summaryrefslogtreecommitdiff
path: root/source4/auth
AgeCommit message (Collapse)AuthorFilesLines
2011-06-08s4-gensec bring GSS_S_CONTEXT_EXPIRED into it's own error handlerAndrew Bartlett1-0/+59
This allows us to print much more debugging in this critical situation. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Jun 8 04:19:58 CEST 2011 on sn-devel-104
2011-06-08s4-credentials Don't use expired Kerberos or GSSAPI credentialsAndrew Bartlett1-4/+57
In a long-lived credentials cache situation, we may need to refetch the ticket after (say) 10 hours. This code should help that happen, by checking the lifetime before returning any credentials cache or GSSAPI credentials. Andrew Bartlett
2011-06-08s4-credentials Allow use of file-based credentials caches for debugging.Andrew Bartlett1-3/+9
This means that we will leave a slew of file based credentials caches in /tmp, which should give some clues to the administrator or developer via klist as to what has gone wrong. Andrew Bartlett
2011-06-07s4-auth Move default auth methods back into auth.cAndrew Bartlett1-4/+6
This changes auth_methods_from_lp to no longer use the parametric options, and to cope with ROLE_DOMAIN_BDC and ROLE_DOMAIN_PDC. This will assist in calling the source4 auth subsystem with a source3 derived lp_ctx. Andrew Bartlett
2011-06-06s4-modules Remove lp_ctx from init functions that no longer need itAndrew Bartlett3-5/+5
Now that we don't allow the smb.conf to change the modules dir, many functions that simply load modules or initialise a subsytem that may load modules no longer need an lp_ctx. Andrew Bartlett
2011-05-21s4:auth/ntlmssp/ntlmssp_server.c - add "const" in front of "dnsdomain"Matthias Dieter Wallnöfer1-1/+1
Signed-off-by: Metze
2011-05-18s4:auth/credentials: S4U2Self should force CRED_MUST_USE_KERBEROSStefan Metzmacher1-0/+1
Otherwise we would not impersonate the desired principal. This still doesn't work for plaintext auth, but should avoid ntlmssp. metze
2011-05-18s4:auth/credentials: pass 'self_service' to ↵Stefan Metzmacher4-7/+32
cli_credentials_set_impersonate_principal() This also adds a cli_credentials_get_self_service() helper function. In order to support S4U2Proxy we need to be able to set the service principal for the S4U2Self step independent of the target principal. metze
2011-05-18s4:gensec_gssapi: avoid delegation if s4u2self/proxy is usedStefan Metzmacher1-0/+4
metze
2011-05-08s4-auth Rename auth -> auth4 to avoid conflict with s3 authAndrew Bartlett18-74/+74
2011-05-08s4-auth: remove unused prototypeAndrew Tridgell1-4/+1
2011-05-05s4-auth: removed the password combinations code in auth_unixAndrew Tridgell1-39/+4
this code never did anything due to a typo, and was untested. We should not be inluding a password cracker in Samba anyway. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Thu May 5 07:00:14 CEST 2011 on sn-devel-104
2011-05-04sasl_secret_t ends in a char [1] size. This means the extra character is ↵Jeremy Allison1-2/+2
implicit in the safe_strcpy. When changing to strlcpy ensure we allocate an extra char for it. This fixes a bug where secret->len+1 used with safe_strcpy could actually write into secret->len+2.
2011-05-03Remove strlower_m() and strupper_m() from source4 and common code.Andrew Bartlett1-14/+14
This function is problematic because a string may expand in size when changed into upper or lower case. This will then push characters off the end of the string in the s3 implementation, or panic in the former s4 implementation. Andrew Bartlett
2011-05-03s4-messaging Rename messaging -> imessagingAndrew Bartlett5-16/+16
This avoid symbol and structure conflicts between Samba3 and Samba4, and chooses a less generic name. Andrew Bartlett
2011-04-29s4-param Remove config_path() -> lpcfg_config_path()Andrew Bartlett1-1/+1
This is consistent with lock_path() Andrew Bartlett
2011-04-27s4-gensec: Use new common 'obtain the PAC' functions.Andrew Bartlett1-15/+4
Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Apr 27 05:08:10 CEST 2011 on sn-devel-104
2011-04-27libcli/auth Move Samba4's gssapi_error_string from GENSEC to libcli/authAndrew Bartlett1-38/+0
This will allow the GSSAPI PAC fetch code to use it. Andrew Bartlett
2011-04-20libcli/auth Move PAC parsing and verification in common.Andrew Bartlett3-336/+19
This uses the source3 PAC code (originally from Samba4) with some small changes to restore functionality needed by the torture tests, and to have a common API. Andrew Bartlett
2011-04-14s3-auth Rename smb_krb5_open_keytab to avoid a conflict with s3Andrew Bartlett2-9/+9
The s3 function doesn't use the keytab_container concept. Andrew Bartlett
2011-04-14libcli/auth Move krb5 wrapper functions from s3 into commonAndrew Bartlett3-113/+4
This requires a small rework of the build system to ensure that the correct #define statements are made in both the s3 and top level builds. We now define the various HAVE_ macros in config.h at all times, using heimdal_build/wscript_configure when that is in use. Andrew Bartlett
2011-04-06lib: make asn1_util a private libraryAndrew Tridgell2-2/+2
this prevents symbol duplication of the asn1 symbols in the service and ntvfs subsystems Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-04-05auth: Move auth_session_info into IDLAndrew Bartlett4-104/+16
This changes auth_session_info_transport to just be a wrapper, rather than a copy that has to be kept in sync. As auth_session_info was already wrapped in python, this required changes to the existing pyauth wrapper and it's users. Andrew Bartlett
2011-04-05s4-auth: Always talloc_zero() the struct auth_session_infoAndrew Bartlett1-1/+1
2011-04-04s4-krb5: be a bit less verbose about krb5 packetsAndrew Tridgell1-1/+1
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-03-28Fix inspired by work done by David Disseldorp for bug #8040 - smbclient ↵Jeremy Allison1-4/+10
segfaults when a Cyrillic netbios name or workgroup is configured. Change msrpc_gen to return NTSTATUS and ensure everywhere this is used it is correctly checked to return that status. Jeremy.
2011-03-22s4:python bindings - handle NULL returns from "loadparm_init_global"Matthias Dieter Wallnöfer1-0/+10
Reviewed-by: Jelmer Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Tue Mar 22 19:52:57 CET 2011 on sn-devel-104
2011-03-22s4:auth/system_session.c - check for OOMMatthias Dieter Wallnöfer1-0/+2
Reviewed-by: Jelmer
2011-03-19source4/auth: Fix prototypes for all functions.Jelmer Vernooij6-1/+17
2011-03-19source4/auth/ntlm: Fix prototypes for all functions.Jelmer Vernooij7-0/+13
2011-03-19source4/auth/gensec: Fix prototypes for all functions.Jelmer Vernooij7-1/+11
2011-03-14Fix public header not to include private (not installed) ones.Simo Sorce2-1/+2
Autobuild-User: Simo Sorce <idra@samba.org> Autobuild-Date: Mon Mar 14 17:01:20 CET 2011 on sn-devel-104
2011-03-04s4-nterr: move auth_nt_status_squash to nt_status_squash and move to nterr.cGünther Deschner3-26/+1
Guenther
2011-02-28Fix some typesJelmer Vernooij1-1/+1
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Mon Feb 28 23:30:06 CET 2011 on sn-devel-104
2011-02-28tdb: Use <tdb.h> to include tdb so system headers are found when building ↵Jelmer Vernooij2-2/+2
against system tdb.
2011-02-24build: moved spnego_parse.c into a common subsystemAndrew Tridgell1-2/+2
2011-02-24build: moved schannel_sign.c into a shared COMMON_SCHANNEL subsystemAndrew Tridgell1-2/+2
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-24build: moved libcli/auth/ntlmssp*.c into a common libcliauth.so libraryAndrew Tridgell3-7/+4
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-22s4-auth Move libcli/security/session.c to the top levelAndrew Bartlett2-8/+2
This code is now useful in common, as the elements of the auth_session_info structure have now been defined in common IDL. Andrew Bartlett
2011-02-18s4-auth: rename 'auth' subsystem to 'auth4'Andrew Tridgell5-25/+25
this prevents conflicts with the s3 auth modules. The auth modules in samba3 may appear in production smb.conf files, so it is preferable to rename the s4 modules for minimal disruption. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-14librpc: make NDR_KRB5PAC a shared library (libndr-krb5pac.so).Günther Deschner1-1/+1
Simo, please check. Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Mon Feb 14 18:54:38 CET 2011 on sn-devel-104
2011-02-10ldb: use #include <ldb.h> for ldbAndrew Tridgell4-4/+4
thi ensures we are using the header corresponding to the version of ldb we're linking against. Otherwise we could use the system ldb for link and the in-tree one for include Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-10s4-krb5: authkrb5 should depend on ldbAndrew Tridgell1-1/+1
this fixes the include path to add ldb Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-10libcli/named_pipe_auth Change from 'info3' to auth_session_info_transportAndrew Bartlett2-0/+157
This changes the structure being used to convey the current user state from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built structure that matches the internals of the Samba auth subsystem and contains the final group list, as well as the final privilege set and session key. These previously had to be re-created on the server side of the pipe each time. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-10auth Move auth_sam_reply into the top level.Andrew Bartlett2-397/+0
These functions provide conversions between some netlogon.idl and auth.idl structures Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-09s4-auth Fix setting of bad_password_count in ↵Andrew Bartlett1-1/+1
auth_convert_user_info_dc_sambaseinfo() Discovered during the convertion to auth_user_info. Andrew Bartlett
2011-02-09s4-auth Rework auth subsystem to remove struct auth_serversupplied_infoAndrew Bartlett22-666/+705
This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-09s4-auth Add auth.idl to encode auth subsystem structures in IDLAndrew Bartlett1-0/+1
This is not only a useful way to encode stuff, it also allows python to handle the structures, and natrually allows them to be NDR encoded. Andrew Bartlett
2011-02-08pam: share pam errors in a common location.Günther Deschner4-166/+1
Guenther
2011-02-02s4-python Ensure we add the Samba python path first.Andrew Bartlett1-1/+1
This exact form of the construction is important, and we match on it in the installation scripts. Andrew Bartlett