summaryrefslogtreecommitdiff
path: root/source4/auth/gensec
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r22294: Lock the delegated credentials to being kerberos only, we just don'tAndrew Bartlett1-0/+6
have the data for anything else. Andrew Bartlett (This used to be commit 9e0c0cd0ff678388436430bb1ba4eb7595cbefbd)
2007-10-10r22293: Try to make it more clear what failed to parse.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 144ab7294d76397a5e6662d344105a0d59c9f423)
2007-10-10r22208: Print the target principal name, to help with kdc unreachable errors.Andrew Bartlett1-7/+4
Andrew Bartlett (This used to be commit bbde5b6a2f85f22110d6840857eaceb6b923c1b4)
2007-10-10r22199: fix typoStefan Metzmacher1-2/+2
metze (This used to be commit 4e8f844be939a6e11a3bece4e7e66534fce00cc0)
2007-10-10r20258: add functions to read and write asn1 encoded OID strings without ↵Stefan Metzmacher1-5/+5
leading tag metze (This used to be commit 576d4c54cca844164b90e5d6ec71fe44b59607b7)
2007-10-10r20135: attach default gensec features to the cli_credentials structure,Stefan Metzmacher1-0/+2
so make it possible to force encryption or signing. metze (This used to be commit a91dc4a02a46370c52f59cbd4dea9580fa6efafa)
2007-10-10r20108: match w2k3 and send 1.2.840.48018.1.2.2 before 1.2.840.113554.1.2.2Stefan Metzmacher1-1/+1
to work better against w2k, so we don't get redirected from 1.2.840.113554.1.2.2 to 1.2.840.48018.1.2.2 by a w2k server, causing 2 additional auth roundtrips. metze (This used to be commit fa5c942ee99d3b5779598aa75f71d0317ba3f622)
2007-10-10r20107: don't segfault when the server didn't send a supportedMech in a ↵Stefan Metzmacher1-0/+1
negTokenTarg this happens because we send 1.2.840.113554.1.2.2 before 1.2.840.48018.1.2.2 in the negTokenInit. And w2k's spnego code redirects us to use 1.2.840.48018.1.2.2 and then we start the our spnego engine with 1.2.840.48018.1.2.2 and in the then following negTokenTarg w2k don't send the supportedMech (which means it aggrees in what we've choosen) metze (This used to be commit 5af5488593991ab4a2a8e17d38501ad9ec539020)
2007-10-10r20034: Start using ldb_search_exp_fmt()Simo Sorce1-11/+3
(This used to be commit 4f07542143ddf5066f0360d965f26a8470504047)
2007-10-10r19832: better prototypes for the linearization functions:Simo Sorce1-1/+1
- ldb_dn_get_linearized returns a const string - ldb_dn_alloc_linearized allocs astring with the linearized dn (This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
2007-10-10r19831: Big ldb_dn optimization and interfaces enhancement patchSimo Sorce1-2/+2
This patch changes a lot of the code in ldb_dn.c, and also removes and add a number of manipulation functions around. The aim is to avoid validating a dn if not necessary as the validation code is necessarily slow. This is mainly to speed up internal operations where input is not user generated and so we can assume the DNs need no validation. The code is designed to keep the data as a string if possible. The code is not yet 100% perfect, but pass all the tests so far. A memleak is certainly present, I'll work on that next. Simo. (This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
2007-10-10r19676: Fix some more dependencies.Jelmer Vernooij1-1/+1
(This used to be commit 8768bec81f57131a0c9754e8121b345c0be4a5d0)
2007-10-10r19660: Forgot to tell gsskrb5 not to canonicalize hostnames. Shoudl fixAndrew Bartlett1-0/+8
valrind issues on fort, because we won't hit NSS any more. Andrew Bartlett (This used to be commit 6f67fa01ab4f946c9a9aae0d4e8d028153873e04)
2007-10-10r19650: Allow Samba to use Heimdal's SPNEGO code. Currently this can onlyAndrew Bartlett1-9/+49
negotiate krb5, but if this works, I'll add NTLM as a GSSAPI backend by some means or other. Andrew Bartlett (This used to be commit 476452e143f61a3878a3646864729daaddccdf68)
2007-10-10r19644: Merge up to current lorikeet-heimdal, incling addingAndrew Bartlett1-0/+18
gsskrb5_set_default_realm(), which should fix mimir's issues. Andrew Bartlett (This used to be commit 8117e76d2adee163925a29df872015ff5021a1d3)
2007-10-10r19635: It appears that under CFX, different keys are used in each directionAndrew Bartlett1-3/+3
(or something like that). In any case, we need to stick with the initiator subkey for now, until we figure out what Vista uses for the CIFS session key. Andrew Bartlett (This used to be commit b91a921e1393581ca0102ad1f49a1075acb91b4e)
2007-10-10r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in ↵Andrew Bartlett2-31/+44
favour of a more tasteful replacement. Remove kerberos_verify.c, as we don't need that code any more. Replace with code for using the new krb5_rd_req_ctx() borrowed from Heimdal's accecpt_sec_context.c Andrew Bartlett (This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)
2007-10-10r19629: No need to special case use of DCE_STYLE sign and seal away any more...Andrew Bartlett1-9/+0
Andrew Bartlett (This used to be commit 247b9f1ca907cf921087e6840400ddf68289b8f2)
2007-10-10r19628: This hint via Love at the IETF meeting:Andrew Bartlett1-0/+3
Larry told me that most context flags needed to be set to, otherwise it wouldn't work. This fixes DCE_STYLE against Win2k3 SP1. It seems they just tightened up their end of the GSSAPI code, as DCE_STYLE is explicity rejected in the session setup too (being the wrong layer). Andrew Bartlett (This used to be commit b2b77f34a4d0cebb828cac7bf9a73826fecab5b6)
2007-10-10r19604: This is a massive commit, and I appologise in advance for it's size.Andrew Bartlett2-91/+134
This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
2007-10-10r19598: Ahead of a merge to current lorikeet-heimdal:Andrew Bartlett12-14/+28
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10r19597: Ahead of the merge to current lorikeet-heimdal:Andrew Bartlett1-59/+67
Supply the correct OID to the error display functions. Rework the session key functions. Andrew Bartlett (This used to be commit 363628c13f4e4a8904802dcf4d80e296ed2f9e02)
2007-10-10r19595: Seperate debug messages between database failure and simple lack ofAndrew Bartlett1-2/+9
records. Andrew Bartlett (This used to be commit 163f75372792b0afa72f48d64d78d82b72d8eda5)
2007-10-10r19566: Predeclare some useful structures.Andrew Bartlett1-0/+3
(This used to be commit 160a59f0733a90db157ad48747c7fb72c2912829)
2007-10-10r19507: Merge my DSO fixes branch. Building Samba's libraries as shared ↵Jelmer Vernooij2-3/+3
libraries works again now, by specifying --enable-dso to configure. (This used to be commit 7a01235067a4800b07b8919a6a475954bfb0b04c)
2007-10-10r19489: Change ldb_msg_add_value and ldb_msg_add_empty to take a foruth ↵Simo Sorce1-4/+4
argument. This is a pointer to an element pointer. If it is not null it will be filled with the pointer of the manipulated element. Will avoid double searches on the elements list in some cases. (This used to be commit 0fa5d4bc225b83e9f63ac6d75bffc4c08eb6b620)
2007-10-10r19465: Rather than use the non-standard API for determining the signatureAndrew Bartlett1-55/+8
length, use the amount the wapped message expanded by. This works, because GSSAPI doesn't do AEAD (signing of headers), and so changing the signature length after the fact is valid. Andrew Bartlett (This used to be commit bd1e0f679c8f2b9755051b8d34114fa127a7cf26)
2007-10-10r19339: Merge my 4.0-unittest branch. This adds an API for more fine-grainedJelmer Vernooij1-1/+1
output in the testsuite rather than just True or False for a set of tests. The aim is to use this for: * known failure lists (run all tests and detect tests that started working or started failing). This would allow us to get rid of the RPC-SAMBA3-* tests * nicer torture output * simplification of the testsuite system * compatibility with other unit testing systems * easier usage of smbtorture (being able to run one test and automatically set up the environment for that) This is still a work-in-progress; expect more updates over the next couple of days. (This used to be commit 0eb6097305776325c75081356309115f445a7218)
2007-10-10r19299: Fix possible memleaksSimo Sorce1-3/+21
(This used to be commit 6fad80bb09113a60689061a2de67711c9924708b)
2007-10-10r19265: It is not an error to set the target hostname to NULL.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit c9c2e90e2e3937d05c58c681af187413b12d9220)
2007-10-10r18354: It seems safe to enable the DIGEST-MD5 module now.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 8357f8be45ef93bd1b648350c951bbe3b1bb5682)
2007-10-10r18321: fixed some warnings on AIXAndrew Tridgell1-1/+1
(This used to be commit 449fab2c264aa50601f9a2d3310f1910ba97706b)
2007-10-10r18301: I discovered how to load the warnings from a build farm build intoAndrew Tridgell2-3/+3
emacs compile mode (hint, paste to a file, and compile as "cat filename"). This allowed me to fix nearly all the warnings for a IA_64 SuSE build very quickly. (This used to be commit eba6c84efff735bb0ca941ac4b755ce2b0591667)
2007-10-10r18295: pass write type for packet_sizeAndrew Tridgell1-1/+1
this fixes a crash on IA_64 systems (This used to be commit 22c39027621fb65663122b4959b171d328b549d4)
2007-10-10r18257: Order the GENSEC modules, with unknown modules last.Andrew Bartlett7-17/+19
Andrew Bartlett (This used to be commit 8ae880b5019ab275fe0eca48120ab9e0fcca6293)
2007-10-10r18255: Remove the SMB_ASSERT(), as these are not talloc()'ed structures.Andrew Bartlett1-3/+0
Andrew Bartlett (This used to be commit 73fba185eba6b059d34790c95a30d49b296759f5)
2007-10-10r18253: Turn Cyrus-SASL DIGEST-MD5 off by default for now.Andrew Bartlett2-1/+10
Andrew Bartlett (This used to be commit 2da948cb6ecc75e2b4b97c770c8ba13b7f831d6e)
2007-10-10r18250: Add an ordering of GENSEC modules, so we do preferred modules first.Andrew Bartlett5-4/+20
Andrew Bartlett (This used to be commit 0afb4d1992b3c93557dec1e1cdca467efc299853)
2007-10-10r18249: Keep trying to start an GENSEC mech from the list until one actuallyAndrew Bartlett1-2/+8
starts. Andrew Bartlett (This used to be commit 7dba525f5598199e89badbf15e0f5f09023c6cfa)
2007-10-10r18242: The cyrus-sasl encode/decode routines process the entire input.Andrew Bartlett1-0/+2
Andrew Bartlett (This used to be commit 32d8a23d5499ef3d913240b5693b54eb2e78cd7d)
2007-10-10r18198: Fix callbacks to use allocated or constant memory, not the stack.Andrew Bartlett1-16/+22
These values are used by SASL at a later time, and must remain valid. Make the password callback actually return the password. Andrew Bartlett (This used to be commit 8e12f92bbe3aa878292169f4699502e241ef6c0b)
2007-10-10r18155: Add my work in progress, a module to link with Cyrus-SASL, for aAndrew Bartlett3-2/+425
DIGEST-MD5 implemenation in particular. However, I can't make this work: Cyrus-SASL isn't loading the mech... Andrew Bartlett (This used to be commit 0b193d28c896c9d212a536da7d87634543d971a5)
2007-10-10r18068: This splits the handling of multiple SASL packets between the GENSECAndrew Bartlett5-61/+239
backend (if it chooses to implement it), or the GENSEC socket code. This is to allow us to handle DIGEST-MD5 across to cyrus-sasl. Andrew Bartlett (This used to be commit 0a098006b431f4aa48632a27ca08e9adca8d9609)
2007-10-10r17516: Change helper function names to make more clear what they are meant ↵Simo Sorce1-5/+5
to do (This used to be commit ad75cf869550af66119d0293503024d41d834e02)
2007-10-10r17344: move the gensec_update_request structure into the header fileStefan Metzmacher2-12/+12
and add a private_data for the backends. metze (This used to be commit 015a65e00187e684b3e4d1f4ca07edb9f022f61b)
2007-10-10r17341: pass a messaging context to auth_context_create()Stefan Metzmacher2-6/+32
and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
2007-10-10r17332: May as well make this a round numberAndrew Bartlett1-1/+1
(This used to be commit a2d614147663c4f9b80d6e383819e92ca45e013b)
2007-10-10r17272: move the callback stuff into a substructureStefan Metzmacher1-8/+10
metze (This used to be commit c49e27d5d0289e3525f7f6197b031e7d300df81b)
2007-10-10r17267: - add an async interface for gensec_update() to the public gensec apiStefan Metzmacher2-0/+78
- note this is still uses the sync update() hook of the gensec modules but it allows me to fix the callers first Later auth_check_password() will also get an async version, so that we can later implement an async version of auth_winbind using async IRPC to the winbind task. metze (This used to be commit d5638a4fafd1d60ccc4cd76e92a1b2b0093865a7)
2007-10-10r17223: In some protocols it is not possible to negoitate off some features,Andrew Bartlett1-5/+3
without the agreement of the peer. This can cause problems, because one side things sealing is disabled, while the other thinks it is enabled. Andrew Bartlett (This used to be commit 68ddc4921f43252b3fba73e9d85cc38c359d599d)