path: root/source4/auth/credentials/credentials.h
Age | Commit message | Author | Files | Lines
2010-09-24 | s4-kerberos Move 'set key into keytab' code out of credentials. | Andrew Bartlett | 1 | -3/+1
This code never really belonged in the credentials layer, and is easier done with direct access to the ldb_message that is in secrets.ldb. Andrew Bartlett
2010-09-16 | s4-credentials: added ability to control forwardable attribute on krb5 tickets | Andrew Tridgell | 1 | -0/+12
with the latest bind9 nsupdate, we need to be able to control if the ticket we use is forwardable Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-05-18 | s4:credentials Add in tracking of the password last set time | Andrew Bartlett | 1 | -0/+4
We perhaps need a more general API here, but for now extend the credentials API to return the password last changed time that the s3compat layer will need. Andrew Bartlett
2010-04-10 | s4:credentials Add the functions needed to do S4U2Self with cli_credentials | Andrew Bartlett | 1 | -0/+7
A torture test to demonstrate will be added soon. Andrew Bartlett
2010-04-10 | s4:credentials talloc_free() any previous salt_principal | Andrew Bartlett | 1 | -1/+1
This isn't used often, but it is generally better not to leak it onto what may be a longer-term context. Andrew Bartlett
2010-02-26 | s4-krb5: propagate errors from a lot more kerberos functions | Andrew Tridgell | 1 | -4/+7
We need to be able to give sensible error messages when a kerberos call fails. This propagates the kerberos error up the stack to the caller. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-02-20 | s4:credentials Add hooks to extract a named Kerberos credentials cache | Andrew Bartlett | 1 | -1/+7
This allows the integration of external tools that can't be linked into C or python, but need to authenticate as the local machine account. The machineaccountccache script demonstrates this, and debugging has been improved in cli_credentials_set_secrets() by passing back an error string. Andrew Bartlett
2009-04-14 | Rework Samba4 to use the new common libcli/auth code | Andrew Bartlett | 1 | -3/+3
In particular, this is the rename from creds_ to netlogon_creds_, as well as other links to use the new common crypto. Andrew Bartlett
2009-01-25 | Add prototypes required by samba-gtk. | Jelmer Vernooij | 1 | -0/+9
2008-12-29 | s4:lib/tevent: rename structs | Stefan Metzmacher | 1 | -11/+11
    list=""
    list="$list event_context:tevent_context"
    list="$list fd_event:tevent_fd"
    list="$list timed_event:tevent_timer"
    for s in $list; do
        o=`echo $s | cut -d ':' -f1`
        n=`echo $s | cut -d ':' -f2`
        r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
        files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
        for f in $files; do
            cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
            mv $f.tmp $f
        done
    done
metze
2008-10-11 | Move lib/util from source4 to top-level libutil. | Jelmer Vernooij | 1 | -1/+1
Conflicts: source4/Makefile
2008-05-05 | Allow an NTLM response to be specified into the auth subsystem. | Andrew Bartlett | 1 | -0/+9
This allows it to be proxied for NTLM pass-through authentication (aka security=server and associated man-in-the-middle attacks). Andrew Bartlett (This used to be commit 6ffabb38d03ad90d8731ab3e0eb692438db967ee)
2008-04-17 | Remove event context tracking from the credentials struct. | Jelmer Vernooij | 1 | -5/+11
(This used to be commit 4d7fc946b2ec50e774689c9036423b6feef99b8e)
2008-04-02 | Install public header files again and include required prototypes. | Jelmer Vernooij | 1 | -1/+112
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-03-17 | Don't require users of credentials.h to have krb5.h and gssapi.h | Andrew Bartlett | 1 | -1/+4
Rather than require users of Samba4's headers to have krb5-devel installed (presumably in their system paths), don't expose the minor functions which require this by default. Andrew Bartlett (This used to be commit f14737e4d2040d2f401a3b20c5e78d0d793cfc3a)
2007-12-21 | r26484: Don't rely on removed header. | Jelmer Vernooij | 1 | -0/+1
(This used to be commit 6ca2b350858c0747449671234d54584635512705)
2007-12-21 | r26430: require explicit specification of loadparm context. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 1b947fe0e6e16318e5a8127bb4932d6b5d20bcf6)
2007-10-10 | r25398: Parse loadparm context to all lp_*() functions. | Jelmer Vernooij | 1 | -0/+1
(This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
2007-10-10 | r25193: Update headers to ease use by external apps. | Jelmer Vernooij | 1 | -0/+1
(This used to be commit 20b70fbb7af6b6759c3b8c8aa56e10944b32bfdf)
2007-10-10 | r24712: No longer expose the 'BOOL' data type in any interfaces. | Jelmer Vernooij | 1 | -3/+3
(This used to be commit 1ce32673d960c8b05b6c1b1b99e1976a402417ae)
2007-10-10 | r23792: convert Samba4 to GPLv3 | Andrew Tridgell | 1 | -3/+2
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10 | r23063: Make sure to invalidate the ccache when we set a | Andrew Bartlett | 1 | -0/+7
username/password/realm/etc from the command line. Also make sure it can't 'come back' from a later call to cli_credentials_guess(), by setting a threshold. This should fix the issues with the build farm... Andrew Bartlett (This used to be commit 3b1dfb9306beb9f40d85d38cf6786ef161ec63f1)
2007-10-10 | r22969: fix some more places where we could end up with more than one event | Andrew Tridgell | 1 | -0/+3
context. We now have an event context on the torture_context, and we can also get one from the cli_credentials structure (This used to be commit c0f65eb6562e13530337c23e3447a6aa6eb8fc17)
2007-10-10 | r21736: Fix the smbclient test to do something more interesting with the last | Andrew Bartlett | 1 | -1/+1
few authentication tests. Now that the tests correctly 'fail', I was able to fix the credentials subsystem to honour USER and PASSWD. To get --machine-pass working, I needed ldb to always load its static modules, so I put this in ldb_connect(). Andrew Bartlett (This used to be commit 3430d8c072407a1c33c32229095fc9db2142b6fa)
2007-10-10 | r21142: fix compiler warnings | Stefan Metzmacher | 1 | -0/+1
metze (This used to be commit 1f8a037ac4f592d29f7d66e1f924efe1c5d8c2b0)
2007-10-10 | r20135: attach default gensec features to the cli_credentials structure, | Stefan Metzmacher | 1 | -0/+3
so make it possible to force encryption or signing. metze (This used to be commit a91dc4a02a46370c52f59cbd4dea9580fa6efafa)
2007-10-10 | r15422: Fix issues with functions being called recursively in the credentials | Jelmer Vernooij | 1 | -0/+3
callback code. (This used to be commit edf0701e877592695bd69124e528338c27f24efd)
2007-10-10 | r15414: Support retrying different username/password combinations | Jelmer Vernooij | 1 | -1/+5
(This used to be commit 5de894fb8bac8efa5bff004dbfc2e8b386d4003b)
2007-10-10 | r14484: Install more headers | Jelmer Vernooij | 1 | -0/+2
(This used to be commit 430c6516d383bfd7f27287394bf8eef9f174b3e6)
2007-10-10 | r14363: Remove credentials.h from the global includes. | Jelmer Vernooij | 1 | -0/+4
(This used to be commit 98c4c3051391c6f89df5d133665f51bef66b1563)
2007-10-10 | r13206: This patch finally re-adds a -k option that works reasonably. | Andrew Bartlett | 1 | -5/+9
From here we can add tests to Samba for kerberos, forcing it on and off. In the process, I also remove the dependency of credentials on GENSEC. This also picks up on the idea of bringing 'set_boolean' into general code from jpeach's cifsdd patch. Andrew Bartlett (This used to be commit 1ac7976ea6e3ad6184c911de5df624c44e7c5228)
2007-10-10 | r12542: Move some more prototypes out to separate headers | Jelmer Vernooij | 1 | -0/+2
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2007-10-10 | r12310: Link simple bind support in our internal LDAP libs to LDB and the | Andrew Bartlett | 1 | -0/+2
command line processing system. This is a little ugly at the moment, but works. What I cannot manage to get to work is the extraction and propagation of command line credentials into the js interface to ldb. Andrew Bartlett (This used to be commit f34ede763e7f80507d06224d114cf6b5ac7c8f7d)
2007-10-10 | r12065: fix compiler warning | Stefan Metzmacher | 1 | -1/+1
metze (This used to be commit c60bac5baa572a597ce6e1c2e3639be4c7daeefc)
2007-10-10 | r12060: Work towards allowing the credentials system to allow/deny certain | Andrew Bartlett | 1 | -0/+3
GENSEC mechanisms. This will allow a machine join to an NT4 domain to avoid even trying kerberos, or a sensitive operation to require it. Andrew Bartlett (This used to be commit 11c7a89e523f85afd728d5e5f03bb084dc620244)
2007-10-10 | r11995: A big kerberos-related update. | Andrew Bartlett | 1 | -2/+4
This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunately this can't take a MEMORY keytab, so we now create a FILE based keytab at provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2007-10-10 | r11452: Update Heimdal to current lorikeet, including removing the ccache side | Andrew Bartlett | 1 | -0/+2
of the gsskrb5_acquire_cred hack. Add support for delegated credentials into the auth and credentials subsystem, and specifically into gensec_gssapi. Add the CIFS NTVFS handler as a consumer of delegated credentials, when no user/domain/password is specified. Andrew Bartlett (This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448)
2007-10-10 | r11401: A simple hack to have our central credentials system deny sending LM | Andrew Bartlett | 1 | -0/+3
authentication for user@realm logins and machine account logins. This should avoid various protocol downgrade attacks. Andrew Bartlett (This used to be commit 76c2d204d0a1ec66d1ef3c935688c7571b051f46)
2007-10-10 | r11220: Add the ability to handle the salt principal as part of the | Andrew Bartlett | 1 | -0/+1
credentials. This works with the setup/secrets.ldif change from the previous patch, and pretty much just re-invents the keytab. Needed for kpasswdd work. Andrew Bartlett (This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5)
2007-10-10 | r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5 | Andrew Bartlett | 1 | -0/+5
authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use kerberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentials to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
2007-10-10 | r10982: Move credentials.h into auth/credentials, and add flags needed by | Andrew Bartlett | 1 | -0/+81
previous patch. Andrew Bartlett (This used to be commit 2c537d47ba99885c6462016342b1cc29df4c54c5)