| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
If we create a copy of the credential state we miss updates to the
credentials.
To establish a netlogon schannel connection we create client credentials
and authenticate with them using
dcerpc_netr_ServerAuthenticate2()
For this we call netlogon_creds_client_authenticator() which increases
the sequence number and steps the credentials. Lets assume the sequence
number is 1002.
After a successful authentication we get the server credentials and we
send bind a auth request with the received creds. This sets up gensec
and the gensec schannel module created a copy of the client creds and
stores it in the schannel auth state. So the creds stored in gensec have
the sequence number 1002.
After that we continue and need the client credentials to call
dcerpc_netr_LogonGetCapabilities()
to verify the connection. So we need to increase the sequence number of
the credentials to 1004 and step the credentials to the next state. The
server always does the same and everything is just fine here.
The connection is established and we want to do another netlogon call.
So we get the creds from gensec and want to do a netlogon call e.g.
dcerpc_netr_SamLogonWithFlags.
We get the needed creds from gensec. The sequence number is 1002 and
we talk to the server. The server is already ahead cause we are already
at sequence number 1004 and the server expects it to be 1006. So the
server gives us ACCESS_DENIED cause we use a copy in gensec.
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
System MIT krb5 build also enabled by specifying --without-ad-dc
When --with-system-mitkrb5 (or --withou-ad-dc) option is passed to top level
configure in WAF build we are trying to detect and use system-wide MIT krb5
libraries. As result, Samba 4 DC functionality will be disabled due to the fact
that it is currently impossible to implement embedded KDC server with MIT krb5.
Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
* Samba 4 client libraries and their Python bindings
* Samba 3 server (smbd, nmbd, winbindd from source3/)
* Samba 3 client libraries
In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture.
This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.
|
|
We need to ifdef out some minor things here because there is no available API
to set these options in MIT.
The realm and canonicalize options should be not interesting in the client
case. Same for the send_to_kdc hacks.
Also the OLD DES3 enctype is not at all interesting. I am not aware that
Windows will ever use DES3 and no modern implementation relies on that enctype
anymore as it has been fully deprecated long ago, so we can simply ignore it.
|
|
Thanks to Wolfgang Sourdeau for reporting this.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=8946
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Fri May 18 04:50:17 CEST 2012 on sn-devel-104
|
|
metze
|
|
metze
|
|
metze
|
|
metze
|
|
Make it clearly a gensec_krb5 accessory file.
This function should never be used anywhere else.
This function was copied out from the Heimdal tree and is kept in a separate
file for clarity and to keep the original license boilerplate.
|
|
lib/replace/system/gssapi.h
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.
Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.
Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
The remaining gssapi_parse functions were used exclusively in
gensec_krb5. Move them there and make them static.
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
This is clearly a utiliy function generic to gensec. Also the 3 callers
had identical implementations. Provide a generic implementation for all
of them and avoid duplicating the code everywhere.
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
metze
|
|
the client
This is really a copy for the lifetime of the rpc connection.
metze
|
|
|
|
gensec_gssapi
Thie ensures that both code bases use the same logic to determine the use
of NEW_SPNEGO.
Andrew Bartlett
|
|
metze
|
|
metze
|
|
This makes the dependencies easier to handle.
metze
|
|
This removes the dependency to s4 specific code.
metze
|
|
metze
|
|
metze
|
|
metze
|
|
This make it clearer what type of flags these are.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This will make it easier to share elements of the GSSAPI gensec mechs,
in much the same way elements of the NTLMSSP mech are shared.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
To do this some defines need to move to common_auth.h
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
metze
|
|
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.
Thankyou Simo for the suggestion.
Andrew Bartlett
|
|
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.
Thankyou Simo for the suggestion.
Andrew Bartlett
|
|
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.
Thankyou Simo for the suggestion.
Andrew Bartlett
|
|
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 05:37:11 CET 2011 on sn-devel-104
|
|
This makes the dependencies simpler, as this code path is no longer
required. (That is, it makes no sense to have an NTLM login without
an auth context, and the gensec_gssapi and gensec_krb5 modules call
the PAC blob function below instead).
Andrew Bartlett
|
|
This demonstrates how a different function pointer can be supplied
to handle the PAC blob, without depending on the provisioned samdb etc.
Andrew Bartlett
|
|
This uses a single callback to handle the PAC from the DATA_BLOB
format until it becomes a struct auth_session_info.
This allows a seperation between the GSS acceptor code and the PAC
interpretation code based on the supplied auth context.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
|
|
|
|
This may allow Luke Howard's moonshot to work with a little less effort
at some point in the future.
Andrew Bartlett
|
|
This is important when trying to let GSSAPI search the keytab.
Andrew Bartlett
|
|
Windows-Members of NT4/Samba3 domains, send
MechTypes:
1.3.6.1.4.1.311.2.2.10 [NTLMSSP]
1.2.840.48018.1.2.2 [krb5 broken]
1.2.840.113554.1.2.2 [krb5]
MechToken for NTLMSSP.
This patch makes sure we start NTLMSSP with the given MechToken,
instead of trying to pass the NTLMSSP MechToken to the krb5 backend
first. As that would fail the authentication with an error
instead of trying fallbacks.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Nov 30 17:03:29 CET 2011 on sn-devel-104
|
|
This avoids keeping the event context around on a the gensec_security
context structure long term.
In the Samba3 server, the event context we either supply is a NULL
pointer as no server-side modules currently use the event context.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This ensures that only gensec_update() will require an event context argument
when the API is refactored.
Andrew Bartlett
|
|
This will allow us to pass this down to the tdb_wrap layer.
Andrew Bartlett
|
|
This does not change who uses gensec for now, but makes it possible to
write new gensec modules outside source4/
Andrew Bartlett
|
|
This will allow gensec_start.c to move to the top level. This does not change
what code uses the cli_credentials code, but allows the gensec code to be
more broadly.
Andrew Bartlett
|
|
This creates a samba-modules private libary that handles the details.
Andrew Bartlett
|
|
Reviewed-by: Jelmer
|
