summaryrefslogtreecommitdiff
path: root/source4/auth/gensec/gensec_gssapi.c
AgeCommit message (Collapse)AuthorFilesLines
2013-08-10auth/gensec: introduce gensec_internal.hStefan Metzmacher1-0/+1
We should treat most gensec related structures private. It's a long way, but this is a start. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-16gensec: Make the no-hostname status message much less scaryAndrew Bartlett1-1/+1
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-02-12Fix some cut-and-paste and spelling in debug messagesGuenter Kukkukk1-8/+8
Signed-off-by: Guenter Kukkukk <kukks@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Feb 12 07:28:27 CET 2013 on sn-devel-104
2012-05-23gse: Use the smb_gss_oid_equal wrapper.Andreas Schneider1-2/+4
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-05-23gensec_gssapi: Make it possible to build with MIT krb5Simo Sorce1-10/+20
We need to ifdef out some minor things here because there is no available API to set these options in MIT. The realm and canonicalize options should be not interesting in the client case. Same for the send_to_kdc hacks. Also the OLD DES3 enctype is not at all interesting. I am not aware that Windows will ever use DES3 and no modern implementation relies on that enctype anymore as it has been fully deprecated long ago, so we can simply ignore it.
2012-05-17s4:auth/gensec_gssapi: add "gensec_gssapi:requested_life_time" optionStefan Metzmacher1-1/+6
metze
2012-05-17s4:auth/gensec: implement gensec_gssapi_expire_time()Stefan Metzmacher1-0/+13
metze
2012-05-17s4:auth/gensec_gssapi: add missing 'break' statementsStefan Metzmacher1-0/+2
metze
2012-05-17s4:auth/gensec_gssapi: remember the expire timeStefan Metzmacher1-2/+8
metze
2012-04-25lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into ↵Alexander Bokovoy1-3/+1
lib/replace/system/gssapi.h With waf build include directories are defined by dependencies specified to subsystems. Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds when there are no system-wide gssapi/gssapi.h available. Split out GSSAPI header includes in a separate replacement header and use that explicitly where needed. Autobuild-User: Alexander Bokovoy <ab@samba.org> Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
2012-04-23For now just disable this Heindal specific stuff in the MIT buildSimo Sorce1-0/+4
2012-04-12auth-krb: Move pac related util functions in a single place.Simo Sorce1-0/+1
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12auth-krb: Nove oid packet check to gensec_util.Simo Sorce1-22/+2
This is clearly a utiliy function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12gensec_gssapi: keep private header file close to the actual codeSimo Sorce1-1/+1
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-02-17auth/kerberos: Move gse_get_session_key() to common code and use in ↵Andrew Bartlett1-33/+22
gensec_gssapi Thie ensures that both code bases use the same logic to determine the use of NEW_SPNEGO. Andrew Bartlett
2012-01-20s4:auth/gensec: make sure GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAGStefan Metzmacher1-0/+1
metze
2012-01-11gensec: Rename want_flags and got_flags in gensec_gssapiAndrew Bartlett1-26/+26
This make it clearer what type of flags these are. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-29s4-gensec: Rename memory contexts in gensec_gssapi for greater clarityAndrew Bartlett1-16/+16
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba. Thankyou Simo for the suggestion. Andrew Bartlett
2011-12-29s4-gensec: Move parsing of the PAC blob and creating the session_info into authAndrew Bartlett1-82/+34
This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a seperation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
2011-12-28s4-gensec: Allow a PAC to be obtained from any GSS mechAndrew Bartlett1-7/+0
This may allow Luke Howard's moonshot to work with a little less effort at some point in the future. Andrew Bartlett
2011-10-18gensec: move event context from gensec_*_init() to gensec_update()Andrew Bartlett1-7/+9
This avoids keeping the event context around on a the gensec_security context structure long term. In the Samba3 server, the event context we either supply is a NULL pointer as no server-side modules currently use the event context. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18gensec: move event-using code to gensec_update() hooks out of gensec_start*()Andrew Bartlett1-30/+54
This ensures that only gensec_update() will require an event context argument when the API is refactored. Andrew Bartlett
2011-08-03gensec: clarify memory ownership for gensec_session_info() and ↵Andrew Bartlett1-14/+6
gensec_session_key() This is slightly less efficient, because we no longer keep a cache on the gensec structures, but much clearer in terms of memory ownership. Both gensec_session_info() and gensec_session_key() now take a mem_ctx and put the result only on that context. Some duplication of memory in the callers (who were rightly uncertain about who was the rightful owner of the returned memory) has been removed to compensate for the internal copy. Andrew Bartlett
2011-08-03gensec: Remove mem_ctx from calls that do not return memoryAndrew Bartlett1-6/+9
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03gensec: split GENSEC into mechanism-dependent and runtime functionsAndrew Bartlett1-0/+1
The startup and runtime functions that have no dependencies are moved into the top level. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-06-08s4-gensec bring GSS_S_CONTEXT_EXPIRED into it's own error handlerAndrew Bartlett1-0/+59
This allows us to print much more debugging in this critical situation. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Jun 8 04:19:58 CEST 2011 on sn-devel-104
2011-05-18s4:gensec_gssapi: avoid delegation if s4u2self/proxy is usedStefan Metzmacher1-0/+4
metze
2011-04-27s4-gensec: Use new common 'obtain the PAC' functions.Andrew Bartlett1-15/+4
Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Apr 27 05:08:10 CEST 2011 on sn-devel-104
2011-04-27libcli/auth Move Samba4's gssapi_error_string from GENSEC to libcli/authAndrew Bartlett1-38/+0
This will allow the GSSAPI PAC fetch code to use it. Andrew Bartlett
2011-03-19source4/auth/gensec: Fix prototypes for all functions.Jelmer Vernooij1-0/+2
2011-02-10ldb: use #include <ldb.h> for ldbAndrew Tridgell1-1/+1
thi ensures we are using the header corresponding to the version of ldb we're linking against. Otherwise we could use the system ldb for link and the in-tree one for include Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-09s4-auth Rework auth subsystem to remove struct auth_serversupplied_infoAndrew Bartlett1-9/+30
This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-01-19s4-gensec Remove special case 'for SASL' that is not required any more.Andrew Bartlett1-13/+0
I've examined the code paths involved, and it appears an alternative fix has been made in the ldap_server/ldap_bind.c code, and there is no code path that uses this behaviour. Andrew Bartlett
2010-11-29s4:auth/gensec/gensec_gssapi.c - always print error messages on the same ↵Matthias Dieter Wallnöfer1-2/+2
talloc context
2010-11-17s4-gensec: zero the gssapi_stateAndrew Tridgell1-1/+1
this fixes a use of the target_principal before initialisation Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-15s4-gensec Indicate if GENSEC is in client or server mode in the debugAndrew Bartlett1-2/+4
2010-11-15auth/gensec Handle incorrect username or password in Kerberos client codeAndrew Bartlett1-0/+2
Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Nov 15 02:09:40 UTC 2010 on sn-devel-104
2010-11-08s4-auth Supply more useful error messages on Kerberos failureAndrew Bartlett1-13/+24
The practice of returning only NT_STATUS_INVALID_PARAMETER hasn't helped our users to debug problems effectivly, and so we now return more errors and try and give a more useful debug message when then happen. Andrew Bartlett
2010-11-08s4-auth Fix typos in samba4 auth codeBrad Hards1-7/+7
2010-10-11s4-credentials Add explicit event context handling to Kerberos calls (only)Andrew Bartlett1-14/+22
By setting the event context to use for this operation (only) onto the krb5_context just before we call that operation, we can try and emulate the specification of an event context to the actual send_to_kdc() This eliminates the specification of an event context to many other cli_credentials calls, and the last use of event_context_find() Special care is taken to restore the event context in the event of nesting in the send_to_kdc function. Andrew Bartlett
2010-10-02s4-gensec Always honour the set server principalAndrew Bartlett1-1/+1
The spengo code won't set this unless it is allowed to by this same option, but other callers may need it. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sat Oct 2 02:27:39 UTC 2010 on sn-devel-104
2010-09-23s4-gensec: fixed a client side bug in GENSEC/SASL/SSF negotiationAndrew Tridgell1-7/+10
this is the client side equivalent change for the previous fix Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-23s4-gensec: fixed a GSSAPI SASL negotiation bugAndrew Tridgell1-11/+14
Fixed a bug that affected mismatched negotiation between the GSSAPI layer and the SASL SSF subsequent negotiation. This caused some ldap clients to hang when trying to authentication with a Samba LDAP server. The client thought the connection should be signed, the server thought it should be in plain text Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-22s4-param: Fix more memory leaks, invalid memory context.Jelmer Vernooij1-1/+1
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell1-4/+4
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-24s4:auth/gensec/gensec_gssapi.c - reorder constructorMatthias Dieter Wallnöfer1-30/+38
To have the same order as in the structure definition.
2010-05-20s4:auth Allow the operational module to get a user's tokenGroups from authAndrew Bartlett1-0/+1
This creates a new interface to the auth subsystem, to allow an auth_context to be created from the ldb, and then tokenGroups to be calculated in the same way that the auth subsystem would. Andrew Bartlett
2010-05-18Finish removal of iconv_convenience in public API's.Jelmer Vernooij1-1/+0
2010-05-02s4:credentials Make the CCACHE in credentials depend on the things that built itAndrew Bartlett1-0/+4
This means that we consider the ccache only as reliable as the least specified of the inputs we used. This means that we will regenerate the ccache if any of the inputs change. Andrew Bartlett
2010-04-27s4:gensec Use a different form of 'name' in GSSAPI import_name()Andrew Bartlett1-3/+3
The idea here is to make it not dependent on the system's default realm. Andrew Bartlett