summaryrefslogtreecommitdiff
path: root/source4/auth
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r11204: Allow us to read credentials from secrets.ldb without aAndrew Bartlett1-6/+2
secureChannelType (non machine join records). Andrew Bartlett (This used to be commit 3dddf497ccf246af435e6e2802d8f3745f2e4fd3)
2007-10-10r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5Andrew Bartlett10-280/+302
authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
2007-10-10r11199: Push an objectSid into the schannel state database, to match the new ↵Andrew Bartlett1-10/+2
header. Andrew Bartlett (This used to be commit a665b56085cbf89c6deaeef0deaed31fcbc07458)
2007-10-10r11196: Clean up memory leaks (pointed out by vl), and handle the case whereAndrew Bartlett1-11/+47
the client doesn't guess correctly on the mech to use. It must back off and try the mech the server selected from the list. I'm not particularly attached to our SPNEGO parser, so while I can't easily use the SPNEGO application logic in Heimdal, I'm going to look closely at using the asn1 routines to avoid some pain here. Andrew Bartlett (This used to be commit 929217387449270b60c3f825dca3b3cae5a4f9d1)
2007-10-10r11081: Remember to remove unused variables.Jeremy Allison1-1/+0
Jeremy. (This used to be commit bfa41398a65037c6017b0af0ea1f0423011df150)
2007-10-10r11080: Narrowing down on the #1828 PPC bug. The PPC client sends anJeremy Allison1-19/+7
initial NTLMSSP negotiate blob of only 16 bytes - no strings added ! (So don't try parsing them). Jeremy. (This used to be commit 42d93a317ab424a0720620b83c285b5118bcc06f)
2007-10-10r11076: Still working on bug #1828, PPC hell. The PPC client sends theJeremy Allison1-2/+12
NTLMSSP client and domain strings as Unicode, even when setting flags as OEM. Cope with this. Jeremy. (This used to be commit 77399e1cecc44674c3398143d8a5bb59c600abcd)
2007-10-10r11058: remove useless talloc contextStefan Metzmacher1-4/+1
metze (This used to be commit d9d3fe1b8aa34f5d87b73b94253b4230303cba76)
2007-10-10r11052: bring samba4 uptodate with the samba4-winsrepl branch,Stefan Metzmacher2-11/+0
before the bad merge metze (This used to be commit 471c0ca4abb17fb5f73c0efed195c67628c1c06e)
2007-10-10r11037:Stefan Metzmacher2-0/+11
(This used to be commit 6913e338405a5aca5c70cf6e022532c596ed0a36)
2007-10-10r10985: To aid in testing, this allows us to easily force kerberos to use ↵Andrew Bartlett1-5/+9
UDP or TCP. Andrew Bartlett (This used to be commit ae0b4028ff7033dab70687376c2090baa692cf58)
2007-10-10r10982: Move credentials.h into auth/credentials, and add flags needed byAndrew Bartlett1-0/+81
previous patch. Andrew Bartlett (This used to be commit 2c537d47ba99885c6462016342b1cc29df4c54c5)
2007-10-10r10981: Pull code to decide between and implement NTLMv2, NTLM and LMAndrew Bartlett4-139/+243
authentication out of the various callers and into the kitchen sink.. err, credentials subsystem. This should ensure consistant logic, as well as get us one step closer to security=server operation in future. Andrew Bartlett (This used to be commit 09c95763301c0f7770d56462e8af4169b8c171fb)
2007-10-10r10945: Free the salt after we are done with it. May need a merge to similarAndrew Bartlett1-2/+4
code in Samba3. Andrew Bartlett (This used to be commit 36e302bac87d0a07c86cc4c841d376c778630dab)
2007-10-10r10913: This patch isn't as big as it looks ...Andrew Tridgell1-9/+9
most of the changes are fixes to make all the ldb code compile without warnings on gcc4. Unfortunately That required a lot of casts :-( I have also added the start of an 'operational' module, which will replace the timestamp module, plus add support for some other operational attributes In ldb_msg_*() I added some new utility functions to make the operational module sane, and remove the 'ldb' argument from the ldb_msg_add_*() functions. That argument was only needed back in the early days of ldb when we didn't use the hierarchical talloc and thus needed a place to get the allocation function from. Now its just a pain to pass around everywhere. Also added a ldb_debug_set() function that calls ldb_debug() plus sets the result using ldb_set_errstring(). That saves on some awkward coding in a few places. (This used to be commit f6818daecca95760c12f79fd307770cbe3346f57)
2007-10-10r10894: make the handling of dn/distinguishedName much closer to realAndrew Tridgell1-0/+1
ldap. Also ensure we put a objectclass on our private ldb's, so they have some chance of being stored in ldap if you want to (This used to be commit 1af2cc067f70f6654d08387fc28def67229bb06a)
2007-10-10r10812: Fix capitalisation (thanks tridge).Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit f78982a0f1079b07be6d7bfd9cc0f92c2cebcf1c)
2007-10-10r10810: This adds the hooks required to communicate the current user from theAndrew Bartlett2-2/+117
authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2007-10-10r10796: Make getting an anonymous session info a utility function.Andrew Bartlett2-21/+27
Andrew Bartlett (This used to be commit 6021fa373405f8788dc216aae82a3f4a80df4ba7)
2007-10-10r10764: To match Win2k3 SP1, we need to set an anonymous user token forAndrew Bartlett1-10/+21
schannel connections. Test for Win2k3 SP1 behaviour in RPC-SCHANNEL. Andrew Bartlett (This used to be commit 1c3911374ec65e4770c2fe9109d7b7d3ecd99f6a)
2007-10-10r10670: Add notes on things that are TODO in Samba4 kerberos land.Andrew Bartlett1-0/+46
Andrew Bartlett (This used to be commit 5b2114bb9c604e8d36887e1131175da327eabc84)
2007-10-10r10669: reverted jelmers commit 10663 as it was causing lots of panics in ↵Andrew Tridgell2-8/+13
'make test' I also think the method of getting rid of pstring isn't the right one. I certainly do want to get rid of pstring/fstring, but the reason for removing them is the use of arbitrary sized fixed length strings on the stack and in structures. Changing to another fixed length stack string format isn't really a win, and moving to use strncpy() is actually worse than pstrcpy() as strncpy() has the absolutely awful semantics of always zeroing all remaining bytes, so it ends up taking a lot of cpu doing pointless memory writes. I'd rather move to more use of asprintf()/talloc_asprintf() and similar functions for dynamic string allocation. You also have to be very careful about some of these system defined string limits. One some systems PATH_MAX could be 64k or even larger, which can quickly blow the stack out when you allocate a few of them. (This used to be commit 194efd26e42d621b239052ed1fec8da916bd2144)
2007-10-10r10663: Eliminate use of pstringJelmer Vernooij2-13/+8
(This used to be commit 57cfbe51e61e27098fad3f9b1113c6f8f69f9a55)
2007-10-10r10597: And add the .mk files for the new credentials subsystem.Andrew Bartlett1-0/+11
Andrew Bartlett (This used to be commit 51a0275a0e7ffc940f2403f3c74a00b3936a07f4)
2007-10-10r10596: Move the credentials code into it's own subsystem, and push it under ↵Andrew Bartlett3-0/+1103
auth/ Andrew Bartlett (This used to be commit 2e76a4b8efd59c496d64241d654538d3222545c6)
2007-10-10r10586: Add MergedObject() builder. Default to Library() ratherJelmer Vernooij2-16/+16
then StaticLibrary() (This used to be commit b53313dc517986c69a4e4cb8fe3885b696f8faa1)
2007-10-10r10579: str_list_make() can return NULLJelmer Vernooij1-1/+1
(This used to be commit f547ab4644fd1c8ae2e44a25e874abf35e02d986)
2007-10-10r10565: Try to make Kerberos authentication a bit more friendly.Andrew Bartlett2-10/+35
This disables it for 'localhost' as well as for any host our KDC does not recognise. Andrew Bartlett (This used to be commit 49c6c36763aae23880a20a8ee50c00e8935d8548)
2007-10-10r10561: This patch takes over KDC socket routines in Heimdal, and directs themAndrew Bartlett1-2/+351
at the Samba4 socket layer. The intention here is to ensure that other events may be processed while heimdal is waiting on the KDC. The interface is designed to be sufficiently flexible, so that the plugin may choose how to time communication with the KDC (ie multiple outstanding requests, looking for a functional KDC). I've hacked the socket layer out of cldap.c to handle this very specific case of one udp packet and reply. Likewise I also handle TCP, stolen from the winbind code. This same plugin system might also be useful for a self-contained testing mode in Heimdal, in conjunction with libkdc. I would suggest using socket-wrapper instead however. Andrew Bartlett (This used to be commit 3b09f9e8f9f6f645cd03073ef833c8d0fb0d84e2)
2007-10-10r10532: Replace next_token() with str_list_make()Jelmer Vernooij1-9/+8
(This used to be commit 87bb382445292755eff1c29f12358d4509ebe714)
2007-10-10r10513: Reduce some use of pstring. The main reason some parts of the code stillJelmer Vernooij3-5/+3
use pstring is next_token() now. (This used to be commit a5b88bcd420eb7ae42283293541519e142be36e3)
2007-10-10r10509: Some more sconscript fixes. Now getting to link stage for smbclientJelmer Vernooij3-15/+20
(This used to be commit 6df956edbab7ad5e72b2f20e74ab0f0d62528932)
2007-10-10r10478: More work on proto headers; we now generate a couple of smaller onesJelmer Vernooij3-9/+16
that are then included by include/proto.h (This used to be commit 703ffbaaaca11f3d8781cfe9e7542fcaa626d991)
2007-10-10r10464: Use more consistant names.Andrew Bartlett1-3/+3
Andrew Bartlett (This used to be commit 1f726906c488355733dc1a3a89c53e194c192e68)
2007-10-10r10447: Add gensec sources to proto.hTim Potter1-1/+6
(This used to be commit 1b675a1bdfa7e50e1b418ae41479f1bebc445064)
2007-10-10r10407: the schannel database does not need to be synchronous (and thus crashAndrew Tridgell1-1/+1
safe) as it is removed on smbd restart (This used to be commit 0951db6a89d15792ee1ea6b9f37c45486958ad57)
2007-10-10r10402: Make the RPC-SAMLOGON test pass against Win2k3 SP0 again.Andrew Bartlett2-3/+3
I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own test for the moment, but I'm working on these issues :-) This required a change to the credentials API, so that the special case for NTLM logins using a principal was indeed handled as a special, not general case. Also don't set the realm from a ccache, as then it overrides --option=realm=. Andrew Bartlett (This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
2007-10-10r10398: Don't do DNS lookups on short names (no .).Andrew Bartlett1-0/+8
Andrew Bartlett (This used to be commit 77aca9619d24a8e118f53bcd1a1e54b8437812a8)
2007-10-10r10390: Remove fstring, pstring and uint32_t from winbindd_nss.h.Volker Lendecke1-6/+6
Volker (This used to be commit 3dc7e67dc5e5844523e9768081123c622e61c7e9)
2007-10-10r10383: This patch is on the road to implementing servers (such as kpasswd) thatAndrew Bartlett1-29/+140
use raw krb5, not GSSAPI. I still keep the 'fake GSSAPI' code, but under the module name 'fake_gssapi_krb5'. Andrew Bartlett (This used to be commit 99efec2758ad6c996db65dd42cb72a81077c9b2b)
2007-10-10r10377: Save configuration stuff to sconf.cache so it isn't annoyingly runTim Potter1-3/+4
at every single build. Run 'scons configure=1' or delete sconf.cache to force checks to be re-run. Jelmer, I think this stuff is cached in the .sconf_cache directory but the message is still displayed and it looks like it caches the compiled test object file not the actual result of the test. (This used to be commit 9d001dc083937bbf5642af90bc8a8b1a27825de0)
2007-10-10r10372: Having gone to all the effort to uppercase the realm, actually set theAndrew Bartlett1-1/+1
upper-case realm. Andrew Bartlett (This used to be commit 3e38456dd5c40730f3203e89393dad2b97996d56)
2007-10-10r10366: More scons fixes. Building et, asn1, lex and yacc files sort-of ↵Jelmer Vernooij1-1/+6
works now (This used to be commit 22f18a84242e5e68a2d57b6d7ff77c089ee7434a)
2007-10-10r10364: Turn gensec:gssapi on by default, except for a login of the formAndrew Bartlett2-24/+24
-Udomain\\user. This will probably break in a few configurations, so please let me know. I'll also work to have a way to inhibit kerberos/ntlmssp, as this removes -k. Andrew Bartlett (This used to be commit 3c0dc570b86e79aea5446d7c3bb9750a11bf8ca4)
2007-10-10r10348: Add scons scripts for remaining subsystems. Most subsystems build now,Jelmer Vernooij4-0/+30
but final linking still fails (as does generating files asn1, et, idl and proto files) (This used to be commit 4f0d7f75b99c7f4388d8acb0838577d86baf68b5)
2007-10-10r10337: This grubby little hack is the implementation of a concept discussedAndrew Bartlett1-0/+5
on the kerberos mailing lists a couple of weeks ago: Don't use DNS at all for expanding short names into long names. Using the 'override krb5_init_context' code already in the tree, this removes the DNS lag on a kerberos session setup/connection. Andrew Bartlett (This used to be commit de3ceab3d064a286e8662a2b9b62b212f0454156)
2007-10-10r10330: Add SConscript to more subsystems. Some of the tdb tools build now.Jelmer Vernooij1-0/+1
Start on custom Samba scons tools (for handling proto generation, pidl, etc) (This used to be commit 4bffe4435944fffa3f9680b5a2fe63f2bdd98003)
2007-10-10r10292: This is set below from lp_server_role().Andrew Bartlett1-1/+0
Andrew Bartlett (This used to be commit 096c751f37172b06bb42b5c4d73b2743322d2f71)
2007-10-10r10291: The patch optionally (off by default, not available in all cases) allowsAndrew Bartlett4-22/+81
Samba to use the target principal name supplied in the mechTokenMIC of an SPNEGO negTokenInit. This isn't a great idea for security reasons, but is how Samba3 behaves, and allows kerberos to function more often in some environments. It is only available for CIFS session setups, due to the ordering of the exchange. Andrew Bartlett (This used to be commit f6a645644127ae695a9f7288e0a469f2eb7f3066)
2007-10-10r10286: This patch is ugly and disgusting, but for now it works better than ↵Andrew Bartlett5-118/+158
the other ideas I have had. When I get a full list of things I want to do to a krb5_context I'll either add gsskrb5_ wrappers, or a way of speicfying the krb5 context per gssapi context. (I want to ensure that the only krb5_context variables created while executing Samba4 are via our wrapper). Andrew Bartlett (This used to be commit 8a22d46e70e9f863831aba0c9913d195f833d625)