summaryrefslogtreecommitdiff
path: root/source4/auth/gensec
AgeCommit message (Collapse)AuthorFilesLines
2011-12-29s4-gensec: Rename memory contexts in gensec_util for greater clarityAndrew Bartlett1-2/+2
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba. Thankyou Simo for the suggestion. Andrew Bartlett
2011-12-29s4-gensec: Rename memory contexts in gensec_krb5 for greater clarityAndrew Bartlett1-16/+16
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba. Thankyou Simo for the suggestion. Andrew Bartlett
2011-12-29s4-gensec: Rename memory contexts in gensec_gssapi for greater clarityAndrew Bartlett1-16/+16
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba. Thankyou Simo for the suggestion. Andrew Bartlett
2011-12-29s4-gensec remove auth_session dep from gensec_gssapi.cAndrew Bartlett1-1/+1
Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 29 05:37:11 CET 2011 on sn-devel-104
2011-12-29s4-gensec Remove fallback for simple privilegesAndrew Bartlett1-6/+2
This makes the dependencies simpler, as this code path is no longer required. (That is, it makes no sense to have an NTLM login without an auth context, and the gensec_gssapi and gensec_krb5 modules call the PAC blob function below instead). Andrew Bartlett
2011-12-29s4-torture: Demonstrate handling of the PAC in a custom auth_contextAndrew Bartlett2-59/+5
This demonstrates how a different function pointer can be supplied to handle the PAC blob, without depending on the provisioned samdb etc. Andrew Bartlett
2011-12-29s4-gensec: Move parsing of the PAC blob and creating the session_info into authAndrew Bartlett4-146/+152
This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a seperation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
2011-12-29s4-gensec: fix cyrus sasl module after update() protype changeAndrew Bartlett1-0/+1
2011-12-28s4-gensec: Allow a PAC to be obtained from any GSS mechAndrew Bartlett1-7/+0
This may allow Luke Howard's moonshot to work with a little less effort at some point in the future. Andrew Bartlett
2011-12-07auth: Allow a NULL principal to be obtained from the credentialsAndrew Bartlett1-1/+4
This is important when trying to let GSSAPI search the keytab. Andrew Bartlett
2011-11-30s4:gensec/spnego: only try the mechs that match the client given onesStefan Metzmacher1-0/+4
Windows-Members of NT4/Samba3 domains, send MechTypes: 1.3.6.1.4.1.311.2.2.10 [NTLMSSP] 1.2.840.48018.1.2.2 [krb5 broken] 1.2.840.113554.1.2.2 [krb5] MechToken for NTLMSSP. This patch makes sure we start NTLMSSP with the given MechToken, instead of trying to pass the NTLMSSP MechToken to the krb5 backend first. As that would fail the authentication with an error instead of trying fallbacks. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Nov 30 17:03:29 CET 2011 on sn-devel-104
2011-10-18gensec: move event context from gensec_*_init() to gensec_update()Andrew Bartlett5-41/+48
This avoids keeping the event context around on a the gensec_security context structure long term. In the Samba3 server, the event context we either supply is a NULL pointer as no server-side modules currently use the event context. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18gensec: move event-using code to gensec_update() hooks out of gensec_start*()Andrew Bartlett3-39/+77
This ensures that only gensec_update() will require an event context argument when the API is refactored. Andrew Bartlett
2011-10-13libcli/auth: Provide a struct loadparm_context to schannel callsAndrew Bartlett1-1/+1
This will allow us to pass this down to the tdb_wrap layer. Andrew Bartlett
2011-10-11auth: move gensec_start.c to the top levelAndrew Bartlett6-972/+65
This does not change who uses gensec for now, but makes it possible to write new gensec modules outside source4/ Andrew Bartlett
2011-10-11auth: move credentials layer to the top levelAndrew Bartlett1-0/+4
This will allow gensec_start.c to move to the top level. This does not change what code uses the cli_credentials code, but allows the gensec code to be more broadly. Andrew Bartlett
2011-10-06lib/util: consolidate module loading into common codeAndrew Bartlett2-1/+2
This creates a samba-modules private libary that handles the details. Andrew Bartlett
2011-09-19s4:auth - remove unused variablesMatthias Dieter Wallnöfer1-1/+0
Reviewed-by: Jelmer
2011-09-06s4:auth/gensec: gensec.h was moved to gensec_runtimeStefan Metzmacher1-1/+1
metze
2011-08-21gensec: Install header file.Jelmer Vernooij1-0/+1
2011-08-18credentials: Rename library to samba-credentials to avoid name clashes.Jelmer Vernooij1-5/+5
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Thu Aug 18 22:16:38 CEST 2011 on sn-devel-104
2011-08-14Use public pytalloc header file.Jelmer Vernooij1-1/+1
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sun Aug 14 17:18:46 CEST 2011 on sn-devel-104
2011-08-14s4:misc: remove last usage of legacy event_ fn namesSimo Sorce1-3/+3
Autobuild-User: Simo Sorce <idra@samba.org> Autobuild-Date: Sun Aug 14 00:38:13 CEST 2011 on sn-devel-104
2011-08-10pytalloc: Use consistent prefix for functions, add ABI file.Jelmer Vernooij1-20/+20
2011-08-08build: provide tevent-util as a public libraryAndrew Bartlett1-1/+1
This is needed so that OpenChange can get at _tevent_req_nterr(), which is referenced by generated PIDL output. Andrew Bartlett
2011-08-03s3-ntlmssp Add hooks to optionally call into GENSEC in auth_ntlmsspAndrew Bartlett2-0/+2
This allows the current behaviour of the NTLMSSP code to be unchanged while adding a way to hook in an alternate implementation via an auth module. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03gensec: clarify memory ownership for gensec_session_info() and ↵Andrew Bartlett6-38/+28
gensec_session_key() This is slightly less efficient, because we no longer keep a cache on the gensec structures, but much clearer in terms of memory ownership. Both gensec_session_info() and gensec_session_key() now take a mem_ctx and put the result only on that context. Some duplication of memory in the callers (who were rightly uncertain about who was the rightful owner of the returned memory) has been removed to compensate for the internal copy. Andrew Bartlett
2011-08-03gensec: Remove mem_ctx from calls that do not return memoryAndrew Bartlett3-16/+11
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03gensec: split GENSEC into mechanism-dependent and runtime functionsAndrew Bartlett9-923/+172
The startup and runtime functions that have no dependencies are moved into the top level. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-29gensec: Add a way to request a unix token from GENSECAndrew Bartlett2-5/+13
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-28s4auth: Fix the object name for Py_SecurityAmitay Isaacs1-1/+1
Use the object names as <modulename>.<objectname> to correctly generate the object hierarchy in pydoc. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20auth: Split out make_user_info_SamBaseInfo and add authenticated argumentAndrew Bartlett1-0/+1
This will allow the source3 auth code to call this without needing to double-parse the SIDs Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-06-17s4-auth: quiet down the krb5 warnings when kerberos is not set to 'MUST'Andrew Tridgell1-1/+1
this prevents spurious error messages on client commands when when we will fallback to NTLM authentication Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-06-08s4-gensec bring GSS_S_CONTEXT_EXPIRED into it's own error handlerAndrew Bartlett1-0/+59
This allows us to print much more debugging in this critical situation. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Jun 8 04:19:58 CEST 2011 on sn-devel-104
2011-06-06s4-modules Remove lp_ctx from init functions that no longer need itAndrew Bartlett3-5/+5
Now that we don't allow the smb.conf to change the modules dir, many functions that simply load modules or initialise a subsytem that may load modules no longer need an lp_ctx. Andrew Bartlett
2011-05-18s4:gensec_gssapi: avoid delegation if s4u2self/proxy is usedStefan Metzmacher1-0/+4
metze
2011-05-08s4-auth Rename auth -> auth4 to avoid conflict with s3 authAndrew Bartlett3-7/+7
2011-05-04sasl_secret_t ends in a char [1] size. This means the extra character is ↵Jeremy Allison1-2/+2
implicit in the safe_strcpy. When changing to strlcpy ensure we allocate an extra char for it. This fixes a bug where secret->len+1 used with safe_strcpy could actually write into secret->len+2.
2011-04-27s4-gensec: Use new common 'obtain the PAC' functions.Andrew Bartlett1-15/+4
Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Apr 27 05:08:10 CEST 2011 on sn-devel-104
2011-04-27libcli/auth Move Samba4's gssapi_error_string from GENSEC to libcli/authAndrew Bartlett1-38/+0
This will allow the GSSAPI PAC fetch code to use it. Andrew Bartlett
2011-04-20libcli/auth Move PAC parsing and verification in common.Andrew Bartlett1-2/+2
This uses the source3 PAC code (originally from Samba4) with some small changes to restore functionality needed by the torture tests, and to have a common API. Andrew Bartlett
2011-04-06lib: make asn1_util a private libraryAndrew Tridgell1-1/+1
this prevents symbol duplication of the asn1 symbols in the service and ntvfs subsystems Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-04-05auth: Move auth_session_info into IDLAndrew Bartlett1-1/+1
This changes auth_session_info_transport to just be a wrapper, rather than a copy that has to be kept in sync. As auth_session_info was already wrapped in python, this required changes to the existing pyauth wrapper and it's users. Andrew Bartlett
2011-03-22s4:python bindings - handle NULL returns from "loadparm_init_global"Matthias Dieter Wallnöfer1-0/+10
Reviewed-by: Jelmer Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Tue Mar 22 19:52:57 CET 2011 on sn-devel-104
2011-03-19source4/auth/gensec: Fix prototypes for all functions.Jelmer Vernooij7-1/+11
2011-03-04s4-nterr: move auth_nt_status_squash to nt_status_squash and move to nterr.cGünther Deschner1-1/+1
Guenther
2011-02-24build: moved spnego_parse.c into a common subsystemAndrew Tridgell1-2/+2
2011-02-24build: moved schannel_sign.c into a shared COMMON_SCHANNEL subsystemAndrew Tridgell1-2/+2
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-10ldb: use #include <ldb.h> for ldbAndrew Tridgell1-1/+1
thi ensures we are using the header corresponding to the version of ldb we're linking against. Otherwise we could use the system ldb for link and the in-tree one for include Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-09s4-auth Rework auth subsystem to remove struct auth_serversupplied_infoAndrew Bartlett4-21/+42
This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett