| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
determining a mechanism to use.
Currently it doesn't to fallbacks like SPNEGO does, but this could be
added (to GENSEC, not to here).
This also adds a new function to GENSEC, which returns a list of SASL
names in our preference order (currently determined by the build
system of all things...).
Also make the similar function used for OIDs in SPNEGO do the same.
This is all a very long-winded way of moving from a hard-coded NTLM to
GSS-SPNEGO in our SASL client...
Andrew Bartlett
(This used to be commit 130eb9bb9a37957614c87e0e6846a812abb51e00)
|
|
authentication. This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
(This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
|
|
Samba to use the target principal name supplied in the mechTokenMIC of
an SPNEGO negTokenInit.
This isn't a great idea for security reasons, but is how Samba3 behaves,
and allows kerberos to function more often in some environments. It is
only available for CIFS session setups, due to the ordering of the
exchange.
Andrew Bartlett
(This used to be commit f6a645644127ae695a9f7288e0a469f2eb7f3066)
|
|
data to be signed/sealed. We can use this to split the data from the
signature portion of the resultant wrapped packet.
This required merging the gsskrb5_wrap_size patch from
lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no
longer use a static 45 byte value).
This fixes one of the krb5 issues in my list.
Andrew Bartlett
(This used to be commit e4f2afc34362953f56a026b66ae1aea81e9db104)
|
|
into Samba3.
The NTLMSSP sign/seal code now assumes that GENSEC has already checked
to see if SIGN or SEAL should be permitted. This simplfies the code
ensures that no matter what the mech, the correct code paths have been
set in place.
Also remove duplication caused by the NTLMv2 code's history, and
document why some of the things a bit funny.
In SPNEGO, create a new routine to handle the negTokenInit creation.
We no longer send an OID for a mech we can't start (like kerberos on
the server without a valid trust account).
Andrew Bartlett
(This used to be commit fe45ef608f961a6950d4d19b4cb5e7c27b38ba5f)
|
|
(This used to be commit 2134ca475586ed9e062fbf4ef7222fe286c60c57)
|
|
longer used.
Andrew Bartlett
(This used to be commit 14be7d95694dd7557af67dc94ee83a983d2f05f6)
|
|
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.
Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.
There were 3 places where I punted:
- abartlet wanted me to add a gensec_set_event_context() call
instead of adding it to the gensec init calls. Andrew, my
apologies for not doing this. I didn't do it as adding a new
parameter allowed me to catch all the callers with the
compiler. Now that its done, we could go back and use
gensec_set_event_context()
- the ejs code calls auth initialisation, which means it should pass
in the event context from the web server. I punted on that. Needs fixing.
- I used a NULL event context in dcom_get_pipe(). This is equivalent
to what we did already, but should be fixed to use a callers event
context. Jelmer, can you think of a clean way to do that?
I also cleaned up a couple of things:
- libnet_context_destroy() makes no sense. I removed it.
- removed some unused vars in various places
(This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
|
|
Finally remove the distinction between 'krb5' and 'ms_krb5'. We now
don't do kerberos stuff twice on failure. The solution to this is
slightly more general than perhaps was really required (as this is a
special case), but it works, and I'm happy with the cleanup I achived
in the process. All modules have been updated to supply a
NULL-terminated list of OIDs.
In that process, SPNEGO code has been generalised, as I realised that
two of the functions should have been identical in behaviour.
Over in the actual modules, I have worked to remove the 'kinit' code
from gensec_krb5, and placed it in kerberos/kerberos_util.c.
The GSSAPI module has been extended to use this, so no longer requires
a manual kinit at the command line. It will soon loose the
requirement for a on-disk keytab too.
The general kerberos code has also been updated to move from
error_message() to our routine which gets the Heimdal error string
(which may be much more useful) when available.
Andrew Bartlett
(This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)
|
|
is required after updating to this version).
(This used to be commit 258d03ef9248b2827db18269e4f0883c73839084)
|
|
The aim here is to remove the extra layer of abstraction, and to then
use the credentials code directly in the NTLMSSP layer.
Andrew Bartlett
(This used to be commit b14c530dfd3e56975dea7e30aa8d62d4f2827700)
|
|
auth/gensec and auth/kerberos.
This also pulls the kerberos configure code out of libads (which is
otherwise dead), and into auth/kerberos/kerberos.m4
Andrew Bartlett
(This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)
|
