path: root/source4/auth/gensec/gensec_krb5.c
Age | Commit message | Author | Files | Lines
2011-12-29 | s4-gensec: Rename memory contexts in gensec_krb5 for greater clarity | Andrew Bartlett | 1 | -16/+16
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba. Thank you Simo for the suggestion. Andrew Bartlett
2011-12-29 | s4-gensec: Move parsing of the PAC blob and creating the session_info into auth | Andrew Bartlett | 1 | -61/+18
This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a separation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
2011-12-07 | auth: Allow a NULL principal to be obtained from the credentials | Andrew Bartlett | 1 | -1/+4
This is important when trying to let GSSAPI search the keytab. Andrew Bartlett
2011-10-18 | gensec: move event context from gensec_*_init() to gensec_update() | Andrew Bartlett | 1 | -5/+8
This avoids keeping the event context around on the gensec_security context structure long term. In the Samba3 server, the event context we either supply is a NULL pointer as no server-side modules currently use the event context. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 | gensec: move event-using code to gensec_update() hooks out of gensec_start*() | Andrew Bartlett | 1 | -8/+22
This ensures that only gensec_update() will require an event context argument when the API is refactored. Andrew Bartlett
2011-08-03 | gensec: clarify memory ownership for gensec_session_info() and gensec_session_key() | Andrew Bartlett | 1 | -16/+7
This is slightly less efficient, because we no longer keep a cache on the gensec structures, but much clearer in terms of memory ownership. Both gensec_session_info() and gensec_session_key() now take a mem_ctx and put the result only on that context. Some duplication of memory in the callers (who were rightly uncertain about who was the rightful owner of the returned memory) has been removed to compensate for the internal copy. Andrew Bartlett
2011-08-03 | gensec: split GENSEC into mechanism-dependent and runtime functions | Andrew Bartlett | 1 | -0/+1
The startup and runtime functions that have no dependencies are moved into the top level. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 | auth: Split out make_user_info_SamBaseInfo and add authenticated argument | Andrew Bartlett | 1 | -0/+1
This will allow the source3 auth code to call this without needing to double-parse the SIDs Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-04-20 | libcli/auth Move PAC parsing and verification in common. | Andrew Bartlett | 1 | -2/+2
This uses the source3 PAC code (originally from Samba4) with some small changes to restore functionality needed by the torture tests, and to have a common API. Andrew Bartlett
2011-03-19 | source4/auth/gensec: Fix prototypes for all functions. | Jelmer Vernooij | 1 | -0/+2
2011-02-09 | s4-auth Rework auth subsystem to remove struct auth_serversupplied_info | Andrew Bartlett | 1 | -7/+7
This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is maintained into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Bartlett
2010-12-04 | s4:auth/gensec/gensec_krb5.c - fix/reorder memory free operations | Matthias Dieter Wallnöfer | 1 | -3/+15
To prevent memory leaks
2010-12-04 | s4:auth/gensec/gensec_krb5.c - remove a pointless "nt_status" test | Matthias Dieter Wallnöfer | 1 | -8/+3
There is no operation which sets the "nt_status" before the "if".
2010-11-15 | auth/gensec Handle incorrect username or password in Kerberos client code | Andrew Bartlett | 1 | -0/+1
Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Nov 15 02:09:40 UTC 2010 on sn-devel-104
2010-10-11 | s4-credentials Add explicit event context handling to Kerberos calls (only) | Andrew Bartlett | 1 | -2/+10
By setting the event context to use for this operation (only) onto the krb5_context just before we call that operation, we can try and emulate the specification of an event context to the actual send_to_kdc(). This eliminates the specification of an event context to many other cli_credentials calls, and the last use of event_context_find(). Special care is taken to restore the event context in the event of nesting in the send_to_kdc function. Andrew Bartlett
2010-05-20 | s4:auth Allow the operational module to get a user's tokenGroups from auth | Andrew Bartlett | 1 | -1/+1
This creates a new interface to the auth subsystem, to allow an auth_context to be created from the ldb, and then tokenGroups to be calculated in the same way that the auth subsystem would. Andrew Bartlett
2010-05-18 | Finish removal of iconv_convenience in public API's. | Jelmer Vernooij | 1 | -1/+0
2010-05-14 | s4:gensec expose gensec_set_target_principal for use outside GENSEC | Andrew Bartlett | 1 | -1/+1
This allows for the rare case where the caller knows the target principal. The check for lp_client_use_spnego_principal() is moved to the spnego code to make this work. Andrew Bartlett
2010-05-02 | s4:credentials Make the CCACHE in credentials depend on the things that built it | Andrew Bartlett | 1 | -1/+8
This means that we consider the ccache only as reliable as the least specified of the inputs we used. This means that we will regenerate the ccache if any of the inputs change. Andrew Bartlett
2010-04-14 | s4:auth Change auth_generate_session_info to take an auth context | Andrew Bartlett | 1 | -1/+1
The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and loadparm context for calculating the local groups too, so re-use that infrastructure we already have in place. However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and a generate_session_info() function pointer in the struct auth_context. In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply. Andrew Bartlett
2010-03-26 | libutil: moved the networking defines to util_net.h | Andrew Tridgell | 1 | -0/+1
These were causing thousands of warnings on solaris8
2010-03-08 | s4-gensec: Fixed wrong usage of error_string. | Andreas Schneider | 1 | -1/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2010-02-26 | s4-krb5: propagate errors from a lot more kerberos functions | Andrew Tridgell | 1 | -5/+7
We need to be able to give sensible error messages when a kerberos call fails. This propagates the kerberos error up the stack to the caller. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2009-12-16 | s4-gensec: Replace gensec_get_peer_addr with new tsocket based fn. | Andreas Schneider | 1 | -7/+15
2009-12-16 | s4-gensec: Replace gensec_get_my_addr with new tsocket based fn. | Andreas Schneider | 1 | -6/+17
2009-10-20 | s4: ran minimal_includes.pl on source4/auth/gensec | Andrew Tridgell | 1 | -5/+0
2009-07-16 | s4:gensec Rework gensec_krb5 mutual authentication defaults | Andrew Bartlett | 1 | -24/+28
When emulating Samba3 (which we do to ensure we don't break compatibility), don't do mutual authentication by default, as it breaks the session key with AES and isn't what Samba3 does anyway. Andrew Bartlett
2009-07-16 | s4:gensec Allow mutual auth to be turned off in 'fake_gssapi_krb5' | Andrew Bartlett | 1 | -5/+15
This allows the older 'like Samba3' GENSEC krb5 implementation to work against Windows 2008. I'm using this to track down interop issues in this area. Andrew Bartlett
2009-06-18 | s4:gensec Print GSSAPI error message when unable to find PAC | Andrew Bartlett | 1 | -1/+3
2009-02-13 | Push sam_get_server_info_principal into the auth subsystem | Andrew Bartlett | 1 | -2/+17
This means it must be accessed via the supplied auth_context in the GENSEC server, and should remove the hard dependency of GENSEC on the auth subsystem and ldb (allowing LDB not to rely on LDB is considered a good thing, apparently) Andrew Bartlett
2009-02-13 | Remove auth/ntlm as a dependency of GENSEC by means of function pointers. | Andrew Bartlett | 1 | -2/+0
When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-01-21 | s4:auth: move make_server_info_netlogon_validation() function around | Stefan Metzmacher | 1 | -1/+1
metze
2008-11-02 | Add gensec_settings structure. This wraps loadparm_context for now, but | Jelmer Vernooij | 1 | -8/+8
should in the future only contain some settings required for gensec.
2008-09-23 | gensec_krb5: only give away the session key, when the authentication is done | Stefan Metzmacher | 1 | -0/+4
metze
2008-04-17 | Specify event_context to ldb_wrap_connect explicitly. | Jelmer Vernooij | 1 | -2/+2
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
2008-04-17 | Remove event context tracking from the credentials struct. | Jelmer Vernooij | 1 | -3/+9
(This used to be commit 4d7fc946b2ec50e774689c9036423b6feef99b8e)
2008-04-02 | Install public header files again and include required prototypes. | Jelmer Vernooij | 1 | -0/+2
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-02-21 | Avoid use of global_loadparm. | Jelmer Vernooij | 1 | -1/+3
(This used to be commit c5a95bbe0ce55c29e135a9c6058bf192ec3bb546)
2008-02-20 | Make more module init functions public, since they are compiled with -fvisibility=hidden. | Jelmer Vernooij | 1 | -1/+1
Not doing this causes failures on Mac OS X. (This used to be commit da1a9438bd89569077ef1eaa9dc977b5f9d62836)
2007-12-21 | r26430: require explicit specification of loadparm context. | Jelmer Vernooij | 1 | -2/+2
(This used to be commit 1b947fe0e6e16318e5a8127bb4932d6b5d20bcf6)
2007-12-21 | r26379: Remove more global_loadparm instances. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit b6f66eb5e00ed01029fa81f408d6154ab01e74e7)
2007-12-21 | r26264: pass name resolve order explicitly, use torture context for settings in dssync tests. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit c7eae1c7842f9ff8b70cce9e5d6f3ebbbe78e83b)
2007-12-21 | r26260: Store loadparm context in gensec context. | Jelmer Vernooij | 1 | -7/+7
(This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081)
2007-12-21 | r26258: Use loadparm context in client_start function of gensec. | Jelmer Vernooij | 1 | -3/+3
(This used to be commit bad1891cae2c688b17a6a2b932e754f51291035c)
2007-12-21 | r26252: Specify loadparm_context explicitly when creating sessions. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede)
2007-12-21 | r26236: Remove more uses of global_loadparm or specify loadparm_context explicitly. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 5b29ef7c03d9ae76b0ca909e9f03a58e1bad3521)
2007-12-21 | r26231: Spell check: credentails -> credentials. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 4b46888bd0195ab12190f76868719fc018baafd6)
2007-12-21 | r26222: Avoid global_loadparm in a couple more places. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 5bd053a570ec0a783b4dcd943698263925f819f9)
2007-10-10 | r25552: Convert to standard bool type. | Jelmer Vernooij | 1 | -12/+12
(This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245)
2007-10-10 | r25430: Add the loadparm context to all parametric options. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit fd697d77c9fe67a00939a1f04b35c451316fff58)