summaryrefslogtreecommitdiff
path: root/source4/auth/gensec
AgeCommit message (Collapse)AuthorFilesLines
2010-10-11s4-credentials Add explicit event context handling to Kerberos calls (only)Andrew Bartlett2-16/+32
By setting the event context to use for this operation (only) onto the krb5_context just before we call that operation, we can try and emulate the specification of an event context to the actual send_to_kdc() This eliminates the specification of an event context to many other cli_credentials calls, and the last use of event_context_find() Special care is taken to restore the event context in the event of nesting in the send_to_kdc function. Andrew Bartlett
2010-10-11credentials: Split up into several subsystems.Jelmer Vernooij1-3/+3
2010-10-10gensec: Support building without any linked-in modules.Jelmer Vernooij1-0/+4
2010-10-05Add missing dependencies for com_err.Jelmer Vernooij1-0/+1
2010-10-05heimdal: Fix library name of gssapi.Jelmer Vernooij1-1/+1
2010-10-02s4-gensec Always honour the set server principalAndrew Bartlett1-1/+1
The spengo code won't set this unless it is allowed to by this same option, but other callers may need it. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sat Oct 2 02:27:39 UTC 2010 on sn-devel-104
2010-09-28s4:gensec_tstream: remove plain socket handlingStefan Metzmacher1-124/+12
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Sep 28 04:54:24 UTC 2010 on sn-devel-104
2010-09-28s4:gensec: add gensec_create_tstream()Stefan Metzmacher3-1/+764
Based on the initial patch from Andreas Schneider <asn@redhat.com>. metze
2010-09-26s4-gensec: fixed a valgrind error in gensecAndrew Tridgell1-12/+2
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-26s4:schannel: handle move flag combinations in the serverStefan Metzmacher1-13/+23
This fixes some testsuites in the CIFS plugfest. metze
2010-09-23s4-gensec: fixed a client side bug in GENSEC/SASL/SSF negotiationAndrew Tridgell1-7/+10
this is the client side equivalent change for the previous fix Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-23s4-gensec: prevent a double free in the error path of GSSAPI authAndrew Tridgell1-1/+0
the caller frees mem_ctx, so we shouldn't Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-23s4-gensec: fixed a GSSAPI SASL negotiation bugAndrew Tridgell1-11/+14
Fixed a bug that affected mismatched negotiation between the GSSAPI layer and the SASL SSF subsequent negotiation. This caused some ldap clients to hang when trying to authentication with a Samba LDAP server. The client thought the connection should be signed, the server thought it should be in plain text Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-22s4-param: Fix more memory leaks, invalid memory context.Jelmer Vernooij1-1/+1
2010-09-22s4-param: Check type when converting python object to lp_ctx, fix someJelmer Vernooij1-0/+18
memory leaks.
2010-09-22pygensec: Implement start_mech_by_name().Jelmer Vernooij2-8/+30
2010-09-21s4-selftest: Move more tests to scripting/python, simplifies running of tests.Jelmer Vernooij1-39/+0
2010-09-14s4: Fix two typosVolker Lendecke1-2/+2
2010-09-11s4:gensec Put the "NTLM" string for NTLMSSP's SASL name in a headerAndrew Bartlett1-0/+2
2010-08-09s4-build: use @PACKAGE_VERSION@ in s4 pc.in filesAndrew Tridgell1-1/+1
this gets replaced by vnum from the build rule
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell5-12/+12
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-24s4:auth/gensec/gensec_gssapi.c - reorder constructorMatthias Dieter Wallnöfer1-30/+38
To have the same order as in the structure definition.
2010-06-24s4-python: python is not always in /usr/binAndrew Tridgell1-1/+1
Using "#!/usr/bin/env python" is more portable. It still isn't ideal though, as we should really use the python path found at configure time. We do that in many places already, but some don't. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-19python: Use samba.tests.TestCase, make sure base class tearDown andJelmer Vernooij1-4/+4
setUp methods are called, fix formatting.
2010-06-15ldb: Only build standard ldb modules when building bundled ldb.Jelmer Vernooij1-1/+1
2010-06-13s4-test: Use smb.conf path set in environment rather than usingJelmer Vernooij1-2/+2
command-line options. This is the first step towards supporting custom test runners.
2010-05-21s4:auth Remove un-needed headers.Andrew Bartlett1-1/+0
2010-05-20s4:auth Change auth_generate_session_info to take flagsAndrew Bartlett1-1/+7
This allows us to control what groups should be added in what use cases, and in particular to more carefully control the introduction of the 'authenticated' group. In particular, in the 'service_named_pipe' protocol, we do not have control over the addition of the authenticated users group, so we key of 'is this user the anonymous SID'. This also takes more care to allocate the right length ptoken->sids Andrew Bartlett
2010-05-20s4:auth Allow the operational module to get a user's tokenGroups from authAndrew Bartlett2-1/+2
This creates a new interface to the auth subsystem, to allow an auth_context to be created from the ldb, and then tokenGroups to be calculated in the same way that the auth subsystem would. Andrew Bartlett
2010-05-18Finish removal of iconv_convenience in public API's.Jelmer Vernooij5-12/+3
2010-05-14s4:gensec expose gensec_set_target_principal for use outside GENSECAndrew Bartlett4-3/+8
This allows for the rare case where the caller knows the target principal. The check for lp_client_use_spnego_principal() is moved to the spengo code to make this work. Andrew Bartlett
2010-05-02s4:credentials Make the CCACHE in credentials depend on the things that built itAndrew Bartlett2-1/+12
This means that we consider the ccache only as reliable as the least specified of the inputs we used. This means that we will regenerate the ccache if any of the inputs change. Andrew Bartlett
2010-04-27s4:gensec Use a different form of 'name' in GSSAPI import_name()Andrew Bartlett1-3/+3
The idea here is to make it not dependent on the system's default realm. Andrew Bartlett
2010-04-14s4:auth Change auth_generate_session_info to take an auth contextAndrew Bartlett4-4/+24
The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and and loadparm context for calculating the local groups too, so re-use that infrustructure we already have in place. However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and an generate_session_info() function pointer in the struct auth_context. In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply . Andrew Bartlett
2010-04-11s4:auth Remove event context from anonymous_session()Andrew Bartlett1-1/+1
This should always return a simple structure with no need to consult a DB, so remove the event context, and simplfy to call helper functions that don't look at privilages. Andrew Bartlett
2010-04-08pynet: Create a net class.Jelmer Vernooij1-1/+1
2010-04-06s4-waf: mark the wscript files as python so vim/emacs knows how to highlight ↵Andrew Tridgell1-0/+2
them
2010-04-06s4-waf: enable the pc_files in the build rulesAndrew Tridgell1-1/+1
2010-04-06build: fixed the build without sasl librariesAndrew Tridgell1-1/+2
We need to only enable the cyrus_sasl module if we have sasl/sasl.h
2010-04-06build: waf quicktest nearly worksAndrew Tridgell1-5/+1
Rewrote wafsamba using a new dependency handling system, and started adding the waf test code
2010-04-06build: commit all the waf build files in the treeAndrew Tridgell1-0/+63
2010-04-05Revert "s4:gensec_gssapi.c - make sure that "GSS_C_DELEG_POLICY_FLAG" is ↵Matthias Dieter Wallnöfer1-5/+0
available" This reverts commit 3e091a82167f51b7d9abf00755bede9354932c6b. This should be fixed through the new build system when it lands in "master".
2010-03-30s4:gensec_gssapi.c - make sure that "GSS_C_DELEG_POLICY_FLAG" is availableMatthias Dieter Wallnöfer1-0/+5
FreeBSD 7.2 needs this.
2010-03-29pytalloc: allow for using a system libtalloc-dev with pytallocAndrew Tridgell1-1/+1
When we have a system talloc library, we still need to grab pytalloc.h from lib/talloc. We don't want to just use -Ilib/talloc, as otherwise we'll get the in-tree talloc.h which may not be compatible with the system talloc.h So we need to give the path to pytalloc.h
2010-03-26libutil: moved the networking defines to util_net.hAndrew Tridgell2-0/+2
These were causing thousands of warnings on solaris8
2010-03-08s4-gensec: Fixed wrong usage of error_string.Andreas Schneider1-1/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2010-02-26s4:python Add bindings to set GENSEC flags on credentials in pythonAndrew Bartlett1-0/+9
This should allow these to be manipulated by python scripts that need encrypted connections. Andrew Bartlett
2010-02-26s4-krb5: propogate errors from a lot more kerberos functionsAndrew Tridgell2-9/+15
We need to be able to give sensible error messages when a kerberos calls fails. This propogates the kerberos error up the stack to the caller. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-02-23s4:cleanup remove unused schannel ldb codeSimo Sorce1-67/+0
2010-02-23s4:schannel merge code with s3Simo Sorce2-22/+5
After looking at the s4 side of the (s)channel :) I found out that it makes more sense to simply make it use the tdb based code than redo the same changes done to s3 to simplify the interface. Ldb is slow, to the point it needs haks to pre-open the db to speed it up, yet that does not solve the lookup speed, with ldb it is always going to be slower. Looking through the history it is evident that the schannel database doesn't really need greate expanadability. And lookups are always done with a single Key. This seem a perfet fit for tdb while ldb looks unnecessarily complicated. The schannel database is not really a persistent one. It can be discared during an upgrade without causing any real issue. all it contains is temproary session data.