summaryrefslogtreecommitdiff
path: root/source4/auth
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r9418: SPNEGO fixes:Andrew Bartlett1-18/+29
- Fix mixing of code and data - send mechListMic again in SPENGO server - only send optomistic first packet in the client. (This used to be commit 9941da8081ef5a669b0946265860d2f20d3718d3)
2007-10-10r9416: Cleanups inspired by jra's work to migrate Samba4's NTLMSSP code backAndrew Bartlett6-170/+160
into Samba3. The NTLMSSP sign/seal code now assumes that GENSEC has already checked to see if SIGN or SEAL should be permitted. This simplfies the code ensures that no matter what the mech, the correct code paths have been set in place. Also remove duplication caused by the NTLMv2 code's history, and document why some of the things a bit funny. In SPNEGO, create a new routine to handle the negTokenInit creation. We no longer send an OID for a mech we can't start (like kerberos on the server without a valid trust account). Andrew Bartlett (This used to be commit fe45ef608f961a6950d4d19b4cb5e7c27b38ba5f)
2007-10-10r9415: Remove old kerberos code (including salt guessing code) that has onlyAndrew Bartlett3-713/+8
caused me pain (and covourty warnings). Simply gensec_gssapi to assume the properties of lorikeet-heimdal, rather than having #ifdef around critical features. This simplifies the code rather a lot. Andrew Bartlett (This used to be commit 11156f556db678c3d325fe5ced5e41a76ed6a3f1)
2007-10-10r9412: Simplfy this NTLM authentication code by requiring the caller toAndrew Bartlett2-96/+42
supply the user_sess_key and lm_sess_key parameters. Inspired by coverty complaining about inconsistant checking. Also factor out some of this code, where we deal with just NT and LM hashes, or embedded plaintext passwords. Andrew Bartlett (This used to be commit ceec35564f44c8043888c8ffa776f137bd1171c8)
2007-10-10r9411: Ensure we don't send a challenge without first getting a negotiate inAndrew Bartlett2-2/+9
NTLMSSP, unless we are in datagram mode (not fully implemented yet). Andrew Bartlett (This used to be commit 727f5109421e9414a335e42e3ad3dd3ff19776bd)
2007-10-10r9391: Convert all the code to use struct ldb_dn to ohandle ldap like ↵Simo Sorce2-15/+13
distinguished names Provide more functions to handle DNs in this form (This used to be commit 692e35b7797e39533dd2a1c4b63d9da30f1eb5ba)
2007-10-10r9357: Remove DBGC_CLASS cruft copied over from Samba 3. I would like toTim Potter7-21/+0
replace this with something funkier. (This used to be commit 8d376d56c78894b9bbd27ed7fa70da415c0cd038)
2007-10-10r9240: - move struct security_token to the idl file, with this we canStefan Metzmacher1-1/+1
the ndr_pull/push/print functions for it in the ntacl-lsm module - fix compiler warnings in the ldap_encode_ndr_* code metze (This used to be commit 83d65d0d7ed9c240ad44aa2c881c1f07212bfda4)
2007-10-10r9233: Ensure that the output variable is initialised in this conversion fromAndrew Bartlett1-0/+1
error to non-error case. Andrew Bartlett (This used to be commit ab75cd53e7c65fa6242b8dde3bfede735a6b36d5)
2007-10-10r9196: - add a note about the Canonicalize KDCOPtion flagStefan Metzmacher1-0/+15
- add a note about old client using the wrong checksum type for GSSAPI in the Authenticator metze (This used to be commit 07e39bd94c3ce4d255e6cf6e68dc438bb5c9f9e6)
2007-10-10r9165: Fix inverted error check in untested code path. (My untested code...)Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit fba7a0edd4ba29e595bb6ebd77381b383701482d)
2007-10-10r9084: 'resign' the sample PAC for the validation of the signature algorithms.Andrew Bartlett4-97/+196
If we ever get problems with the kerberos code, it should show up as a different signature in this PAC. This involved returning more data from the pac functions, so changed some callers and split up some functions. Andrew Bartlett (This used to be commit d514a7491208afa0533bf9e99601147eb69e08c9)
2007-10-10r9022: One more step in the game of whack-a-mole with the PAC.Andrew Bartlett1-7/+27
This makes the PAC we generate match (closely) the PAC generated by my test win2k3 DC. Andrew Bartlett (This used to be commit 6172b1868020ac8e828c375f17f4c33fc40eaca4)
2007-10-10r8980: Make Samba4 honour account control flags (we were asking for aAndrew Bartlett1-3/+5
non-existant field). Also change time(NULL) into an NTTIME for comparison, rather than experience rounding bugs (size of time_t) when converting an NTTIME into a time_t. Andrew Bartlett (This used to be commit 181155f9e059a2eb74a7dd7c34a358724ec88bb8)
2007-10-10r8933: Fix missing prototype warningsJelmer Vernooij1-0/+1
(This used to be commit 39b2220a84b1860d8ee09b8c15049f18fd77da7d)
2007-10-10r8774: make some gensec errors a bit less verboseAndrew Tridgell2-3/+3
(This used to be commit 2134ca475586ed9e062fbf4ef7222fe286c60c57)
2007-10-10r8701: Fix up auth_developer for recent changes.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 1bc5a1190765571719dd0aaacef1413bba812617)
2007-10-10r8700: Propmted by tridge's need to do plaintext auth in ejs, rework theAndrew Bartlett10-379/+398
user_info strcture in auth/ This moves it to a pattern much like that found in ntvfs, with functions to migrate between PAIN, HASH and RESPONSE passwords. Instead of make_user_info*() functions, we simply fill in the control block in the callers, per recent dicussions on the lists. This removed a lot of data copies as well as error paths, as we can grab much of it with talloc. Andrew Bartlett (This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88)
2007-10-10r8676: attribute lists in ldb searches must be NULL terminatedAndrew Tridgell1-1/+1
this is what was causing the panic on the s390 box (This used to be commit 3a49626ae17d6076f0fc54b0453acb459d88297c)
2007-10-10r8644: This is a more useful error than unsuccesful.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit d7136c93fb7ddf27d914329a7c9fd77de22d4356)
2007-10-10r8520: fixed a pile of warnings from the build farm gcc -Wall output onAndrew Tridgell4-8/+12
S390. This is an attempt to avoid the panic we're seeing in the automatic builds. The main fixes are: - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats - use of NULL format statements to perform dn searches. - assumption that sizeof() returns an int (This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
2007-10-10r8460: removed the unused function krb5_locate_kdc(). It causes a build ↵Andrew Tridgell2-62/+0
failure on irix. Andrew, if you planned on using this in the future then we can put it back and work out how to make it portable (This used to be commit eaa74913fedefbf33f7cfab6648bf05aa3cdbbb3)
2007-10-10r8390: (smb_pam_start): move variable to scope within #ifdef to avoid warningLove Hörnquist Åstrand1-1/+4
for those PAM implementations w/o PAM_RHOST and/or PAM_TTY (This used to be commit 95cb2d942f7cffc9131519c865656fb615395d04)
2007-10-10r8321: Fix some uninitalized variable warningsVolker Lendecke1-1/+1
(This used to be commit 126cb3db4b0cf9c382ba7496ba08311f3b669f00)
2007-10-10r8259: We want to oset the provided flags not zeroSimo Sorce1-1/+1
(This used to be commit 50d8ccacca707738f131e47c739dcfacde1311e6)
2007-10-10r8252: Steal metze's thunder, and prove that with a few small tweaks, we canAndrew Bartlett1-2/+2
now push/pull a sample PAC, and still have the same byte buffer. (Metze set up the string code, and probably already has a similar patch). Unfortunetly win2k3 still doesn't like what we provide, but every step helps. Also use data_blob_const() when we are just wrapping data for API reasons. Andrew Bartlett (This used to be commit e7c8076fc1459ff2ccefdaf0b091d04ee6137957)
2007-10-10r8251: fixed a couple of valgrind errors in the unix auth code. Simo, can youAndrew Tridgell2-1/+2
please check that this is what you intended? (This used to be commit a57738769dfb5a47ac49e965750193ecdc903d5a)
2007-10-10r8250: More PAC work. We now sucessfully verify the KDC signature from my DCAndrew Bartlett4-26/+54
(I have included the krbtgt key from my test network). It turns out the krbtgt signature is over the 16 (or whatever, enc-type dependent) bytes of the signature, not the entire structure. Also do not even try to use Kerberos or GSSAPI on an IP address, it will only fail. Andrew Bartlett (This used to be commit 3b9558e82fdebb58f240d43f6a594d676eb04daf)
2007-10-10r8164: - match the ordering w2k3 uses for the PAC_BUFFER:Stefan Metzmacher2-15/+97
LOGON_INFO LOGON_NAME SRV_CHECKSUM KDC_CHECKSUM - w2k3 also don't use the groupmembership array with rids it uses the othersids array metze (This used to be commit 2286fad27d749ebba14f5448f1f635bb36750c9c)
2007-10-10r8163: if sidcount is zero it happened that we return NT_STATUS_NO_MEMORY...Stefan Metzmacher1-4/+6
metze (This used to be commit a9ff35a1a24f2d2935e67855fee5011ea528029f)
2007-10-10r8156: I found out that the unknown[2] field of the unknown[4] array is a ↵Stefan Metzmacher1-6/+4
length too, it's always 16 bytes smaller than the size in the PAC_BUFFER we now dump the blob's on LOCAL-PAC with -d 10 metze (This used to be commit 4ef721ce53539ac56ca8ac4d601f512149ca7283)
2007-10-10r8148: - make the PAC generation code a bit more readable and add some outof ↵Stefan Metzmacher1-62/+81
memory checks - move to handmodified pull/push code for PAC_BUFFER to get the _ndr_size field and the subcontext size right - after looking closely to the sample w2k3 PAC in our torture test (and some more in my archive) I found out that the first uint32 before the netr_SamInfo3 was also a pointer, (and we passed a NULL pointer there before, so I think that was the reason why the windows clients doesn't want our PAC) w2k3 uses this for unique pointers: ptr = ndr->ptr_count * 4; ptr |= 0x00020000; ndr->ptr_count; - do one more pull/push round with the sample PAC metze (This used to be commit 0eee17941595e9842a264bf89ac73ca66cea7ed5)
2007-10-10r8110: More PAC work. I still can't get WinXP to accept the PAC, but we areAndrew Bartlett4-103/+142
much closer. This changes PIDL to allow a subcontext to have a pad8 flag, saying to pad behind to an 8 byte boundary. This is the only way I can explain the 4 trainling zeros in the signature struct. Far more importantly, the PAC code is now under self-test, both in creating/parsing our own PAC, but also a PAC from my win2k3 server. This required changing auth_anonymous, because I wanted to reuse the anonymous 'server_info' generation code. I'm still having trouble with PIDL, particulary as surrounds value(), but I'll follow up on the list. Andrew Bartlett (This used to be commit 50a54bf4e9bf04d2a8e0aebb3482a2ff655c8bbb)
2007-10-10r8016: Get the keyblock arguments correct. (the context struct changed, butAndrew Bartlett1-2/+2
I forgot to update the users) Andrew Bartlett (This used to be commit 44b86b7e6570e31ab07ce12593fb8834325c52c8)
2007-10-10r8001: Also fill in the krbtgt checksum, and make sure to put the rightAndrew Bartlett2-5/+25
checksum in the right place... Andrew Bartlett (This used to be commit 90d0f502da20add6784c883b2085cde519604933)
2007-10-10r7993: Further work on the Krb5 PAC.Andrew Bartlett8-28/+299
We now generate the PAC, and can verifiy both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, spits out the code to get the information we need from the NETLOGON server back into a auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be veified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
2007-10-10r7991: I forgot to free the keyblock once we are done with it.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit a68e348375ab026385e7d5162ed8da8f2adbd84e)
2007-10-10r7989: Allow the use of hashed passwords in the kerberos client and server,Andrew Bartlett2-17/+137
and create the in-memory keytab with the correct kvno, if available. Andrew Bartlett (This used to be commit 7b7b2b038e25f3d767b5db7d6e41dd947fdde091)
2007-10-10r7986: Fix the compile, thanks to HotaruT.Andrew Bartlett1-1/+1
This won't actually work until I get the keyblock filled in again, but at least it will compile. I first need to decide if we want to keep the server-side gensec_krb5 code at all, now we have the GSSAPI layer doing what we want. Andrew Bartlett (This used to be commit 28e49de9293002ee89f0666144c9028daefdde88)
2007-10-10r7980: Forgot to add kerberos_pac.c to this config.mk file.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit bba58a1876353effbef540dd0db9e66db5343c35)
2007-10-10r7979: Metze reminded me to try one more combination, and we can now verifyAndrew Bartlett1-32/+14
the 'PAC', required for interopability with Active Directory. This is still a cludge, as it doesn't handle different encryption types, but that should be fairly easy to fix (needs PIDL/IDL changes). Andrew Bartlett (This used to be commit 690cfc44cef9b349cc31417d8353b6ce1c7832e1)
2007-10-10r7978: A start again on PAC verification. I have noticed that the kerberosAndrew Bartlett3-52/+43
keys appear at the end of the PAC, which I feel is deliberate (it makes this much easier). I still can't make it work, but I'm sure we are closer. Andrew Bartlett (This used to be commit 6f0e1c80ae7b1e31e7a3fbff84f07442ee5a31cf)
2007-10-10r7968: Pull the PAC from within GSSAPI, rather than only when using our ownAndrew Bartlett4-202/+277
'mock GSSAPI'. Many thanks to Luke Howard for the work he has done on Heimdal for XAD, to provide the right API hooks in GSSAPI. Next step is to verify the signatures, and to build the PAC for the KDC end. Andrew Bartlett (This used to be commit 2e82743c98e563e97c5a215d09efa0121854d0f7)
2007-10-10r7965: Remove the GENSEC password callback structure members, as these are noAndrew Bartlett2-5/+0
longer used. Andrew Bartlett (This used to be commit 14be7d95694dd7557af67dc94ee83a983d2f05f6)
2007-10-10r7935: auth_unix now uses crypt(), so depend on -lcrypt.Andrew Bartlett1-1/+1
This builds on the work tridge did to make -lcrypt conditional, rather than globally linked. This was needed for Heimdal stuff, but then I 'fixed' heimdal, and we now reintroduce it here. Andrew Bartlett (This used to be commit 83d9d8f4827280a68dfd07beccf2924c9e0825b0)
2007-10-10r7934: ported samba3 pass_check functions to auth_unix.cSimo Sorce1-5/+332
not having these platforms they are untested, let's hope the buildfarm can catch any problem (This used to be commit 08ec299dcbdc8dba12568b95b636866f147b2e7c)
2007-10-10r7863: removed an unused variableAndrew Tridgell1-1/+0
(This used to be commit 9ee3dbad6b0bc65f4f3ee64a52db765af8016738)
2007-10-10r7862: Updates to the Kerberos notes, based on recent changes and discoveries.Andrew Bartlett1-19/+90
Andrew Bartlett (This used to be commit 7d791d13bcd70288467bf3574d0394d34f973f18)
2007-10-10r7860: switch our ldb storage format to use a NDR encoded objectSid. This isAndrew Tridgell1-8/+7
quite a large change as we had lots of code that assumed that objectSid was a string in S- format. metze and simo tried to convince me to use NDR format months ago, but I didn't listen, so its fair that I have the pain of fixing all the code now :-) This builds on the ldb_register_samba_handlers() and ldif handlers code I did earlier this week. There are still three parts of this conversion I have not finished: - the ltdb index records need to use the string form of the objectSid (to keep the DNs sane). Until that it done I have disabled indexing on objectSid, which is a big performance hit, but allows us to pass all our tests while I rejig the indexing system to use a externally supplied conversion function - I haven't yet put in place the code that allows client to use the "S-xxx-yyy" form for objectSid in ldap search expressions. w2k3 supports this, presumably by looking for the "S-" prefix to determine what type of objectSid form is being used by the client. I have been working on ways to handle this, but am not happy with them yet so they aren't part of this patch - I need to change pidl to generate push functions that take a "const void *" instead of a "void*" for the data pointer. That will fix the couple of new warnings this code generates. Luckily it many places the conversion to NDR formatted records actually simplified the code, as it means we no longer need as many calls to dom_sid_parse_talloc(). In some places it got more complex, but not many. (This used to be commit d40bc2fa8ddd43560315688eebdbe98bdd02756c)
2007-10-10r7843: Use the new Heimdal gsskrb_acquire_creds API. This has the rightAndrew Bartlett2-31/+27
lifetime constraints, and works with the in-memory keytab. Move initialize_krb5_error_table() into our kerberos startup code, rather than in the GSSAPI code explitly. (Hmm, we probably don't need this at all..) Andrew Bartlett (This used to be commit bedf92da5c81066405c87c9e588842d3ca5ba945)