path: root/source3/utils/ntlm_auth.c
Age | Commit message | Author | Files | Lines
2012-07-06 | auth: Common function for retrieving PAC_LOGIN_INFO from PAC | Christof Schmitt | 1 | -26/+2
Several functions use the same logic as kerberos_pac_logon_info. Move kerberos_pac_logon_info to common code and reuse it to remove the code duplication. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-03 | auth: Remove .get_challenge (only used for security=server) | Andrew Bartlett | 1 | -13/+0
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge, so if we ever did use a module that needed this functionality, we would downgrade to just NTLM. Now that security=server has been removed, we have no such module. This will make it easier to make the auth subsystem async, as we will not need to consider making .get_challenge async. Andrew Bartlett
2012-06-27 | s3-param: Rename loadparm_s3_context -> loadparm_s3_helpers | Andrew Bartlett | 1 | -1/+1
This helps clarify the role of this structure and wrapper function. The purpose here is to provide helper functions to the lib/param loadparm_context that point back at the s3 lp_ functions. This allows a struct loadparm_context to be passed to any point in the code, and always refer to the correct loadparm system. If this has not been set, the variables loaded in the lib/param code will be returned. As requested by Michael Adam. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Jun 27 17:11:16 CEST 2012 on sn-devel-104
2012-04-24 | s3: Attempt to fix the build without kerberos | Volker Lendecke | 1 | -0/+3
Autobuild-User: Volker Lendecke <vl@samba.org> Autobuild-Date: Tue Apr 24 15:04:14 CEST 2012 on sn-devel-104
2012-04-23 | Make krb5 wrapper library common so they can be used all over | Simo Sorce | 1 | -1/+3
2012-04-19 | s3: Fix a "ISO C90 forbids mixed declarations and code" | Volker Lendecke | 1 | -3/+7
Autobuild-User: Volker Lendecke <vl@samba.org> Autobuild-Date: Thu Apr 19 10:32:27 CEST 2012 on sn-devel-104
2012-04-03 | s3-ntlm_auth: use manage_gensec_request for squid-2.5-ntlmssp | Andrew Bartlett | 1 | -178/+9
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-04-03 | s3-auth: Order GENSEC mechs by priority, krb5 before NTLMSSP | Andrew Bartlett | 1 | -2/+3
Otherwise, really simple clients (such as the current ntlm_auth gss-spnego client) will not select krb5. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-04-03 | s3-ntlm_auth: add ntlm_auth_generate_session_info_pac() | Andrew Bartlett | 1 | -0/+144
Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-04-03 | s3-ntlm_auth Use GENSEC for gss-spnego server | Andrew Bartlett | 1 | -404/+390
This imports the gensec handling code from the source4 ntlm_auth, which will eventually be used for all the NTLMSSP and SPNEGO clients and servers but which is only used for gss-spnego for now. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-03-15 | s3-krb5: Remove GSS_WRAP_IOV conditional | Andrew Bartlett | 1 | -1/+1
We already confirm that we have this functionality before we set HAVE_KRB5 at configure time. Andrew Bartlett
2012-03-01 | s3-ntlm_auth fix up gss-spnego-client so as to work with gss-spnego | Andrew Bartlett | 1 | -16/+5
The SPNEGO code changed since this was last tested. Andrew Bartlett
2012-03-01 | s3-ntlm_auth: Wrap kerberos token in GSSAPI | Andrew Bartlett | 1 | -2/+6
While Windows will accept this ticket without the wrapping, it is nicer to follow the standard and wrap it up in GSSAPI. This should allow the ntlm_auth gss-spnego-client to talk to the ntlm_auth gss-spnego server. Reported by Christof Schmitt <christof.schmitt@us.ibm.com> Andrew Bartlett
2012-03-01 | s3-ntlm_auth: Add --target-service and --target-hostname options | Andrew Bartlett | 1 | -9/+40
This will allow the gss-spnego-client protocol to work with modern SPNEGO servers that do not send the principal in the mechListMIC. Andrew Bartlett
2012-02-24 | s3-ntlm_auth: Convert ntlm_auth to use gensec_ntlmssp server-side | Andrew Bartlett | 1 | -99/+327
This uses the common gensec_ntlmssp server code for ntlm_auth, removing the last non-gensec use of the NTLMSSP server. Andrew Bartlett
2012-02-20 | s3-ntlm_auth: allow ntlm_auth --diagnostics to pass again | Andrew Bartlett | 1 | -3/+6
This still requires that the server permit LM passwords, but our s3dc test environment has this enabled. Andrew Bartlett
2012-01-18 | s3-build: Rework object lists to allow gse gensec module | Andrew Bartlett | 1 | -39/+0
This also allows the spnego_parse_krb5_wrap() function to be shared. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 | ntlmssp: Move ntlmssp code to auth/ntlmssp | Andrew Bartlett | 1 | -1/+1
This brings in the code from both libcli/auth and source4/auth/ntlmssp. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-08-03 | s3-ntlmssp Remove calls to auth_ntlmssp_and_flags from the server | Andrew Bartlett | 1 | -0/+4
This is changed so that the callers ask for the additional flags that they need, starting with no additional flags. This helps to create a proper abstraction layer in ntlmssp_wrap/auth_ntlmssp. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-28 | s3:ntlm_auth: use lp_load_global() | Michael Adam | 1 | -1/+1
2011-06-09 | s3-param Remove special case for global_myname(), rename to lp_netbios_name() | Andrew Bartlett | 1 | -5/+5
There is no reason this can't be a normal constant string in the loadparm system, now that we have lp_set_cmdline() to handle overrides correctly. Andrew Bartlett
2011-05-18 | s3-lib Replace StrnCaseCmp() with strncasecmp_m() | Andrew Bartlett | 1 | -1/+1
strncasecmp_m() never needs to call to talloc, and via next_codepoint() still has an ASCII fast-path bypassing iconv() calls. Andrew Bartlett
2011-05-06 | More const fixes. Remove CONST_DISCARD. | Jeremy Allison | 1 | -3/+3
2011-04-01 | s3: Fix Coverity ID 1136: CONSTANT_EXPRESSION_RESULT | Volker Lendecke | 1 | -1/+1
2011-03-16 | s3-build: only include asn1 headers where actually needed. | Günther Deschner | 1 | -0/+1
Guenther
2010-12-07 | s3:ntlm_auth: support clients which offer a spnego mechs we don't support | Stefan Metzmacher | 1 | -110/+169
Before we rejected the authentication if we don't support the first spnego mech the client offered. We now negotiate the first mech we support. This fix works around problems, when a client sends the NEGOEX (1.3.6.1.4.1.311.2.2.30) oid, which we don't support. metze
2010-12-07 | s3:ntlm_auth: free session key, as we don't use it (at least for now) | Stefan Metzmacher | 1 | -1/+2
metze
2010-12-07 | s3:ntlm_auth: fix memory leak in the raw ntlmssp code path | Stefan Metzmacher | 1 | -0/+2
metze
2010-11-02 | s3-debug Improve setup_logging() to specify logging to stderr | Andrew Bartlett | 1 | -1/+1
This change improves the setup_logging() API so that callers which wish to set up logging to stderr can simply ask for it, rather than directly modify the dbf global variable. Andrew Bartlett
2010-09-16 | s3: Add the PAC info3 struct to the netsamlogon_cache in ntlm_auth | Volker Lendecke | 1 | -0/+4
2010-09-16 | s3: Correctly unwrap the krb ticket in gss-spnego | Volker Lendecke | 1 | -1/+52
2010-09-16 | s3: Fall back to raw NTLMSSP for the gss-spnego protocol | Volker Lendecke | 1 | -0/+25
This is to handle the mod_auth_ntlm_winbind protocol sending "Negotiate" to IE, which sends raw NTLMSSP instead of a SPNEGO wrapped NTLMSSP blob.
2010-09-16 | s3: Split off output generation from manage_squid_ntlmssp_request | Volker Lendecke | 1 | -17/+41
2010-09-16 | s3: Wrap the ntlm_auth loop with a talloc_stackframe | Volker Lendecke | 1 | -0/+2
2010-09-16 | libcli/auth/ntlmssp Be clear about talloc parents for session keys | Andrew Bartlett | 1 | -5/+7
The previous API was not clear as to who owned the returned session key. This fixes a valgrind-found use-after-free in the NTLMSSP key derivation code, and avoids making allocations - we steal and zero instead. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-15 | s3: Fix some debug msgs in ntlm_auth | Volker Lendecke | 1 | -8/+8
2010-09-13 | s3: Remove some unnecessary if-statements | Volker Lendecke | 1 | -10/+5
2010-09-13 | ntlm_auth: Fix a valgrind error | Volker Lendecke | 1 | -1/+1
2010-09-13 | s3: Fix a typo | Volker Lendecke | 1 | -1/+1
2010-09-13 | s3: Fix a typo (authentictaion->authentication) | Volker Lendecke | 1 | -1/+3
2010-08-26 | s3-build: only include nsswitch header where needed. | Günther Deschner | 1 | -0/+1
Guenther
2010-08-05 | s3-popt: Only include popt-common.h when needed. | Andreas Schneider | 1 | -0/+1
2010-08-05 | s3: avoid global include of ads.h. | Günther Deschner | 1 | -0/+1
Guenther
2010-07-20 | s3-libsmb: Use data_blob_talloc to get krb5 ticket and session keys | Simo Sorce | 1 | -4/+6
2010-07-19 | s3-ntlmssp: Remove ntlmssp_end and let the talloc hierarchy handle it. | Simo Sorce | 1 | -17/+17
All the members are children of ntlmssp_state anyway. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-05-31 | ntlmssp: Make the ntlmssp.h from source3/ a common header | Andrew Bartlett | 1 | -1/+1
The code is not yet in common, but I hope to fix that soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-18 | s3-crypto: only include crypto headers when crypto is done. | Günther Deschner | 1 | -0/+1
Guenther
2010-05-11 | s3:kerberos Return PAC_LOGON_INFO rather than the full PAC_DATA | Andrew Bartlett | 1 | -2/+2
All the callers just want the PAC_LOGON_INFO, so search for that in ads_verify_ticket(), and don't bother the callers with the rest of the PAC. This change makes sense on its own (removing boilerplate wrappers that just confuse the code), but it also makes it much easier to implement a matching ads_verify_ticket() function in Samba4 for the s3compat proposal. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-03-26 | s3 ntlm_auth: Don't malloc data that will be talloc_free()d | Kai Blin | 1 | -12/+12
This fixes bug #7290. Thanks to Mohan <mohann@silver-peak.com> for the bug report.
2010-03-24 | s3:ntlmssp: use client.netbios_name instead of workstation | Stefan Metzmacher | 1 | -3/+4
metze Signed-off-by: Günther Deschner <gd@samba.org>