summaryrefslogtreecommitdiff
path: root/source4/auth/gensec
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r12863: As lha suggested to me a while back, it appears that theAndrew Bartlett1-8/+7
gsskrb5_get_initiator_subkey() routine is bougs. We can indeed use gss_krb5_get_subkey(). This is fortunate, as there was a segfault bug in 'initiator' version. Andrew Bartlett (This used to be commit ec11870ca1f9231dd3eeae792fc3268b31477e11)
2007-10-10r12804: This patch reworks the Samba4 sockets layer to use a socket_addressAndrew Bartlett3-61/+21
structure that is more generic than just 'IP/port'. It now passes make test, and has been reviewed and updated by metze. (Thankyou *very* much). This passes 'make test' as well as kerberos use (not currently in the testsuite). The original purpose of this patch was to have Samba able to pass a socket address stucture from the BSD layer into the kerberos routines and back again. It also removes nbt_peer_addr, which was being used for a similar purpose. It is a large change, but worthwhile I feel. Andrew Bartlett (This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
2007-10-10r12694: Move some headers to the directory of the subsystem they belong to.Jelmer Vernooij1-1/+1
(This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3)
2007-10-10r12682: This patch finally fixes our kpasswdd implementation to be compatibleAndrew Bartlett3-8/+146
with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2007-10-10r12670: Make a couple of dependencies stricterJelmer Vernooij1-1/+1
Re-introduce and use the OUTPUT_TYPE property for MODULEs to force specific modules to always be included (This used to be commit f9eede3d40098eddc3618ee48f9253cdddb94a6f)
2007-10-10r12628: Prevent double registration warningsJelmer Vernooij1-1/+1
(This used to be commit 98ec52beeed47c71861c284c7aae66269c074e66)
2007-10-10r12621: INIT_FUNCTION no longer has to be set on librariesJelmer Vernooij1-1/+0
(This used to be commit 7ff1ecdc6fa9e360dedf9737da6ce1941ad5033e)
2007-10-10r12620: Get rid of automatically generated lists of init functions of ↵Jelmer Vernooij1-0/+5
subsystems. This allows Samba libraries to be used by other projects (and parts of Samba to be built as shared libraries). (This used to be commit 44f0aba715bfedc7e1ee3d07e9a101a91dbd84b3)
2007-10-10r12608: Remove some unused #include lines.Jelmer Vernooij3-5/+0
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
2007-10-10r12592: Remove some useless dependenciesJelmer Vernooij1-2/+2
(This used to be commit ca8db1a0cd77682ac2c6dc4718f5d753a4fcc4db)
2007-10-10r12542: Move some more prototypes out to seperate headersJelmer Vernooij3-1/+3
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2007-10-10r12499: Move smb_build.h out of includes.hJelmer Vernooij1-0/+1
(This used to be commit c92ace494f92084ddf178626cdf392d151043bc7)
2007-10-10r12498: Eliminate INIT_OBJ_FILES and ADD_OBJ_FILES. We were not usingJelmer Vernooij1-10/+8
the difference between these at all, and in the future the fact that INIT_OBJ_FILES include smb_build.h will be sufficient to have recompiles at the right time. (This used to be commit b24f2583edee38abafa58578d8b5c4b43e517def)
2007-10-10r12494: Support loading modules from .so files for most subsystems.Jelmer Vernooij1-0/+8
We now use a different system for initializing the modules for a subsystem. Most subsystems now have an init function that looks something like this: init_module_fn static_init[] = STATIC_AUTH_MODULES; init_module_fn *shared_init = load_samba_modules(NULL, "auth"); run_init_functions(static_init); run_init_functions(shared_init); talloc_free(shared_init); I hope to eliminate the other init functions later on (the init_programname_subsystems; defines). (This used to be commit b6d2ad4ce0a91c4be790dd258820c492ff1787ea)
2007-10-10r12439: No need to keep walking this list if we find the match.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit cf1883c3cc1feecf3ddd7f36dbbca3bdf068bee2)
2007-10-10r12436: Fix Samba4 as a server to Win2000 for the domain join.Andrew Bartlett1-46/+74
We still have Win2000 issues, but now we correctly handle the case where NTLMSSP is chosen as an authentication mech, but the OID list still contains Kerberos as a later option. Andrew Bartlett (This used to be commit dc2b2c33f89b84bd221c9009750a22ff42fc462d)
2007-10-10r12268: Use transactions to ensure that the schannel db is consistant.Andrew Bartlett1-0/+17
Andrew Bartlett (This used to be commit 949137e3122a3163a9fc923a418633a791364afe)
2007-10-10r12254: Add some (hopefully correct) descriptions for libraries that are ↵Jelmer Vernooij1-0/+1
installed. Install pkg-config files. (This used to be commit a86abe84e2cae7c6188c094a92c6b62aace02fdf)
2007-10-10r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldbAndrew Bartlett1-1/+2
backend. The idea is that every time we open an LDB, we can provide a session_info and/or credentials. This would allow any ldb to be remote to LDAP. We should also support provisioning to a authenticated ldap server. (They are separate so we can say authenticate as foo for remote, but here we just want a token of SYSTEM). Andrew Bartlett (This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
2007-10-10r12179: Allow our KDC to use LDAP to get to the backend database.Andrew Bartlett1-2/+5
To avoid a circular depenency, it is not allowed to use Krb5 as an authentication mechanism, so this must be removed from the list. An extension to the credentials system allows this function. Also remove proto.h use for any of the KDC, and use NTSTATUS returns in more places. Andrew Bartlett (This used to be commit 5f9dddd02c9c821675d2ccd07561a55edcd7f5b4)
2007-10-10r12060: Work towards allowing the credentials system to allow/deny certainAndrew Bartlett2-62/+97
GENSEC mechansims. This will allow a machine join to an NT4 domain to avoid even trying kerberos, or a sensitive operation to require it. Andrew Bartlett (This used to be commit 11c7a89e523f85afd728d5e5f03bb084dc620244)
2007-10-10r11995: A big kerberos-related update.Andrew Bartlett1-54/+7
This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY keytab, so we now create a FILE based keytab as provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2007-10-10r11991: Null termainte the list of backends. (Makes it easier to walk the ↵Andrew Bartlett1-2/+2
list). Andrew Bartlett (This used to be commit fc4202dea88a72de061cb2e1caa7847fae37018f)
2007-10-10r11967: Fix more 64-bit warnings.Tim Potter1-4/+4
(This used to be commit 9c4436a124f874ae240feaf590141d48c33a635f)
2007-10-10r11567: Ldb API change patch.Simo Sorce1-10/+11
This patch changes the way lsb_search is called and the meaning of the returned integer. The last argument of ldb_search is changed from struct ldb_message to struct ldb_result which contains a pointer to a struct ldb_message list and a count of the number of messages. The return is not the count of messages anymore but instead it is an ldb error value. I tryed to keep the patch as tiny as possible bu as you can guess I had to change a good amount of places. I also tried to double check all my changes being sure that the calling functions would still behave as before. But this patch is big enough that I fear some bug may have been introduced anyway even if it passes the test suite. So if you are currently working on any file being touched please give it a deep look and blame me for any error. Simo. (This used to be commit 22c8c97e6fb466b41859e090e959d7f1134be780)
2007-10-10r11543: A major upgrade to our KDC and PAC handling.Andrew Bartlett2-2/+2
We now put the PAC in the AS-REP, so that the client has it in the TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the client wants a ticket. This should also allow us to interop with windows KDCs. If we get an invalid PAC at the TGS stage, we just drop it. I'm slowly trying to move the application logic out of hdb-ldb.c, and back in with the rest of Samba's auth system, for consistancy. This continues that trend. Andrew Bartlett (This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
2007-10-10r11521: Add in client support for checking supportedSASLmechanisms, and thenAndrew Bartlett3-5/+74
determining a mechanism to use. Currently it doesn't to fallbacks like SPNEGO does, but this could be added (to GENSEC, not to here). This also adds a new function to GENSEC, which returns a list of SASL names in our preference order (currently determined by the build system of all things...). Also make the similar function used for OIDs in SPNEGO do the same. This is all a very long-winded way of moving from a hard-coded NTLM to GSS-SPNEGO in our SASL client... Andrew Bartlett (This used to be commit 130eb9bb9a37957614c87e0e6846a812abb51e00)
2007-10-10r11514: Fixup debug messageAndrew Bartlett1-1/+1
(This used to be commit b2372cad367a29d7dca596dace703a349b381a09)
2007-10-10r11470: To a server trusted for delegation (checked for in the gss libs),Andrew Bartlett1-1/+1
delegate by default. Andrew Bartlett (This used to be commit 49d489c81d5b5c86e032ed6edfda4590d1d1f2be)
2007-10-10r11468: Merge a bit more of init_sec_context from Heimdal CVS into ourAndrew Bartlett1-1/+8
DCE_STYLE modified version, and add parametric options to control delegation. It turns out the only remaining issue is sending delegated credentials to a windows server, probably due to the bug lha mentions in his blog (using the wrong key). If I turn delgation on in smbclient, but off in smbd, I can proxy a cifs session. I can't wait till Heimdal 0.8, so I'll see if I can figure out the fix myself :-) Andrew Bartlett (This used to be commit fd5fd03570c13f5644e53ff89ac8eca7c0985740)
2007-10-10r11452: Update Heimdal to current lorikeet, including removing the ccache sideAndrew Bartlett1-49/+52
of the gsskrb5_acquire_cred hack. Add support for delegated credentials into the auth and credentials subsystem, and specifically into gensec_gssapi. Add the CIFS NTVFS handler as a consumer of delegated credentials, when no user/domain/password is specified. Andrew Bartlett (This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448)
2007-10-10r11400: fix compiler warningsStefan Metzmacher1-1/+1
metze (This used to be commit a29a107d95b67248ccd6036084829b080c892e40)
2007-10-10r11399: Add another case where we need to fallback, if the KDC isn't there.Andrew Bartlett1-0/+4
Andrew Bartlett (This used to be commit e82fbb58ddaa3d38615d9a2d5e804f614edb2ff3)
2007-10-10r11394: Allow KDC unreachable as another 'forget about gssapi' error on SPNEGO.Andrew Bartlett1-0/+4
Andrew Bartlett (This used to be commit da24074860cb7029ef0ff45105170642174f45c1)
2007-10-10r11382: Require number of required M4 macrosJelmer Vernooij2-8/+3
Make MODULE handling a bit more like BINARY, LIBRARY and SUBSYSTEM Add some more PUBLIC_HEADERS (This used to be commit 875eb8f4cc658e6aebab070029fd499a726ad520)
2007-10-10r11377: Add support for building LIBRARY elements as shared libraries:Jelmer Vernooij1-1/+4
- Adds -rpath bin/ so you don't have to install Samba in order to use compiled binaries. - Writes out pkg-config files when building shared libs - Supports automatic fallback to MERGEDOBJ (which is the default) or OBJ_LIST (if ld -r is not supported) Building with shared libs reduces the size of the Samba binaries from 197 Mb to 60 Mb (including libraries) on my system (GCC4, with debugging). To build with shared libraries support enabled, run: LIBRARY_OUTPUT_TYPE=SHARED_LIBRARY ./config.status init functions don't get called correctly yet when using shared libs, so you won't be able to actually run anything with success :-) Once init functions are done, I'll look at support for loading shared modules once again. Based on a patch by Peter Novodvorsky (nidd on IRC). (This used to be commit 0b54405685674a2b19a28d77aae5b1136b5a4728)
2007-10-10r11342: Remove unused variables.Andrew Bartlett1-1/+0
Andrew Bartlett (This used to be commit eed8f4a03168a72910c829e490937c696c00b697)
2007-10-10r11314: Use a patch from lha to have the kerberos libs extract the PAC, ratherAndrew Bartlett2-19/+44
than doing ASN.1 parsing in Samba. Also use the API function for getting a client from a ticket, rather than just digging in the structure. Andrew Bartlett (This used to be commit 25d5ea6d724bd2b64a6086ae6e2e1c5148b8ca4a)
2007-10-10r11278: fix compiler warningsStefan Metzmacher1-14/+22
metze (This used to be commit 716e6b0c883836e50400413cccbeb6fab5cb5744)
2007-10-10r11270: Move the core CrackNames code from rpc_server/drsuapi to dsdb/samdb.Andrew Bartlett2-48/+12
I'm sure this will not be the final resting place, but it will do for now. Use the cracknames code in auth/ for creating a server_info given a principal name only (should avoid assumtions about spliting a user@realm principal). Andrew Bartlett (This used to be commit c9d5d8e45dd7b7c99b6cf35b087bc18012f31222)
2007-10-10r11244: Relative path names in .mk filesJelmer Vernooij1-8/+8
(This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba)
2007-10-10r11239: Use ${REALM} for the realm in rootdse.ldifAndrew Bartlett1-2/+1
Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2007-10-10r11226: Cope with Samba3's behaviour on LDAP with GSS-SPNEGO.Andrew Bartlett1-2/+3
Andrew Bartlett (This used to be commit 4d9667f5a037eb15f6f0e4329314a37f148e9db7)
2007-10-10r11219: Now that we have the credentials hooked in here, we have a much moreAndrew Bartlett1-1/+10
reasonable value to fill in for the mechListMIC. Andrew Bartlett (This used to be commit 51d78de2b79f4ab75c86c3255c23a478c6822a0e)
2007-10-10r11216: Upgrade to gd's PAC extraction code from Samba3. While I still wantAndrew Bartlett2-31/+39
to make some this the kerberos library's problem, we may as well use the best code that is around. Andrew Bartlett (This used to be commit a7fe3078a65f958499779f381731b408f3e6fb1f)
2007-10-10r11214: Remove scons files (see ↵Jelmer Vernooij1-14/+0
http://lists.samba.org/archive/samba-technical/2005-October/043443.html) (This used to be commit 7fffc5c9178158249be632ac0ca179c13bd1f98f)
2007-10-10r11212: Enable sealing of data with raw krb5, consolidate some code into theAndrew Bartlett1-61/+63
main gensec_krb5_start and always ask for sequence numbers. Andrew Bartlett (This used to be commit 801cd6c6ffa96ac79eb425adf7c97eb2cfcbed4a)
2007-10-10r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5Andrew Bartlett3-32/+51
authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
2007-10-10r11199: Push an objectSid into the schannel state database, to match the new ↵Andrew Bartlett1-10/+2
header. Andrew Bartlett (This used to be commit a665b56085cbf89c6deaeef0deaed31fcbc07458)
2007-10-10r11196: Clean up memory leaks (pointed out by vl), and handle the case whereAndrew Bartlett1-11/+47
the client doesn't guess correctly on the mech to use. It must back off and try the mech the server selected from the list. I'm not particularly attached to our SPNEGO parser, so while I can't easily use the SPNEGO application logic in Heimdal, I'm going to look closely at using the asn1 routines to avoid some pain here. Andrew Bartlett (This used to be commit 929217387449270b60c3f825dca3b3cae5a4f9d1)