summaryrefslogtreecommitdiff
path: root/source4/auth/gensec/gensec_gssapi.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r19660: Forgot to tell gsskrb5 not to canonicalize hostnames. Shoudl fixAndrew Bartlett1-0/+8
valrind issues on fort, because we won't hit NSS any more. Andrew Bartlett (This used to be commit 6f67fa01ab4f946c9a9aae0d4e8d028153873e04)
2007-10-10r19650: Allow Samba to use Heimdal's SPNEGO code. Currently this can onlyAndrew Bartlett1-9/+49
negotiate krb5, but if this works, I'll add NTLM as a GSSAPI backend by some means or other. Andrew Bartlett (This used to be commit 476452e143f61a3878a3646864729daaddccdf68)
2007-10-10r19644: Merge up to current lorikeet-heimdal, incling addingAndrew Bartlett1-0/+18
gsskrb5_set_default_realm(), which should fix mimir's issues. Andrew Bartlett (This used to be commit 8117e76d2adee163925a29df872015ff5021a1d3)
2007-10-10r19635: It appears that under CFX, different keys are used in each directionAndrew Bartlett1-3/+3
(or something like that). In any case, we need to stick with the initiator subkey for now, until we figure out what Vista uses for the CIFS session key. Andrew Bartlett (This used to be commit b91a921e1393581ca0102ad1f49a1075acb91b4e)
2007-10-10r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in ↵Andrew Bartlett1-3/+3
favour of a more tasteful replacement. Remove kerberos_verify.c, as we don't need that code any more. Replace with code for using the new krb5_rd_req_ctx() borrowed from Heimdal's accecpt_sec_context.c Andrew Bartlett (This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)
2007-10-10r19629: No need to special case use of DCE_STYLE sign and seal away any more...Andrew Bartlett1-9/+0
Andrew Bartlett (This used to be commit 247b9f1ca907cf921087e6840400ddf68289b8f2)
2007-10-10r19628: This hint via Love at the IETF meeting:Andrew Bartlett1-0/+3
Larry told me that most context flags needed to be set to, otherwise it wouldn't work. This fixes DCE_STYLE against Win2k3 SP1. It seems they just tightened up their end of the GSSAPI code, as DCE_STYLE is explicity rejected in the session setup too (being the wrong layer). Andrew Bartlett (This used to be commit b2b77f34a4d0cebb828cac7bf9a73826fecab5b6)
2007-10-10r19604: This is a massive commit, and I appologise in advance for it's size.Andrew Bartlett1-44/+83
This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
2007-10-10r19597: Ahead of the merge to current lorikeet-heimdal:Andrew Bartlett1-59/+67
Supply the correct OID to the error display functions. Rework the session key functions. Andrew Bartlett (This used to be commit 363628c13f4e4a8904802dcf4d80e296ed2f9e02)
2007-10-10r19465: Rather than use the non-standard API for determining the signatureAndrew Bartlett1-55/+8
length, use the amount the wapped message expanded by. This works, because GSSAPI doesn't do AEAD (signing of headers), and so changing the signature length after the fact is valid. Andrew Bartlett (This used to be commit bd1e0f679c8f2b9755051b8d34114fa127a7cf26)
2007-10-10r18301: I discovered how to load the warnings from a build farm build intoAndrew Tridgell1-2/+2
emacs compile mode (hint, paste to a file, and compile as "cat filename"). This allowed me to fix nearly all the warnings for a IA_64 SuSE build very quickly. (This used to be commit eba6c84efff735bb0ca941ac4b755ce2b0591667)
2007-10-10r18257: Order the GENSEC modules, with unknown modules last.Andrew Bartlett1-2/+4
Andrew Bartlett (This used to be commit 8ae880b5019ab275fe0eca48120ab9e0fcca6293)
2007-10-10r17332: May as well make this a round numberAndrew Bartlett1-1/+1
(This used to be commit a2d614147663c4f9b80d6e383819e92ca45e013b)
2007-10-10r17173: Check for oversize output, not oversize input, and fix the GSSAPI mechAndrew Bartlett1-10/+11
to work (it broke it in the previous commit). Andrew Bartlett (This used to be commit e96638bc74f0752ce8af6626a04c92d48b917ffe)
2007-10-10r17171: Add a gensec function to determine the maximum negotiated buffer size,Andrew Bartlett1-34/+114
and the maximum amount of user data that may be fitted into that. This is used in the new SASL code, to correctly honour SASL buffer sizes. Andrew Bartlett (This used to be commit cbbe99d9c1f0262e67a495fb098cacc09fd78e05)
2007-10-10r15853: started the process of removing the warnings now thatAndrew Tridgell1-2/+1
talloc_set_destructor() is type safe. The end result will be lots less use of void*, and less calls to talloc_get_type() (This used to be commit 6b4c085b862c0932b80b93e316396a53b993544c)
2007-10-10r15426: Implement SPNEGO as the default RPC authentication mechanism. WhereAndrew Bartlett1-0/+9
this isn't supported, fallback to NTLM. Also, where we get a failure as 'logon failure', try and do a '3 tries' for the password, like we already do for CIFS. (Incomplete: needs a mapping between RPC errors and the logon failure NTSTATUS). Because we don't yet support Kerberos sign/seal to win2k3 SP1 for DCE/RPC, disable this (causing SPNEGO to negotiate NTLM) when kerberos isn't demanded. Andrew Bartlett (This used to be commit b3212d1fb91b26c1d326a289560106dffe1d2e80)
2007-10-10r15297: Move create_security_token() to samdb as it requires SAMDB (and the ↵Jelmer Vernooij1-1/+1
rest of LIBSECURITY doesn't) Make the ldb password_hash module only depend on some keys manipulation code, not full heimdal Some other dependency fixes (This used to be commit 5b3ab728edfc9cdd9eee16ad0fe6dfd4b5ced630)
2007-10-10r14700: Fix spelling, and change these informational messages to debug level 5.Andrew Bartlett1-6/+6
Andrew Bartlett (This used to be commit 8f96f524bfde99667410ec98087831b9c14c66e5)
2007-10-10r14542: Remove librpc, libndr and libnbt from includes.hJelmer Vernooij1-0/+1
(This used to be commit 51b4270513752d2eafbe77f9de598de16ef84a1f)
2007-10-10r14464: Don't include ndr_BASENAME.h files unless strictly required, insteadJelmer Vernooij1-1/+1
try to include just the BASENAME.h files (containing only structs) (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd)
2007-10-10r14383: Fix non-developer build.Jelmer Vernooij1-1/+1
(This used to be commit f4de155c94b89e586640d11992953a0d5fc0716d)
2007-10-10r14380: Reduce the size of structs.hJelmer Vernooij1-0/+1
(This used to be commit 1a16a6f1dfa66499af43a6b88b3ea69a6a75f1fe)
2007-10-10r13924: Split more prototypes out of include/proto.h + initial work on headerJelmer Vernooij1-0/+1
file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
2007-10-10r13481: As far as I can tell, my changes in -r 12863 were dangerously untested.Andrew Bartlett1-7/+8
We do need the gsskrb5_get_initiator_subkey() routine. But we should ensure that we do always get a valid key, to prevent any segfaults. Without this code, we get a different session key compared with Win2k3, and so kerberised smb signing fails. Andrew Bartlett (This used to be commit cfd0df16b74b0432670b33c7bf26316b741b1bde)
2007-10-10r13344: Trust SASL to have subtle distinctions between NULL and zero-lengthAndrew Bartlett1-10/+24
responses... Also trust OpenLDAP to be pedantic about it, breaking connections to AD. In any case, we now get this 'right' (by nasty overloading hacks, but hey), and we can now use system-supplied OpenLDAP libs and SASL/GSSAPI to talk to Samba4. Andrew Bartlett (This used to be commit 0cbe18211a95f811b51865bc0e8729e9a302ad25)
2007-10-10r13342: Make the GSSAPI SASL mech actually work, by (shock horror) reading ↵Andrew Bartlett1-70/+406
the spec. GSSAPI differs from GSS-SPNEGO in an additional 3 packets, negotiating a buffer size and what integrity protection/privacy should be used. I worked off draft-ietf-sasl-gssapi-03, and this works against Win2k3. I'm doing this in the hope that Apple clients as well as SASL-based LDAP tools may get a bit further. I still can't get ldapsearch to work, it fails with the ever-helpful 'Local error'. Andrew Bartlett (This used to be commit 3e462897754b30306c1983af2d137329dd937ad6)
2007-10-10r13250: I missed a couple of talloc_free()'sAndrew Bartlett1-0/+2
Andrew Bartlett (This used to be commit 3570a62876dcd656b328bf8c2c1be617ae9a8fd7)
2007-10-10r13247: Try to make better use of talloc in the auth/ and auth/gensec code.Andrew Bartlett1-6/+13
We don't want temporary memory hanging around on the long-term contexts. Andrew Bartlett (This used to be commit 85b3f6ebddfb655fdd08d1799752e562a6ff9cb1)
2007-10-10r13206: This patch finally re-adds a -k option that works reasonably.Andrew Bartlett1-2/+3
From here we can add tests to Samba for kerberos, forcing it on and off. In the process, I also remove the dependency of credentials on GENSEC. This also picks up on the idea of bringing 'set_boolean' into general code from jpeach's cifsdd patch. Andrew Bartlett (This used to be commit 1ac7976ea6e3ad6184c911de5df624c44e7c5228)
2007-10-10r12863: As lha suggested to me a while back, it appears that theAndrew Bartlett1-8/+7
gsskrb5_get_initiator_subkey() routine is bougs. We can indeed use gss_krb5_get_subkey(). This is fortunate, as there was a segfault bug in 'initiator' version. Andrew Bartlett (This used to be commit ec11870ca1f9231dd3eeae792fc3268b31477e11)
2007-10-10r12608: Remove some unused #include lines.Jelmer Vernooij1-1/+0
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
2007-10-10r11995: A big kerberos-related update.Andrew Bartlett1-54/+7
This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY keytab, so we now create a FILE based keytab as provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2007-10-10r11967: Fix more 64-bit warnings.Tim Potter1-4/+4
(This used to be commit 9c4436a124f874ae240feaf590141d48c33a635f)
2007-10-10r11543: A major upgrade to our KDC and PAC handling.Andrew Bartlett1-1/+1
We now put the PAC in the AS-REP, so that the client has it in the TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the client wants a ticket. This should also allow us to interop with windows KDCs. If we get an invalid PAC at the TGS stage, we just drop it. I'm slowly trying to move the application logic out of hdb-ldb.c, and back in with the rest of Samba's auth system, for consistancy. This continues that trend. Andrew Bartlett (This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
2007-10-10r11521: Add in client support for checking supportedSASLmechanisms, and thenAndrew Bartlett1-0/+1
determining a mechanism to use. Currently it doesn't to fallbacks like SPNEGO does, but this could be added (to GENSEC, not to here). This also adds a new function to GENSEC, which returns a list of SASL names in our preference order (currently determined by the build system of all things...). Also make the similar function used for OIDs in SPNEGO do the same. This is all a very long-winded way of moving from a hard-coded NTLM to GSS-SPNEGO in our SASL client... Andrew Bartlett (This used to be commit 130eb9bb9a37957614c87e0e6846a812abb51e00)
2007-10-10r11514: Fixup debug messageAndrew Bartlett1-1/+1
(This used to be commit b2372cad367a29d7dca596dace703a349b381a09)
2007-10-10r11470: To a server trusted for delegation (checked for in the gss libs),Andrew Bartlett1-1/+1
delegate by default. Andrew Bartlett (This used to be commit 49d489c81d5b5c86e032ed6edfda4590d1d1f2be)
2007-10-10r11468: Merge a bit more of init_sec_context from Heimdal CVS into ourAndrew Bartlett1-1/+8
DCE_STYLE modified version, and add parametric options to control delegation. It turns out the only remaining issue is sending delegated credentials to a windows server, probably due to the bug lha mentions in his blog (using the wrong key). If I turn delgation on in smbclient, but off in smbd, I can proxy a cifs session. I can't wait till Heimdal 0.8, so I'll see if I can figure out the fix myself :-) Andrew Bartlett (This used to be commit fd5fd03570c13f5644e53ff89ac8eca7c0985740)
2007-10-10r11452: Update Heimdal to current lorikeet, including removing the ccache sideAndrew Bartlett1-49/+52
of the gsskrb5_acquire_cred hack. Add support for delegated credentials into the auth and credentials subsystem, and specifically into gensec_gssapi. Add the CIFS NTVFS handler as a consumer of delegated credentials, when no user/domain/password is specified. Andrew Bartlett (This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448)
2007-10-10r11394: Allow KDC unreachable as another 'forget about gssapi' error on SPNEGO.Andrew Bartlett1-0/+4
Andrew Bartlett (This used to be commit da24074860cb7029ef0ff45105170642174f45c1)
2007-10-10r11342: Remove unused variables.Andrew Bartlett1-1/+0
Andrew Bartlett (This used to be commit eed8f4a03168a72910c829e490937c696c00b697)
2007-10-10r11314: Use a patch from lha to have the kerberos libs extract the PAC, ratherAndrew Bartlett1-7/+2
than doing ASN.1 parsing in Samba. Also use the API function for getting a client from a ticket, rather than just digging in the structure. Andrew Bartlett (This used to be commit 25d5ea6d724bd2b64a6086ae6e2e1c5148b8ca4a)
2007-10-10r11278: fix compiler warningsStefan Metzmacher1-14/+22
metze (This used to be commit 716e6b0c883836e50400413cccbeb6fab5cb5744)
2007-10-10r11270: Move the core CrackNames code from rpc_server/drsuapi to dsdb/samdb.Andrew Bartlett1-35/+6
I'm sure this will not be the final resting place, but it will do for now. Use the cracknames code in auth/ for creating a server_info given a principal name only (should avoid assumtions about spliting a user@realm principal). Andrew Bartlett (This used to be commit c9d5d8e45dd7b7c99b6cf35b087bc18012f31222)
2007-10-10r11216: Upgrade to gd's PAC extraction code from Samba3. While I still wantAndrew Bartlett1-4/+13
to make some this the kerberos library's problem, we may as well use the best code that is around. Andrew Bartlett (This used to be commit a7fe3078a65f958499779f381731b408f3e6fb1f)
2007-10-10r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5Andrew Bartlett1-28/+27
authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
2007-10-10r10565: Try to make Kerberos authentication a bit more friendly.Andrew Bartlett1-8/+30
This disables it for 'localhost' as well as for any host our KDC does not recognise. Andrew Bartlett (This used to be commit 49c6c36763aae23880a20a8ee50c00e8935d8548)
2007-10-10r10464: Use more consistant names.Andrew Bartlett1-3/+3
Andrew Bartlett (This used to be commit 1f726906c488355733dc1a3a89c53e194c192e68)
2007-10-10r10364: Turn gensec:gssapi on by default, except for a login of the formAndrew Bartlett1-23/+23
-Udomain\\user. This will probably break in a few configurations, so please let me know. I'll also work to have a way to inhibit kerberos/ntlmssp, as this removes -k. Andrew Bartlett (This used to be commit 3c0dc570b86e79aea5446d7c3bb9750a11bf8ca4)