path: root/source4/auth
Age | Commit message | Author | Files | Lines
2007-10-10 | r11244: Relative path names in .mk files | Jelmer Vernooij | 5 | -35/+39
(This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba)
2007-10-10 | r11239: Use ${REALM} for the realm in rootdse.ldif | Andrew Bartlett | 1 | -2/+1
Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2007-10-10 | r11226: Cope with Samba3's behaviour on LDAP with GSS-SPNEGO. | Andrew Bartlett | 1 | -2/+3
Andrew Bartlett (This used to be commit 4d9667f5a037eb15f6f0e4329314a37f148e9db7)
2007-10-10 | r11220: Add the ability to handle the salt principal as part of the | Andrew Bartlett | 5 | -29/+51
credentials. This works with the setup/secrets.ldif change from the previous patch, and pretty much just re-invents the keytab. Needed for kpasswdd work. Andrew Bartlett (This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5)
2007-10-10 | r11219: Now that we have the credentials hooked in here, we have a much more | Andrew Bartlett | 1 | -1/+10
reasonable value to fill in for the mechListMIC. Andrew Bartlett (This used to be commit 51d78de2b79f4ab75c86c3255c23a478c6822a0e)
2007-10-10 | r11218: Always return the mutual authentication reply (needed for kpasswd), | Andrew Bartlett | 1 | -45/+12
and remove now duplicated unwrap_pac(). Andrew Bartlett (This used to be commit 90642d54e02e09edc96b9498e66befda20dbb68d)
2007-10-10 | r11216: Upgrade to gd's PAC extraction code from Samba3. While I still want | Andrew Bartlett | 4 | -47/+140
to make some of this the kerberos library's problem, we may as well use the best code that is around. Andrew Bartlett (This used to be commit a7fe3078a65f958499779f381731b408f3e6fb1f)
2007-10-10 | r11215: Remove no-op prompter intended to work around bugs in old kerberos libs. | Andrew Bartlett | 1 | -27/+1
I'm also worried this might cause loops, if we get a 'force password change', and the prompter tries to 'deal with it'. Andrew Bartlett (This used to be commit 5bc10c4e472b45c5b5b0ea0c3dd100be6f4dabca)
2007-10-10 | r11214: Remove scons files (see | Jelmer Vernooij | 4 | -54/+0
http://lists.samba.org/archive/samba-technical/2005-October/043443.html) (This used to be commit 7fffc5c9178158249be632ac0ca179c13bd1f98f)
2007-10-10 | r11212: Enable sealing of data with raw krb5, consolidate some code into the | Andrew Bartlett | 1 | -61/+63
main gensec_krb5_start and always ask for sequence numbers. Andrew Bartlett (This used to be commit 801cd6c6ffa96ac79eb425adf7c97eb2cfcbed4a)
2007-10-10 | r11209: We can't read the priorSecret unless we ask for it. | Andrew Bartlett | 1 | -0/+1
Andrew Bartlett (This used to be commit ee9a93688d31d8da91b81e9b0f6fac3fa4894c13)
2007-10-10 | r11204: Allow us to read credentials from secrets.ldb without a | Andrew Bartlett | 1 | -6/+2
secureChannelType (non machine join records). Andrew Bartlett (This used to be commit 3dddf497ccf246af435e6e2802d8f3745f2e4fd3)
2007-10-10 | r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5 | Andrew Bartlett | 10 | -280/+302
authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use kerberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentials to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
2007-10-10 | r11199: Push an objectSid into the schannel state database, to match the new | Andrew Bartlett | 1 | -10/+2
header. Andrew Bartlett (This used to be commit a665b56085cbf89c6deaeef0deaed31fcbc07458)
2007-10-10 | r11196: Clean up memory leaks (pointed out by vl), and handle the case where | Andrew Bartlett | 1 | -11/+47
the client doesn't guess correctly on the mech to use. It must back off and try the mech the server selected from the list. I'm not particularly attached to our SPNEGO parser, so while I can't easily use the SPNEGO application logic in Heimdal, I'm going to look closely at using the asn1 routines to avoid some pain here. Andrew Bartlett (This used to be commit 929217387449270b60c3f825dca3b3cae5a4f9d1)
2007-10-10 | r11081: Remember to remove unused variables. | Jeremy Allison | 1 | -1/+0
Jeremy. (This used to be commit bfa41398a65037c6017b0af0ea1f0423011df150)
2007-10-10 | r11080: Narrowing down on the #1828 PPC bug. The PPC client sends an | Jeremy Allison | 1 | -19/+7
initial NTLMSSP negotiate blob of only 16 bytes - no strings added ! (So don't try parsing them). Jeremy. (This used to be commit 42d93a317ab424a0720620b83c285b5118bcc06f)
2007-10-10 | r11076: Still working on bug #1828, PPC hell. The PPC client sends the | Jeremy Allison | 1 | -2/+12
NTLMSSP client and domain strings as Unicode, even when setting flags as OEM. Cope with this. Jeremy. (This used to be commit 77399e1cecc44674c3398143d8a5bb59c600abcd)
2007-10-10 | r11058: remove useless talloc context | Stefan Metzmacher | 1 | -4/+1
metze (This used to be commit d9d3fe1b8aa34f5d87b73b94253b4230303cba76)
2007-10-10 | r11052: bring samba4 up to date with the samba4-winsrepl branch, | Stefan Metzmacher | 2 | -11/+0
before the bad merge metze (This used to be commit 471c0ca4abb17fb5f73c0efed195c67628c1c06e)
2007-10-10 | r11037: | Stefan Metzmacher | 2 | -0/+11
(This used to be commit 6913e338405a5aca5c70cf6e022532c596ed0a36)
2007-10-10 | r10985: To aid in testing, this allows us to easily force kerberos to use | Andrew Bartlett | 1 | -5/+9
UDP or TCP. Andrew Bartlett (This used to be commit ae0b4028ff7033dab70687376c2090baa692cf58)
2007-10-10 | r10982: Move credentials.h into auth/credentials, and add flags needed by | Andrew Bartlett | 1 | -0/+81
previous patch. Andrew Bartlett (This used to be commit 2c537d47ba99885c6462016342b1cc29df4c54c5)
2007-10-10 | r10981: Pull code to decide between and implement NTLMv2, NTLM and LM | Andrew Bartlett | 4 | -139/+243
authentication out of the various callers and into the kitchen sink.. err, credentials subsystem. This should ensure consistent logic, as well as get us one step closer to security=server operation in future. Andrew Bartlett (This used to be commit 09c95763301c0f7770d56462e8af4169b8c171fb)
2007-10-10 | r10945: Free the salt after we are done with it. May need a merge to similar | Andrew Bartlett | 1 | -2/+4
code in Samba3. Andrew Bartlett (This used to be commit 36e302bac87d0a07c86cc4c841d376c778630dab)
2007-10-10 | r10913: This patch isn't as big as it looks ... | Andrew Tridgell | 1 | -9/+9
most of the changes are fixes to make all the ldb code compile without warnings on gcc4. Unfortunately that required a lot of casts :-( I have also added the start of an 'operational' module, which will replace the timestamp module, plus add support for some other operational attributes. In ldb_msg_*() I added some new utility functions to make the operational module sane, and remove the 'ldb' argument from the ldb_msg_add_*() functions. That argument was only needed back in the early days of ldb when we didn't use the hierarchical talloc and thus needed a place to get the allocation function from. Now it's just a pain to pass around everywhere. Also added a ldb_debug_set() function that calls ldb_debug() plus sets the result using ldb_set_errstring(). That saves on some awkward coding in a few places. (This used to be commit f6818daecca95760c12f79fd307770cbe3346f57)
2007-10-10 | r10894: make the handling of dn/distinguishedName much closer to real | Andrew Tridgell | 1 | -0/+1
ldap. Also ensure we put an objectclass on our private ldb's, so they have some chance of being stored in ldap if you want to (This used to be commit 1af2cc067f70f6654d08387fc28def67229bb06a)
2007-10-10 | r10812: Fix capitalisation (thanks tridge). | Andrew Bartlett | 1 | -1/+1
Andrew Bartlett (This used to be commit f78982a0f1079b07be6d7bfd9cc0f92c2cebcf1c)
2007-10-10 | r10810: This adds the hooks required to communicate the current user from the | Andrew Bartlett | 2 | -2/+117
authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2007-10-10 | r10796: Make getting an anonymous session info a utility function. | Andrew Bartlett | 2 | -21/+27
Andrew Bartlett (This used to be commit 6021fa373405f8788dc216aae82a3f4a80df4ba7)
2007-10-10 | r10764: To match Win2k3 SP1, we need to set an anonymous user token for | Andrew Bartlett | 1 | -10/+21
schannel connections. Test for Win2k3 SP1 behaviour in RPC-SCHANNEL. Andrew Bartlett (This used to be commit 1c3911374ec65e4770c2fe9109d7b7d3ecd99f6a)
2007-10-10 | r10670: Add notes on things that are TODO in Samba4 kerberos land. | Andrew Bartlett | 1 | -0/+46
Andrew Bartlett (This used to be commit 5b2114bb9c604e8d36887e1131175da327eabc84)
2007-10-10 | r10669: reverted jelmer's commit 10663 as it was causing lots of panics in | Andrew Tridgell | 2 | -8/+13
'make test' I also think the method of getting rid of pstring isn't the right one. I certainly do want to get rid of pstring/fstring, but the reason for removing them is the use of arbitrary sized fixed length strings on the stack and in structures. Changing to another fixed length stack string format isn't really a win, and moving to use strncpy() is actually worse than pstrcpy() as strncpy() has the absolutely awful semantics of always zeroing all remaining bytes, so it ends up taking a lot of cpu doing pointless memory writes. I'd rather move to more use of asprintf()/talloc_asprintf() and similar functions for dynamic string allocation. You also have to be very careful about some of these system defined string limits. On some systems PATH_MAX could be 64k or even larger, which can quickly blow the stack out when you allocate a few of them. (This used to be commit 194efd26e42d621b239052ed1fec8da916bd2144)
2007-10-10 | r10663: Eliminate use of pstring | Jelmer Vernooij | 2 | -13/+8
(This used to be commit 57cfbe51e61e27098fad3f9b1113c6f8f69f9a55)
2007-10-10 | r10597: And add the .mk files for the new credentials subsystem. | Andrew Bartlett | 1 | -0/+11
Andrew Bartlett (This used to be commit 51a0275a0e7ffc940f2403f3c74a00b3936a07f4)
2007-10-10 | r10596: Move the credentials code into its own subsystem, and push it under | Andrew Bartlett | 3 | -0/+1103
auth/ Andrew Bartlett (This used to be commit 2e76a4b8efd59c496d64241d654538d3222545c6)
2007-10-10 | r10586: Add MergedObject() builder. Default to Library() rather | Jelmer Vernooij | 2 | -16/+16
than StaticLibrary() (This used to be commit b53313dc517986c69a4e4cb8fe3885b696f8faa1)
2007-10-10 | r10579: str_list_make() can return NULL | Jelmer Vernooij | 1 | -1/+1
(This used to be commit f547ab4644fd1c8ae2e44a25e874abf35e02d986)
2007-10-10 | r10565: Try to make Kerberos authentication a bit more friendly. | Andrew Bartlett | 2 | -10/+35
This disables it for 'localhost' as well as for any host our KDC does not recognise. Andrew Bartlett (This used to be commit 49c6c36763aae23880a20a8ee50c00e8935d8548)
2007-10-10 | r10561: This patch takes over KDC socket routines in Heimdal, and directs them | Andrew Bartlett | 1 | -2/+351
at the Samba4 socket layer. The intention here is to ensure that other events may be processed while heimdal is waiting on the KDC. The interface is designed to be sufficiently flexible, so that the plugin may choose how to time communication with the KDC (ie multiple outstanding requests, looking for a functional KDC). I've hacked the socket layer out of cldap.c to handle this very specific case of one udp packet and reply. Likewise I also handle TCP, stolen from the winbind code. This same plugin system might also be useful for a self-contained testing mode in Heimdal, in conjunction with libkdc. I would suggest using socket-wrapper instead however. Andrew Bartlett (This used to be commit 3b09f9e8f9f6f645cd03073ef833c8d0fb0d84e2)
2007-10-10 | r10532: Replace next_token() with str_list_make() | Jelmer Vernooij | 1 | -9/+8
(This used to be commit 87bb382445292755eff1c29f12358d4509ebe714)
2007-10-10 | r10513: Reduce some use of pstring. The main reason some parts of the code still | Jelmer Vernooij | 3 | -5/+3
use pstring is next_token() now. (This used to be commit a5b88bcd420eb7ae42283293541519e142be36e3)
2007-10-10 | r10509: Some more sconscript fixes. Now getting to link stage for smbclient | Jelmer Vernooij | 3 | -15/+20
(This used to be commit 6df956edbab7ad5e72b2f20e74ab0f0d62528932)
2007-10-10 | r10478: More work on proto headers; we now generate a couple of smaller ones | Jelmer Vernooij | 3 | -9/+16
that are then included by include/proto.h (This used to be commit 703ffbaaaca11f3d8781cfe9e7542fcaa626d991)
2007-10-10 | r10464: Use more consistent names. | Andrew Bartlett | 1 | -3/+3
Andrew Bartlett (This used to be commit 1f726906c488355733dc1a3a89c53e194c192e68)
2007-10-10 | r10447: Add gensec sources to proto.h | Tim Potter | 1 | -1/+6
(This used to be commit 1b675a1bdfa7e50e1b418ae41479f1bebc445064)
2007-10-10 | r10407: the schannel database does not need to be synchronous (and thus crash | Andrew Tridgell | 1 | -1/+1
safe) as it is removed on smbd restart (This used to be commit 0951db6a89d15792ee1ea6b9f37c45486958ad57)
2007-10-10 | r10402: Make the RPC-SAMLOGON test pass against Win2k3 SP0 again. | Andrew Bartlett | 2 | -3/+3
I still have issues with Win2k3 SP1, and Samba4 doesn't pass its own test for the moment, but I'm working on these issues :-) This required a change to the credentials API, so that the special case for NTLM logins using a principal was indeed handled as a special, not general case. Also don't set the realm from a ccache, as then it overrides --option=realm=. Andrew Bartlett (This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
2007-10-10 | r10398: Don't do DNS lookups on short names (no .). | Andrew Bartlett | 1 | -0/+8
Andrew Bartlett (This used to be commit 77aca9619d24a8e118f53bcd1a1e54b8437812a8)
2007-10-10 | r10390: Remove fstring, pstring and uint32_t from winbindd_nss.h. | Volker Lendecke | 1 | -6/+6
Volker (This used to be commit 3dc7e67dc5e5844523e9768081123c622e61c7e9)