summaryrefslogtreecommitdiff
path: root/source4/auth/gensec
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r9084: 'resign' the sample PAC for the validation of the signature algorithms.Andrew Bartlett2-6/+6
If we ever get problems with the kerberos code, it should show up as a different signature in this PAC. This involved returning more data from the pac functions, so changed some callers and split up some functions. Andrew Bartlett (This used to be commit d514a7491208afa0533bf9e99601147eb69e08c9)
2007-10-10r8774: make some gensec errors a bit less verboseAndrew Tridgell2-3/+3
(This used to be commit 2134ca475586ed9e062fbf4ef7222fe286c60c57)
2007-10-10r8644: This is a more useful error than unsuccesful.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit d7136c93fb7ddf27d914329a7c9fd77de22d4356)
2007-10-10r8520: fixed a pile of warnings from the build farm gcc -Wall output onAndrew Tridgell2-2/+4
S390. This is an attempt to avoid the panic we're seeing in the automatic builds. The main fixes are: - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats - use of NULL format statements to perform dn searches. - assumption that sizeof() returns an int (This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
2007-10-10r8321: Fix some uninitalized variable warningsVolker Lendecke1-1/+1
(This used to be commit 126cb3db4b0cf9c382ba7496ba08311f3b669f00)
2007-10-10r8250: More PAC work. We now sucessfully verify the KDC signature from my DCAndrew Bartlett2-4/+20
(I have included the krbtgt key from my test network). It turns out the krbtgt signature is over the 16 (or whatever, enc-type dependent) bytes of the signature, not the entire structure. Also do not even try to use Kerberos or GSSAPI on an IP address, it will only fail. Andrew Bartlett (This used to be commit 3b9558e82fdebb58f240d43f6a594d676eb04daf)
2007-10-10r8016: Get the keyblock arguments correct. (the context struct changed, butAndrew Bartlett1-2/+2
I forgot to update the users) Andrew Bartlett (This used to be commit 44b86b7e6570e31ab07ce12593fb8834325c52c8)
2007-10-10r7993: Further work on the Krb5 PAC.Andrew Bartlett2-5/+5
We now generate the PAC, and can verifiy both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, spits out the code to get the information we need from the NETLOGON server back into a auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be veified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
2007-10-10r7986: Fix the compile, thanks to HotaruT.Andrew Bartlett1-1/+1
This won't actually work until I get the keyblock filled in again, but at least it will compile. I first need to decide if we want to keep the server-side gensec_krb5 code at all, now we have the GSSAPI layer doing what we want. Andrew Bartlett (This used to be commit 28e49de9293002ee89f0666144c9028daefdde88)
2007-10-10r7978: A start again on PAC verification. I have noticed that the kerberosAndrew Bartlett1-2/+8
keys appear at the end of the PAC, which I feel is deliberate (it makes this much easier). I still can't make it work, but I'm sure we are closer. Andrew Bartlett (This used to be commit 6f0e1c80ae7b1e31e7a3fbff84f07442ee5a31cf)
2007-10-10r7968: Pull the PAC from within GSSAPI, rather than only when using our ownAndrew Bartlett2-201/+63
'mock GSSAPI'. Many thanks to Luke Howard for the work he has done on Heimdal for XAD, to provide the right API hooks in GSSAPI. Next step is to verify the signatures, and to build the PAC for the KDC end. Andrew Bartlett (This used to be commit 2e82743c98e563e97c5a215d09efa0121854d0f7)
2007-10-10r7965: Remove the GENSEC password callback structure members, as these are noAndrew Bartlett2-5/+0
longer used. Andrew Bartlett (This used to be commit 14be7d95694dd7557af67dc94ee83a983d2f05f6)
2007-10-10r7843: Use the new Heimdal gsskrb_acquire_creds API. This has the rightAndrew Bartlett1-31/+25
lifetime constraints, and works with the in-memory keytab. Move initialize_krb5_error_table() into our kerberos startup code, rather than in the GSSAPI code explitly. (Hmm, we probably don't need this at all..) Andrew Bartlett (This used to be commit bedf92da5c81066405c87c9e588842d3ca5ba945)
2007-10-10r7827: Add in-memory keytab to Samba4, using the new MEMORY_WILDCARD keytabAndrew Bartlett4-14/+98
support in Heimdal. This removes the 'ext_keytab' step from my Samba4/WinXP client howto. In doing this work, I realised that the replay cache in Heimdal is currently a no-op, so I have removed the calls to it, and therefore the mutex calls from passdb/secrets.c. This patch also includes a replacement 'magic' mechanism detection, that does not issue extra error messages from deep inside the GSSAPI code. Andrew Bartlett (This used to be commit c19d5706f4fa760415b727b970bc99e7f1abd064)
2007-10-10r7633: this patch started as an attempt to make the dcerpc code use a givenAndrew Tridgell2-11/+27
event_context for the socket_connect() call, so that when things that use dcerpc are running alongside anything else it doesn't block the whole process during a connect. Then of course I needed to change any code that created a dcerpc connection (such as the auth code) to also take an event context, and anything that called that and so on .... thus the size of the patch. There were 3 places where I punted: - abartlet wanted me to add a gensec_set_event_context() call instead of adding it to the gensec init calls. Andrew, my apologies for not doing this. I didn't do it as adding a new parameter allowed me to catch all the callers with the compiler. Now that its done, we could go back and use gensec_set_event_context() - the ejs code calls auth initialisation, which means it should pass in the event context from the web server. I punted on that. Needs fixing. - I used a NULL event context in dcom_get_pipe(). This is equivalent to what we did already, but should be fixed to use a callers event context. Jelmer, can you think of a clean way to do that? I also cleaned up a couple of things: - libnet_context_destroy() makes no sense. I removed it. - removed some unused vars in various places (This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
2007-10-10r7352: the internal heimdal build change. This changes quite a few things:Andrew Tridgell2-4/+3
- if you want kerberos now, you need to unpack a lorikeet heimdal tree in source/heimdal/. If source/heimdal/ does not exist at configure time then all kerberos features are disabled. You cannot use an external kerberos library for now. That may change later. - moved lib/replace/ config stuff to lib/replace/ and create a lib/replace/replace.h. That allows the heimdal build to use our portability layer, and prevenets duplicate definitions of functions like strlcat() - if you do enable heimdal, then you will need to do 'make HEIMDAL_EXTERNAL' before you build Samba. That should be fixed once I explain the problem to jelmer (the problem is the inability to set a depend without also dragging in the object list of the dependency. We need this for building the heimdal asn1 compiler and et compiler. - disabled all of the m4 checks for external kerberos libraries. I left them in place in auth/kerberos/, but disabled it in configure.in some of the heimdal_build/ code is still very rough, for example I don't correctly detect the correct awk, flex, bison replacements for heimdal_build/build_external.sh. I expect to fix that stuff up over the next few days. (This used to be commit d4648249b2c7fc8b5e7c0fc8d8f92ae043b5691f)
2007-10-10r7270: A big revamp to the way we handle kerberos errors in Samba4. We nowAndrew Bartlett2-72/+35
fill in the function pointers to handle the logging, and catch all the kerberos warnings. (Currently at level 3). To avoid a memory leak, this requries a new function: krb5_freelog(), which I've added to lorikeet/heimdal. This also required a revamp to how we handle the krb5_context, so as to make it easier to handle with talloc destructors. Andrew Bartlett (This used to be commit 63272794c41231b335b73e7ccf349282f295c4d2)
2007-10-10r7240: Don't call our fancy error message routines on a null context.Andrew Bartlett1-2/+1
Andrew Bartlett (This used to be commit 35877387c8e345d30d7598d1a139067a26cc1f7f)
2007-10-10r7218: Don't use an uninitialised variable in an error message.Andrew Bartlett1-2/+1
Andrew Bartlett (This used to be commit 1f68cf7d0eb5de18da7f9d14c729caf314740601)
2007-10-10r6882: Put in configure tests and #ifdef to keep Samba building on older ↵Andrew Bartlett1-0/+2
Heimdal. Andrew Bartlett (This used to be commit f2e926192595c74bd9cc8a3343e0fcf27a1de38b)
2007-10-10r6838: Remove unnecessary calls to gensec_gsskrb5Jelmer Vernooij1-4/+0
Make the build system give a proper warning about this in the future (This used to be commit 2d980465af87d25ce17b8340c6b5f662ef29edd3)
2007-10-10r6810: Rename auth/{ntlmssp,gensec,kerberos} mk and m4 files to be calledTim Potter2-0/+4
config.mk and config.m4 to be consistent with the rest of Samba. (This used to be commit f377c71e4f0d60684326906dfb65e4581294ec34)
2007-10-10r6805: Remove two remaining references to gensec_gsskrb5Jelmer Vernooij1-4/+0
(This used to be commit a02e07739781eb00b521d050ab06d6b0aedf47bc)
2007-10-10r6803: Try to bring in the correct GSSAPI headers for the krb5 mech. ThisAndrew Bartlett2-31/+10
should allow us to ditch the local static storage for OIDs, as well as fix the build on non-heimdal platforms. Andrew Bartlett (This used to be commit a7e2ecfac9aaacd673e3583b62139e4f4e114429)
2007-10-10r6800: A big GENSEC update:Andrew Bartlett5-330/+420
Finally remove the distinction between 'krb5' and 'ms_krb5'. We now don't do kerberos stuff twice on failure. The solution to this is slightly more general than perhaps was really required (as this is a special case), but it works, and I'm happy with the cleanup I achived in the process. All modules have been updated to supply a NULL-terminated list of OIDs. In that process, SPNEGO code has been generalised, as I realised that two of the functions should have been identical in behaviour. Over in the actual modules, I have worked to remove the 'kinit' code from gensec_krb5, and placed it in kerberos/kerberos_util.c. The GSSAPI module has been extended to use this, so no longer requires a manual kinit at the command line. It will soon loose the requirement for a on-disk keytab too. The general kerberos code has also been updated to move from error_message() to our routine which gets the Heimdal error string (which may be much more useful) when available. Andrew Bartlett (This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)
2007-10-10r6796: Remove the gensec_gsskrb5 module, which had had all of it's specialAndrew Bartlett2-594/+0
features merged back into gensec_gssapi. (Removed because I've made some API changes, and it isn't worth 'fixing' the rudundent code to cope with changes) Andrew Bartlett (This used to be commit e8cf3d58ec956e41fc8d3e38363db3d5d838fe1d)
2007-10-10r6792: Allow a mech to fail on the first pass at the packet, and still fallAndrew Bartlett1-0/+2
back to the other options. Andrew Bartlett (This used to be commit 9153d7306124d5e4ffc0467728210e2e2235059f)
2007-10-10r6767: Fix compiler warning.Tim Potter1-0/+1
(This used to be commit 45a0692be10a03032f9a4e26da3de08696c03464)
2007-10-10r6740: make gensec_gssapi.c compile againAndrew Tridgell1-1/+1
(This used to be commit 6d15e9511115cc30ee213ec91320a2dccde15b8f)
2007-10-10r6737: Explain these error returns a bit better.Andrew Bartlett1-2/+5
Andrew Bartlett (This used to be commit 77d054c65aeecfc0d1156d750f7b8025cb154d3a)
2007-10-10r6733: GSS_C_DCE_STYLE is not available for most buildsStefan Metzmacher1-0/+5
metze (This used to be commit 3536029e8fb1da1ca689e0b7aa1f3edfb7967790)
2007-10-10r6730: register gensec_krb5 also with the drcrpc auth typeStefan Metzmacher1-0/+1
metze (This used to be commit 491d7804f5f5bdfb43ae09b81c2cbc34fab2246d)
2007-10-10r6729: Fix silly copy-paste bug spotted by metze.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 400899995b2c2ed54a114f8f55e5fb36592298b9)
2007-10-10r6728: Microsoft relies very strongly on getting the OIDs it expects, so weAndrew Bartlett1-1/+31
must register the 'MS' OID for the domain join to progress. Andrew Bartlett (This used to be commit c8fbda6bfd96d5d57cd52bc15d8695547effe2e3)
2007-10-10r6727: One more step down the long march to the 'Kerberos domain join'.Andrew Bartlett2-8/+347
This patch allows a suitably patched Heimdal GSSAPI library (detected in configure) to supply to us the session keys, and further compleats the gensec_gssapi module. This is tested for CIFS, but fails for LDAP at this point (that is what I'll work on next). We currently fill out the 'session info' from the SAM, like gensec_krb5 does, but both will need to use the PAC extraction functions in the near future. Andrew Bartlett (This used to be commit 937ee361615a487af9e0279145e75b6c27720a6b)
2007-10-10r6705: let the gensec module decide if messages can be signed and sealed in ↵Stefan Metzmacher1-0/+1
a different order than a strict request - reply sequence Note: we should also fix the client code... metze (This used to be commit 0a61d1f65150546f7a7582512ca010d156f963bf)
2007-10-10r6704: fix compiler warningStefan Metzmacher1-1/+1
metze (This used to be commit 9d86314c44ae8e1ec21653b21cc267bfac573445)
2007-10-10r6700: Upper case realms in kerberos-specific parts of the code, as this isAndrew Bartlett1-1/+6
no longer done globally. This keeps MIT client libraries happy, because otherwise the windows KDC will return a different case to what was requested. Andrew Bartlett (This used to be commit 9098b9321f938473c367f906cfe2f001ca1d8e6a)
2007-10-10r6620: the type 23 schannel bind uses a workstation name, not an account nameAndrew Tridgell1-3/+6
(This used to be commit 250f1f69dd719a7981ec4c1698942b31826888d2)
2007-10-10r6610: Fix a const warning in the gensec spnego implementation. (A make protoTim Potter2-2/+2
is required after updating to this version). (This used to be commit 258d03ef9248b2827db18269e4f0883c73839084)
2007-10-10r6458: Split up NTLMSSP into a new directory, and into seperate files for theAndrew Bartlett5-2710/+1
client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2007-10-10r6455: Remove wrapper functions, and ntlmssp_end (which is well handed by ↵Andrew Bartlett1-41/+5
talloc() now). Andrew Bartlett (This used to be commit fc3e3653ebc3accf94f9264d2bbfe1cb71b017d0)
2007-10-10r6454: Start to migrate NTLMSSP away from it's own API to just use GENSEC.Andrew Bartlett9-569/+492
The aim here is to remove the extra layer of abstraction, and to then use the credentials code directly in the NTLMSSP layer. Andrew Bartlett (This used to be commit b14c530dfd3e56975dea7e30aa8d62d4f2827700)
2007-10-10r6453: Move verbose errors for the schannel 'not in the DB, or DB corrupt' ↵Andrew Bartlett1-2/+4
error cases. Andrew Bartlett (This used to be commit 24f98f32aae3b8c45283715b27fa67b1d2e5c0f2)
2007-10-10r6340: - added an easy to use function to initialise a temporary ldb with ↵Andrew Tridgell1-0/+11
some ldif - init the schannel.ldb with some CASE_INSENSITIVE attributes (This used to be commit e6376b24303dc513e15c7e640c8c1c8d8ca11091)
2007-10-10r6322: Fix compile warning for struct sockaddr.Tim Potter1-0/+1
(This used to be commit 9c45f8d7bc21a4426091ea03f9f0681d7dad3edd)
2007-10-10r6128: fix the buildStefan Metzmacher1-2/+2
metze (This used to be commit 80593150341852af0816e69bd653c93228862e9b)
2007-10-10r6113: Move GENSEC and the kerberos code out of libcli/auth, and intoAndrew Bartlett19-0/+7512
auth/gensec and auth/kerberos. This also pulls the kerberos configure code out of libads (which is otherwise dead), and into auth/kerberos/kerberos.m4 Andrew Bartlett (This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)