context() from make_auth_context_subsystem()Volker Lendecke1-1/+1
2010-09-23Fix bug 7694 - Crash bug with invalid SPNEGO token.Jeremy Allison1-1/+2
Found by the CodeNomicon test suites at the SNIA plugfest. http://www.codenomicon.com/ If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server as we indirect the first returned value OIDs[0], which is returned as NULL. Jeremy.
2010-09-16libcli/auth/ntlmssp Be clear about talloc parents for session keysAndrew Bartlett1-0/+1
The previous API was not clear as to who owned the returned session key. This fixes a valgrind-found use-after-free in the NTLMSSP key derivation code, and avoids making allocations - we steal and zero instead. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-30s3-smbd: use make_server_info_krb5()Simo Sorce1-79/+11
Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-30s3-smbd: Use helper function to resolve kerberos userSimo Sorce1-123/+27
Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-22s3: Pass the rhost through smb_pam_accountcheckVolker Lendecke1-1/+1
2010-08-18s3: Lift smbd_server_fd from reload_services()Volker Lendecke1-5/+5
2010-08-16s3: Remove smbd_server_fd() from setup_new_vc_sessionVolker Lendecke1-6/+12
2010-08-16s3: Remove get_client_fd()Volker Lendecke1-1/+1
2010-08-15s3: Increase debug level for shutdown_other_smbdsVolker Lendecke1-3/+3
2010-08-15s3: Add debugs to shutdown_other_smbdsVolker Lendecke1-0/+6
2010-08-08s3: Lift the smbd_messaging_context from reload_servicesVolker Lendecke1-5/+5
2010-08-06s3-krb5: include krb5pac.h where needed.Günther Deschner1-0/+1
Guenther
2010-08-05s3: avoid global include of ads.h.Günther Deschner1-0/+1
Guenther
2010-07-20Add approriate TALLOC_CTX's thoughout the spnego code. No more implicit NULL ↵Jeremy Allison1-6/+7
contexts. Jeremy.
2010-07-20Add TALLOC_CTX argument to spnego_parse_negTokenInit, reduceJeremy Allison1-9/+12
use of malloc, and data_blob(). Jeremy.
2010-07-20s3-auth: Move auth_ntlmssp wrappers in their own fileSimo Sorce1-0/+1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-20s3-auth: Refactor and rename auth_ntlmssp_server_info()Simo Sorce1-1/+2
Rename it to auth_ntlmssp_steal_server_info() to make it clear that the server_info struct is stolen from the auth_ntlmssp_state structure. Use talloc_move instead of manual steal&clear Add comments to explain what is going on. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19Remove parse_negTokenTarg(), as it's actually incorrect. We're processingJeremy Allison1-1/+1
negTokenInit's here. Use common code in spnego_parse_negTokenInit(). Jeremy.
2010-07-19s3-auth: Use talloc hierarchies to properly free auth_ntlmssp_state contextsSimo Sorce1-2/+2
Turn auth_ntlmssp_end into a destructor and attach it to auth_ntlmssp_state. Remote auth_ntlmssp_end and use TALLOC_FREE in the callers. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19s3-auth: Simplify how we free the auth_contextSimo Sorce1-4/+3
Turn the freeing function into a destructor and attach it to the auth_context. Make all callers TALLOC_FREE() the auth_context instead of calling the free function. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16Make the "map to guest" parameter work correctly with NTLMSSP (spnegoJeremy Allison1-3/+6
and raw) under SMB2. Still need to investigate fixing this with krb5 auth (does this make sense ?). Jeremy.
2010-07-14s3:auth Change auth_ntlmssp_server_info API to return NTSTATUSAndrew Bartlett1-1/+1
This fixes a bug where register_existing_vuid() could be called with a NULL server_info if the alloction failed. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-07-14s3:smbd Give the kerberos session key a parentAndrew Bartlett1-0/+2
Nothing will free this, so this prevents a memory leak. Andrew Bartlett Signed-off-by: Jelmer Vernooij <jelmer@samba.org> Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-07-14s3:smbd Fix segfault if register_existing_vuid() failsAndrew Bartlett1-4/+12
The register_existing_vuid() call will handle both the ntlmssp_end and vuid invalidation internally, so we don't want to do it again. Andrew Bartlett Signed-off-by: Jelmer Vernooij <jelmer@samba.org> Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-07-05s3: Remove smbd_messaging_context() from shutdown_other_smbds()Volker Lendecke1-12/+19
2010-06-12s3: Remove smbd_server_conn from reply_sesssetup_and_XVolker Lendecke1-1/+1
2010-06-12s3: Fix a typoVolker Lendecke1-1/+1
2010-06-12s3: Remove smbd_server_conn from reply_sesssetup_and_X_spnegoVolker Lendecke1-1/+1
2010-06-12s3: Remove smbd_server_conn from reply_spnego_authVolker Lendecke1-1/+1
2010-06-12s3: Remove smbd_server_conn from reply_spnego_negotiateVolker Lendecke1-1/+1
2010-06-12s3: Remove smbd_server_conn from reply_spnego_ntlmsspVolker Lendecke1-1/+1