summaryrefslogtreecommitdiff
path: root/source4/auth/gensec/schannel.c
AgeCommit message (Collapse)AuthorFilesLines
2012-07-17s4-auth: Make sure we use the correct credential state.Andreas Schneider1-1/+6
If we create a copy of the credential state we miss updates to the credentials. To establish a netlogon schannel connection we create client credentials and authenticate with them using dcerpc_netr_ServerAuthenticate2() For this we call netlogon_creds_client_authenticator() which increases the sequence number and steps the credentials. Lets assume the sequence number is 1002. After a successful authentication we get the server credentials and we send bind a auth request with the received creds. This sets up gensec and the gensec schannel module created a copy of the client creds and stores it in the schannel auth state. So the creds stored in gensec have the sequence number 1002. After that we continue and need the client credentials to call dcerpc_netr_LogonGetCapabilities() to verify the connection. So we need to increase the sequence number of the credentials to 1004 and step the credentials to the next state. The server always does the same and everything is just fine here. The connection is established and we want to do another netlogon call. So we get the creds from gensec and want to do a netlogon call e.g. dcerpc_netr_SamLogonWithFlags. We get the needed creds from gensec. The sequence number is 1002 and we talk to the server. The server is already ahead cause we are already at sequence number 1004 and the server expects it to be 1006. So the server gives us ACCESS_DENIED cause we use a copy in gensec. Signed-off-by: Günther Deschner <gd@samba.org>
2012-03-02s4:auth/gensec/schannel: initialize struct schannel_state to zeroStefan Metzmacher1-2/+1
metze
2012-03-02s4:auth/gensec/schannel: make a copy of netlogon_creds_CredentialState in ↵Stefan Metzmacher1-1/+8
the client This is really a copy for the lifetime of the rpc connection. metze
2011-10-18gensec: move event context from gensec_*_init() to gensec_update()Andrew Bartlett1-1/+2
This avoids keeping the event context around on a the gensec_security context structure long term. In the Samba3 server, the event context we either supply is a NULL pointer as no server-side modules currently use the event context. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-13libcli/auth: Provide a struct loadparm_context to schannel callsAndrew Bartlett1-1/+1
This will allow us to pass this down to the tdb_wrap layer. Andrew Bartlett
2011-10-11auth: move gensec_start.c to the top levelAndrew Bartlett1-0/+1
This does not change who uses gensec for now, but makes it possible to write new gensec modules outside source4/ Andrew Bartlett
2011-09-19s4:auth - remove unused variablesMatthias Dieter Wallnöfer1-1/+0
Reviewed-by: Jelmer
2011-08-03s3-ntlmssp Add hooks to optionally call into GENSEC in auth_ntlmsspAndrew Bartlett1-0/+1
This allows the current behaviour of the NTLMSSP code to be unchanged while adding a way to hook in an alternate implementation via an auth module. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03gensec: clarify memory ownership for gensec_session_info() and ↵Andrew Bartlett1-3/+5
gensec_session_key() This is slightly less efficient, because we no longer keep a cache on the gensec structures, but much clearer in terms of memory ownership. Both gensec_session_info() and gensec_session_key() now take a mem_ctx and put the result only on that context. Some duplication of memory in the callers (who were rightly uncertain about who was the rightful owner of the returned memory) has been removed to compensate for the internal copy. Andrew Bartlett
2011-08-03gensec: Remove mem_ctx from calls that do not return memoryAndrew Bartlett1-4/+2
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-03-19source4/auth/gensec: Fix prototypes for all functions.Jelmer Vernooij1-0/+2
2011-01-03s4:gensec/schannel: use netsec_outgoing_sig_size() to get the signature sizeStefan Metzmacher1-1/+6
metze
2010-09-26s4:schannel: handle move flag combinations in the serverStefan Metzmacher1-13/+23
This fixes some testsuites in the CIFS plugfest. metze
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell1-3/+3
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-05-18Finish removal of iconv_convenience in public API's.Jelmer Vernooij1-8/+3
2010-04-11s4:auth Remove event context from anonymous_session()Andrew Bartlett1-1/+1
This should always return a simple structure with no need to consult a DB, so remove the event context, and simplfy to call helper functions that don't look at privilages. Andrew Bartlett
2010-02-23s4:schannel merge code with s3Simo Sorce1-11/+4
After looking at the s4 side of the (s)channel :) I found out that it makes more sense to simply make it use the tdb based code than redo the same changes done to s3 to simplify the interface. Ldb is slow, to the point it needs haks to pre-open the db to speed it up, yet that does not solve the lookup speed, with ldb it is always going to be slower. Looking through the history it is evident that the schannel database doesn't really need greate expanadability. And lookups are always done with a single Key. This seem a perfet fit for tdb while ldb looks unnecessarily complicated. The schannel database is not really a persistent one. It can be discared during an upgrade without causing any real issue. all it contains is temproary session data.
2009-10-24s4:gensec/schannel: remove unused talloc_reference() in schannel_update()Stefan Metzmacher1-1/+1
We never expose creds to the caller in schannel_update(). metze
2009-10-23s4-ldbwrap: added re-use of ldb contexts in ldb_wrap_connect()Andrew Tridgell1-1/+1
This allows us to reuse a ldb context if it is open twice, instead of going through the expensive process of a full ldb open. We can reuse it if all of the parameters are the same. The change relies on callers using talloc_unlink() or free of a parent to close a ldb context.
2009-10-20s4: ran minimal_includes.pl on source4/auth/gensecAndrew Tridgell1-1/+0
2009-09-25s4:auth/gensec/schannel - fix a const warningMatthias Dieter Wallnöfer1-1/+2
2009-09-25s4:schannel: fix some compiler warningsStefan Metzmacher1-2/+4
If we only do signing we can pass down a const data buffer. metze
2009-09-16libcli/auth: rewrite schannel sign/seal code to be more genericStefan Metzmacher1-33/+56
This prepares support for HMAC-SHA256/AES. metze
2009-09-16schannel: move schannel_sign to main directory.Günther Deschner1-1/+2
Guenther
2009-09-16s4-schannel: first step of decoupling schannel from gensec.Günther Deschner1-4/+47
Guenther
2009-09-13s4-schannel: use NL_AUTH_MESSAGE for schannel.Günther Deschner1-23/+35
Guenther
2009-09-13s4-schannel: strip trailing whitespace.Günther Deschner1-26/+26
Guenther
2009-08-27s4-schannel: add ldb suffix to schannel functions.Günther Deschner1-2/+2
Guenther
2009-04-14Rework to use new API for common netlogon credential chainingAndrew Bartlett1-1/+1
2009-04-14Rework Samba4 to use the new common libcli/auth codeAndrew Bartlett1-9/+20
In particular, this is the rename from creds_ to netlogon_creds_, as well as other links to use the new common crypto. Andrew Bartlett
2008-11-02Add gensec_settings structure. This wraps loadparm_context for now, butJelmer Vernooij1-5/+5
should in the future only contain some settings required for gensec.
2008-04-17Specify event_context to ldb_wrap_connect explicitly.Jelmer Vernooij1-2/+3
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
2008-04-02Install public header files again and include required prototypes.Jelmer Vernooij1-0/+2
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-02-20Make more module init functions public, since they are compiled with ↵Jelmer Vernooij1-1/+1
-fvisibility=hidden. Not doing this causes failures on Mac OS X. (This used to be commit da1a9438bd89569077ef1eaa9dc977b5f9d62836)
2008-01-01r26639: librpc: Pass iconv convenience on from RPC connection to NDR ↵Jelmer Vernooij1-2/+4
library, so it can be overridden by OpenChange. (This used to be commit 2f29f80e07adef1f020173f2cd6d947d0ef505ce)
2008-01-01r26638: libndr: Require explicitly specifying iconv_convenience for ↵Jelmer Vernooij1-2/+4
ndr_struct_push_blob(). (This used to be commit 61ad78ac98937ef7a9aa32075a91a1c95b7606b3)
2007-12-21r26260: Store loadparm context in gensec context.Jelmer Vernooij1-4/+3
(This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081)
2007-12-21r26258: Use loadparm context in client_start function of gensec.Jelmer Vernooij1-1/+2
(This used to be commit bad1891cae2c688b17a6a2b932e754f51291035c)
2007-12-21r26250: Avoid global_loadparm in a couple more places.Jelmer Vernooij1-1/+1
(This used to be commit 2c6b755309fdf685cd0b0564272bf83038574a43)
2007-12-21r26234: More global_loadparm fixes.Jelmer Vernooij1-1/+2
(This used to be commit 84892d030de6266fc0f3a699cade960dd5dc37bc)
2007-12-21r25920: ndr: change NTSTAUS into enum ndr_err_code (samba4 callers)Stefan Metzmacher1-9/+13
lib/messaging/ lib/registry/ lib/ldb-samba/ librpc/rpc/ auth/auth_winbind.c auth/gensec/ auth/kerberos/ dsdb/repl/ dsdb/samdb/ dsdb/schema/ torture/ cluster/ctdb/ kdc/ ntvfs/ipc/ torture/rap/ ntvfs/ utils/getntacl.c ntptr/ smb_server/ libcli/wrepl/ wrepl_server/ libcli/cldap/ libcli/dgram/ libcli/ldap/ libcli/raw/ libcli/nbt/ libnet/ winbind/ rpc_server/ metze (This used to be commit 6223c7fddc972687eb577e04fc1c8e0604c35435)
2007-10-10r25552: Convert to standard bool type.Jelmer Vernooij1-8/+8
(This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245)
2007-10-10r25000: Fix some more C++ compatibility warnings.Jelmer Vernooij1-3/+3
(This used to be commit 08bb1ef643ab906f1645cf6f32763dc73b1884e4)
2007-10-10r24504: Try to return more useful error information on why a bind failed.Andrew Bartlett1-0/+5
Note that the correct return for a failed alter_context is a fault, not a bind_nak. Andrew Bartlett (This used to be commit 52cce94532edf1dd7f26e39bf3377f0077ea6792)
2007-10-10r23792: convert Samba4 to GPLv3Andrew Tridgell1-3/+2
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10r19598: Ahead of a merge to current lorikeet-heimdal:Andrew Bartlett1-0/+2
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10r18257: Order the GENSEC modules, with unknown modules last.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 8ae880b5019ab275fe0eca48120ab9e0fcca6293)
2007-10-10r18250: Add an ordering of GENSEC modules, so we do preferred modules first.Andrew Bartlett1-1/+2
Andrew Bartlett (This used to be commit 0afb4d1992b3c93557dec1e1cdca467efc299853)
2007-10-10r14542: Remove librpc, libndr and libnbt from includes.hJelmer Vernooij1-0/+1
(This used to be commit 51b4270513752d2eafbe77f9de598de16ef84a1f)
2007-10-10r14071: fix the buildStefan Metzmacher1-1/+2
metze (This used to be commit af63ed9eb3a5af3e4eeb84c66397255ea90ea764)