summaryrefslogtreecommitdiff
path: root/source4/auth
AgeCommit message (Collapse)AuthorFilesLines
2011-10-18s4:auth/unix_token: match s3 behavior and add uid/gid to the groups arrayStefan Metzmacher1-17/+31
If mappings use ID_TYPE_BOTH. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Oct 18 10:39:54 CEST 2011 on sn-devel-104
2011-10-18gensec: move event context from gensec_*_init() to gensec_update()Andrew Bartlett7-42/+49
This avoids keeping the event context around on a the gensec_security context structure long term. In the Samba3 server, the event context we either supply is a NULL pointer as no server-side modules currently use the event context. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18gensec: move event-using code to gensec_update() hooks out of gensec_start*()Andrew Bartlett3-39/+77
This ensures that only gensec_update() will require an event context argument when the API is refactored. Andrew Bartlett
2011-10-18s4-auth: match the new s3 gensec client and always negotiate SIGN with SEALAndrew Bartlett1-0/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18ntlmssp: Prepare gensec_ntlmssp_start() for broader useAndrew Bartlett2-4/+28
This moves the allocation of the ntlmssp pointer back to the callers. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18ntlmssp: Move ntlmssp code to auth/ntlmsspAndrew Bartlett6-286/+11
This brings in the code from both libcli/auth and source4/auth/ntlmssp. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-13libcli/auth: Provide a struct loadparm_context to schannel callsAndrew Bartlett1-1/+1
This will allow us to pass this down to the tdb_wrap layer. Andrew Bartlett
2011-10-11auth: move gensec_start.c to the top levelAndrew Bartlett7-972/+66
This does not change who uses gensec for now, but makes it possible to write new gensec modules outside source4/ Andrew Bartlett
2011-10-11auth: move credentials layer to the top levelAndrew Bartlett14-3656/+4
This will allow gensec_start.c to move to the top level. This does not change what code uses the cli_credentials code, but allows the gensec code to be more broadly. Andrew Bartlett
2011-10-11lib/param move source4 param code to the top levelAndrew Bartlett1-1/+1
This is done so that the lpcfg_ functions are available across the whole build, either with the struct loadparm_context loaded from an smb.conf directly or as a wrapper around the source3 param code. This is not the final, merged loadparm, but simply one step to make it easier to solve other problems while we make our slow progress on this difficult problem. Andrew Bartlett
2011-10-06lib/util: consolidate module loading into common codeAndrew Bartlett4-2/+4
This creates a samba-modules private libary that handles the details. Andrew Bartlett
2011-10-05s4-auth: fixed formatting of some DEBUG() linesAndrew Tridgell1-3/+3
Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Wed Oct 5 09:45:15 CEST 2011 on sn-devel-104
2011-10-04s4-auth: rework map_user_info() to use cracknamesAndrew Tridgell2-13/+215
to properly support multi-domain forests we need to determine if an incoming username is part of a known forest domain or not. To do this for all possible SPN forms, we need to use CrackNames. This changes map_user_info() to use CrackNames if a SAM context is available, and asks the CrackNames services to parse the incoming username and domain into a NT4 form, which can then be used in the SAM. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-10-04s4-sam: don't look in GC NCs for user accountsAndrew Tridgell1-2/+6
We need to exclude GC partial replica naming contexts from SAM lookups Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-09-19s4:auth - remove unused variablesMatthias Dieter Wallnöfer2-2/+0
Reviewed-by: Jelmer
2011-09-08build: make LIBWBCLIENT_OLD and auth_unix_token librariesAndrew Bartlett1-5/+6
This assists with avoiding duplicate symbols. Andrew Bartlett
2011-09-06s4:auth/gensec: gensec.h was moved to gensec_runtimeStefan Metzmacher1-1/+1
metze
2011-08-21gensec: Install header file.Jelmer Vernooij1-0/+1
2011-08-21samba-credentials: Add pkg-config file.Jelmer Vernooij2-0/+12
2011-08-18credentials: Rename library to samba-credentials to avoid name clashes.Jelmer Vernooij5-14/+14
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Thu Aug 18 22:16:38 CEST 2011 on sn-devel-104
2011-08-14Use public pytalloc header file.Jelmer Vernooij1-1/+1
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sun Aug 14 17:18:46 CEST 2011 on sn-devel-104
2011-08-14s4:misc: remove last usage of legacy event_ fn namesSimo Sorce1-3/+3
Autobuild-User: Simo Sorce <idra@samba.org> Autobuild-Date: Sun Aug 14 00:38:13 CEST 2011 on sn-devel-104
2011-08-10pytalloc: Use consistent prefix for functions, add ABI file.Jelmer Vernooij5-56/+56
2011-08-08s4:pycredentials: PyArg_ParseTuple("i") requires an 'int' argument.Stefan Metzmacher1-6/+30
If we pass variable references we don't get implicit casting! metze
2011-08-08build: Make credentials a public library for OpenChange to useAndrew Bartlett1-1/+1
Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Aug 8 14:53:53 CEST 2011 on sn-devel-104
2011-08-08build: provide tevent-util as a public libraryAndrew Bartlett2-2/+2
This is needed so that OpenChange can get at _tevent_req_nterr(), which is referenced by generated PIDL output. Andrew Bartlett
2011-08-07pyldb: Consistently use pyldb_ prefix.Jelmer Vernooij1-3/+3
2011-08-03ntlmssp: Add ntlmssp_blob_matches_magic()Andrew Bartlett1-1/+1
This avoids having the same check in 3 different parts of the code Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Aug 3 12:45:04 CEST 2011 on sn-devel-104
2011-08-03gensec: Don't keep a second copy of the auth4_context in gensec_ntlmssp_stateAndrew Bartlett2-7/+4
The auth4_context is already in the gensec_security structure, which is available by de-reference here anyway. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-ntlmssp Add hooks to optionally call into GENSEC in auth_ntlmsspAndrew Bartlett2-0/+2
This allows the current behaviour of the NTLMSSP code to be unchanged while adding a way to hook in an alternate implementation via an auth module. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03gensec: clarify memory ownership for gensec_session_info() and ↵Andrew Bartlett8-45/+37
gensec_session_key() This is slightly less efficient, because we no longer keep a cache on the gensec structures, but much clearer in terms of memory ownership. Both gensec_session_info() and gensec_session_key() now take a mem_ctx and put the result only on that context. Some duplication of memory in the callers (who were rightly uncertain about who was the rightful owner of the returned memory) has been removed to compensate for the internal copy. Andrew Bartlett
2011-08-03gensec: Remove mem_ctx from calls that do not return memoryAndrew Bartlett4-18/+11
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03gensec: split GENSEC into mechanism-dependent and runtime functionsAndrew Bartlett9-923/+172
The startup and runtime functions that have no dependencies are moved into the top level. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-29s4-auth Fill in the remainder of the unix info in auth_session_infoAndrew Bartlett2-5/+45
Signed-off-by: Andrew Tridgell <tridge@samba.org> Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Fri Jul 29 05:33:03 CEST 2011 on sn-devel-104
2011-07-29s4-auth Move conversion of security_token to unix_token to authAndrew Bartlett6-7/+125
This allows us to honour the AUTH_SESSION_INFO_UNIX_TOKEN flag. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-29gensec: Add a way to request a unix token from GENSECAndrew Bartlett3-5/+14
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-28s4auth: Fix the object name for Py_SecurityAmitay Isaacs1-1/+1
Use the object names as <modulename>.<objectname> to correctly generate the object hierarchy in pydoc. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-28s4auth: Fix the object names for PyCredentials and PyCredentialCacheContainerAmitay Isaacs1-2/+2
Use the object names as <modulename>.<objectname> to correctly generate the object hierarchy in pydoc. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-28s4auth: Remove duplicate assignment of structure variableAmitay Isaacs1-1/+0
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-25s4:auth/kerberos: activate windows related krb5 flagsStefan Metzmacher1-0/+10
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Mon Jul 25 09:45:01 CEST 2011 on sn-devel-104
2011-07-20auth: Split out make_user_info_SamBaseInfo and add authenticated argumentAndrew Bartlett2-2/+6
This will allow the source3 auth code to call this without needing to double-parse the SIDs Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-15s4:auth/credentials: with the build after heimdal importStefan Metzmacher1-0/+1
metze
2011-06-24s4:kdc: implement samba_kdc_check_s4u2proxy()Stefan Metzmacher1-0/+1
metze
2011-06-22s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCsStefan Metzmacher1-1/+48
If the KDC does not support S4U2Proxy, it might return a ticket for the TGT client principal. metze
2011-06-22s4:auth/kerberos: add S4U2Proxy support to kerberos_kinit_password_cc()Stefan Metzmacher3-5/+134
For S4U2Proxy we need to use the ticket from the S4U2Self stage and ask the kdc for the delegated ticket for the target service. metze
2011-06-22s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCsStefan Metzmacher1-1/+47
Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets which belongs to the client principal of the TGT. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104
2011-06-22s4:auth/kerberos: remove one indentation level in kerberos_kinit_password_cc()Stefan Metzmacher1-94/+99
This will make the following changes easier to review. metze
2011-06-22s4:auth/kerberos: reformat kerberos_kinit_password_cc()Stefan Metzmacher1-32/+41
In order to make the following changes easier to review. metze
2011-06-22s4:auth/kerberos: don't mix s4u2self creds with machine account credsStefan Metzmacher1-24/+76
It's important that we don't store the tgt for the machine account in the same krb5_ccache as the ticket for the impersonated principal. We may pass it to some krb5/gssapi functions and they may use them in the wrong way, which would grant machine account privileges to the client. metze
2011-06-22s4:auth/kerberos: use better variable names in kerberos_kinit_password_cc()Stefan Metzmacher1-27/+41
This will make the following changes easier to review. metze