Age | Commit message (Collapse) | Author | Files | Lines |
|
By setting the event context to use for this operation (only) onto
the krb5_context just before we call that operation, we can try
and emulate the specification of an event context to the actual send_to_kdc()
This eliminates the specification of an event context to many other
cli_credentials calls, and the last use of event_context_find()
Special care is taken to restore the event context in the event of
nesting in the send_to_kdc function.
Andrew Bartlett
|
|
This creates a new interface to the auth subsystem, to allow an
auth_context to be created from the ldb, and then tokenGroups to be
calculated in the same way that the auth subsystem would.
Andrew Bartlett
|
|
|
|
This allows for the rare case where the caller knows the target
principal. The check for lp_client_use_spnego_principal() is moved to
the spengo code to make this work.
Andrew Bartlett
|
|
This means that we consider the ccache only as reliable as the least
specified of the inputs we used.
This means that we will regenerate the ccache if any of the inputs change.
Andrew Bartlett
|
|
The auth context was in the past only for NTLM authentication, but we
need a SAM, an event context and and loadparm context for calculating
the local groups too, so re-use that infrustructure we already have in
place.
However, to avoid problems where we may not have an auth_context (in
torture tests, for example), allow a simpler 'session_info' to be
generated, by passing this via an indirection in gensec and an
generate_session_info() function pointer in the struct auth_context.
In the smb_server (for old-style session setups) we need to change the
async context to a new 'struct sesssetup_context'. This allows us to
use the auth_context in processing the authentication reply .
Andrew Bartlett
|
|
These were causing thousands of warnings on solaris8
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
We need to be able to give sensible error messages when a kerberos
calls fails. This propogates the kerberos error up the stack to the
caller.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
|
|
|
|
When emulating Samba3 (which we do to ensure we don't break
compatability), don't do mutual authentication by default, as it
breaks the session key with AES and isn't what Samba3 does anyway.
Andrew Bartlett
|
|
This allows the older 'like Samba3' GENSEC krb5 implementation to work
against Windows 2008. I'm using this to track down interop issues in
this area.
Andrew Bartlett
|
|
|
|
This means it must be accessed via the supplied auth_context in the
GENSEC server, and should remove the hard depenceny of GENSEC on the
auth subsystem and ldb (allowing LDB not to rely on LDB is considered
a good thing, apparently)
Andrew Bartlett
|
|
When starting GENSEC on the server, the auth subsystem context must be
passed in, which now includes function pointers to the key elements.
This should (when the other dependencies are fixed up) allow GENSEC to
exist as a client or server library without bundling in too much of
our server code.
Andrew Bartlett
|
|
metze
|
|
should in the future only contain some settings required for gensec.
|
|
metze
|
|
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
|
|
(This used to be commit 4d7fc946b2ec50e774689c9036423b6feef99b8e)
|
|
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
|
|
(This used to be commit c5a95bbe0ce55c29e135a9c6058bf192ec3bb546)
|
|
-fvisibility=hidden. Not doing this causes failures on Mac OS X.
(This used to be commit da1a9438bd89569077ef1eaa9dc977b5f9d62836)
|
|
(This used to be commit 1b947fe0e6e16318e5a8127bb4932d6b5d20bcf6)
|
|
(This used to be commit b6f66eb5e00ed01029fa81f408d6154ab01e74e7)
|
|
in dssync tests.
(This used to be commit c7eae1c7842f9ff8b70cce9e5d6f3ebbbe78e83b)
|
|
(This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081)
|
|
(This used to be commit bad1891cae2c688b17a6a2b932e754f51291035c)
|
|
(This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede)
|
|
explicitly.
(This used to be commit 5b29ef7c03d9ae76b0ca909e9f03a58e1bad3521)
|
|
(This used to be commit 4b46888bd0195ab12190f76868719fc018baafd6)
|
|
(This used to be commit 5bd053a570ec0a783b4dcd943698263925f819f9)
|
|
(This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245)
|
|
(This used to be commit fd697d77c9fe67a00939a1f04b35c451316fff58)
|
|
(This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
|
|
number in more places.
(This used to be commit df9cebcb97e20564359097148665bd519f31bc6f)
|
|
(This used to be commit 5085c53fcfade614e83d21fc2c1a5bc43bb2a729)
|
|
(This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
|
|
(This used to be commit 08bb1ef643ab906f1645cf6f32763dc73b1884e4)
|
|
(This used to be commit 925abf74fa1ed5ae726bae8781ec549302786b39)
|
|
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
|
|
incorrect.
Andrew Bartlett
(This used to be commit 9dc6f36e43170bc5bf4f94d893b5a3689460d237)
|
|
favour of a more tasteful replacement.
Remove kerberos_verify.c, as we don't need that code any more.
Replace with code for using the new krb5_rd_req_ctx() borrowed from
Heimdal's accecpt_sec_context.c
Andrew Bartlett
(This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)
|
|
This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.
This is such a big change because Heimdal reorganised it's internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases.
In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC. This matches windows behavour. We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).
This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.
Andrew Bartlett
(This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
|
|
Break up auth/auth.h not to include the world.
Add credentials_krb5.h with the kerberos dependent prototypes.
Andrew Bartlett
(This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
|
|
Andrew Bartlett
(This used to be commit 8ae880b5019ab275fe0eca48120ab9e0fcca6293)
|
|
Andrew Bartlett
(This used to be commit 0afb4d1992b3c93557dec1e1cdca467efc299853)
|
|
client.
Andrew Bartlett
(This used to be commit ae2913898c983dcba69b5d0b89c428e450e9bf5f)
|