Age | Commit message (Collapse) | Author | Files | Lines |
|
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge,
so if we ever did use a module that needed this functionlity, we would
downgrade to just NTLM.
Now that security=server has been removed, we have no such module.
This will make it easier to make the auth subsystem async, as we will
not need to consider making .get_challenge async.
Andrew Bartlett
|
|
gensec_ntlmssp does not need to know the internal form of the
struct user_info_dc or auth_serversupplied_info. This will allow the
calling logic to be put in common.
Andrew Bartlett
|
|
To do this some defines need to move to common_auth.h
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
By providing this context, a function pointer for
generate_session_info_pac() can be inserted into gensec, allowing the
s3 PAC processing in an otherwise more generic gensec module.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.
Thankyou Simo for the suggestion.
Andrew Bartlett
|
|
This uses a single callback to handle the PAC from the DATA_BLOB
format until it becomes a struct auth_session_info.
This allows a seperation between the GSS acceptor code and the PAC
interpretation code based on the supplied auth context.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
|
|
|
|
This allows us to honour the AUTH_SESSION_INFO_UNIX_TOKEN flag.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
|
|
|
|
This avoid symbol and structure conflicts between Samba3 and Samba4,
and chooses a less generic name.
Andrew Bartlett
|
|
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Mon Mar 14 17:01:20 CET 2011 on sn-devel-104
|
|
Guenther
|
|
This code is now useful in common, as the elements of the
auth_session_info structure have now been defined in common IDL.
Andrew Bartlett
|
|
this prevents conflicts with the s3 auth modules. The auth modules in
samba3 may appear in production smb.conf files, so it is preferable to
rename the s4 modules for minimal disruption.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc. This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.
The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.
Andrew Barltett
|
|
This is not only a useful way to encode stuff, it also allows python
to handle the structures, and natrually allows them to be NDR encoded.
Andrew Bartlett
|
|
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **. This is in keeping with
the other sid lists in the security_token etc.
In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.
Andrew Bartlett
|
|
This will allow for some more tokenGroups tests in future.
Andrew Bartlett
|
|
We now just do or do not call into LDB based on some flags.
This means there may be some more link time dependencies, but we seem
to deal with those better now.
Andrew Bartlett
|
|
We need to be able to set the logon parameters in the same way as in the
ntlm server so we can handle openldap simple authentication call correctly.
Autobuild-User: Anatoliy Atanasov <anatoliy@samba.org>
Autobuild-Date: Fri Nov 5 06:32:43 UTC 2010 on sn-devel-104
|
|
the S-1-5-9 SID is added in the PAC by the KDC, not on the server that
receives the PAC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
|
|
This also changes the calling convention slightly - we should always
allocate this with talloc_zero() to allow some elements to be
optional. Some elements may only make sense in Samba3, which I hope
will use this common structure.
Andrew Bartlett
|
|
This allows us to control what groups should be added in what use
cases, and in particular to more carefully control the introduction of
the 'authenticated' group.
In particular, in the 'service_named_pipe' protocol, we do not have
control over the addition of the authenticated users group, so we key
of 'is this user the anonymous SID'.
This also takes more care to allocate the right length ptoken->sids
Andrew Bartlett
|
|
We had to split up the auth module into a module loaded by main deamon
and a subsystem we manually init in the operational module.
Andrew Bartlett
|
|
This creates a new interface to the auth subsystem, to allow an
auth_context to be created from the ldb, and then tokenGroups to be
calculated in the same way that the auth subsystem would.
Andrew Bartlett
|
|
The group list in the PAC does not include 'enterprise DCs' and
BUILTIN groups, so we should generate it on each server, not in the
list we pass around in the PAC or SamLogon reply.
Andrew Bartlett
|
|
The auth context was in the past only for NTLM authentication, but we
need a SAM, an event context and and loadparm context for calculating
the local groups too, so re-use that infrustructure we already have in
place.
However, to avoid problems where we may not have an auth_context (in
torture tests, for example), allow a simpler 'session_info' to be
generated, by passing this via an indirection in gensec and an
generate_session_info() function pointer in the struct auth_context.
In the smb_server (for old-style session setups) we need to change the
async context to a new 'struct sesssetup_context'. This allows us to
use the auth_context in processing the authentication reply .
Andrew Bartlett
|
|
This is needed by the "tokenGroups" work in the operational LDB module.
|
|
The comment for USER_INFO_INTERACTIVE_LOGON looks like a cut-n-paste from the line above.
Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
|
|
|
|
metze
|
|
metze
|
|
metze
|
|
It is just easier to fill in the known to be 8 byte challenge than
stuff about with allocated pointers.
Andrew Bartlett
|
|
|
|
This patch adds a system_session cache, preventing us from having to
recreate it on every ldb open, and allowing us to detect when the same
session is being used in ldb_wrap
|
|
Each attribute we request from LDB comes with a small cost, so don't
lookup any more than we must for the (very) frequent krbtgt lookup
case. Similarly, we don't need to build a PAC for a server (as a
target), so don't ask for the PAC attributes here either.
Andrew Bartlett
|
|
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue. (In particular, in
case our requirements become more complex in future).
The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw
Also (in hdb-samba4) be a bit more careful on what entries we will
make the 'change_pw' service mark that this depends on.
Andrew Bartlett
|
|
A single AD server can only host a single domain, so don't stuff about
with looking up our crossRef record in the cn=Partitions container.
We instead trust that lp_realm() and lp_workgroup() works correctly.
Andrew Bartlett
|
|
This means it must be accessed via the supplied auth_context in the
GENSEC server, and should remove the hard depenceny of GENSEC on the
auth subsystem and ldb (allowing LDB not to rely on LDB is considered
a good thing, apparently)
Andrew Bartlett
|
|
When starting GENSEC on the server, the auth subsystem context must be
passed in, which now includes function pointers to the key elements.
This should (when the other dependencies are fixed up) allow GENSEC to
exist as a client or server library without bundling in too much of
our server code.
Andrew Bartlett
|
|
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"
for s in $list; do
o=`echo $s | cut -d ':' -f1`
n=`echo $s | cut -d ':' -f2`
r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
for f in $files; do
cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
mv $f.tmp $f
done
done
metze
|
|
metze
|
|
This uses Heimdal's PAC parsing code in the:
- LOCAL-PAC test
- gensec_gssapi server
- KDC (where is was already used, the support code refactored from here)
In addition, the service and KDC checksums are recorded in the struct
auth_serversupplied_info, allowing them to be extracted for validation
across NETLOGON.
Andrew Bartlett
(This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
|
|
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
|
|
up the call stack.
(This used to be commit ba75f1613a9aac69dd5df94dd8a2b37820acd166)
|
|
(This used to be commit a9a9634df8f3137ecb308adb90a755f12af94972)
|
|
auth but making it usable independently will be the next step.
(This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
|