path: root/source4/auth
Age | Commit message | Author | Files | Lines
2007-10-10 | r7352: the internal heimdal build change. This changes quite a few things: | Andrew Tridgell | 3 | -4/+5
- if you want kerberos now, you need to unpack a lorikeet heimdal tree in source/heimdal/. If source/heimdal/ does not exist at configure time then all kerberos features are disabled. You cannot use an external kerberos library for now. That may change later.
- moved lib/replace/ config stuff to lib/replace/ and create a lib/replace/replace.h. That allows the heimdal build to use our portability layer, and prevents duplicate definitions of functions like strlcat()
- if you do enable heimdal, then you will need to do 'make HEIMDAL_EXTERNAL' before you build Samba. That should be fixed once I explain the problem to jelmer (the problem is the inability to set a depend without also dragging in the object list of the dependency. We need this for building the heimdal asn1 compiler and et compiler.
- disabled all of the m4 checks for external kerberos libraries. I left them in place in auth/kerberos/, but disabled it in configure.in
some of the heimdal_build/ code is still very rough, for example I don't correctly detect the correct awk, flex, bison replacements for heimdal_build/build_external.sh. I expect to fix that stuff up over the next few days. (This used to be commit d4648249b2c7fc8b5e7c0fc8d8f92ae043b5691f)
2007-10-10 | r7306: Use a consistent #define for detecting support for the Heimdal krb5 | Andrew Bartlett | 3 | -9/+9
log redirection code. Andrew Bartlett (This used to be commit 93335d587d9f48c46d9c3b91237f649693cf3003)
2007-10-10 | r7303: autodetect the libkdc and our kdc support | Stefan Metzmacher | 1 | -7/+28
btw: I use this for configuring heimdal
>>>
CONFIG="CFLAGS=\"-g -O -Wall -Wstrict-prototypes -Wpointer-arith -Wcast-align -Wwrite-strings -Wdeclaration-after-statement\" \
CC=gcc-4.0 \
./configure -C --prefix=$HOME/prefix/heimdal-test \
--sysconfdir=/etc \
--enable-shared=no \
--with-ldb=$HOME/prefix/ldb \
--without-openldap \
--without-openssl $@"
echo $CONFIG
eval $CONFIG
>>>
maybe you also want to use --disable-berkeley-db
metze (This used to be commit 2aec140e00770df78ba31ef91109634ce0aa3d8a)
2007-10-10 | r7291: Additional notes on what we require from a kerberos implementation. | Andrew Bartlett | 1 | -1/+36
Andrew Bartlett (This used to be commit a8d3493b6f7a0c28465b00bbadf24e152422e4b5)
2007-10-10 | r7285: It appears that MIT Kerberos does not have the log redirection | Andrew Bartlett | 3 | -2/+23
facility that I'm using. This should let us compile the non-KDC components on MIT again. Andrew Bartlett (This used to be commit ae9c2d2b54a979ab8467c847b62dd2c2a0fa059f)
2007-10-10 | r7270: A big revamp to the way we handle kerberos errors in Samba4. We now | Andrew Bartlett | 6 | -89/+159
fill in the function pointers to handle the logging, and catch all the kerberos warnings. (Currently at level 3). To avoid a memory leak, this requires a new function: krb5_freelog(), which I've added to lorikeet/heimdal. This also required a revamp to how we handle the krb5_context, so as to make it easier to handle with talloc destructors. Andrew Bartlett (This used to be commit 63272794c41231b335b73e7ccf349282f295c4d2)
2007-10-10 | r7269: talloc_steal() is preferred where possible, as it can't fail and does | Andrew Bartlett | 1 | -2/+2
not have some of the issues of talloc_reference(). Andrew Bartlett (This used to be commit 2fb413355a7cd7b5cee02237d2fbff91381435e5)
2007-10-10 | r7258: Fix the final linking error with libkdc - we need to link libhdb as well. | Andrew Bartlett | 1 | -0/+1
With this fix, I can request tickets from our built-in KDC! Andrew Bartlett (This used to be commit d7cd76013bdf000831790b29b9d0b401151bf5c2)
2007-10-10 | r7257: Ensure the error message can never be uninitialised. | Andrew Bartlett | 1 | -0/+1
Andrew Bartlett (This used to be commit fdd964582a4b102978fbc29dbf71de52bd30a155)
2007-10-10 | r7242: typo | Simo Sorce | 1 | -1/+1
(This used to be commit 4444585f06cf8a061a615002107cbb7560604f7f)
2007-10-10 | r7241: The KDC almost links... | Andrew Bartlett | 1 | -0/+5
Using current lorikeet/heimdal, and with the KDC module enabled (it is disabled by default), I almost get the KDC to link. (To enable the KDC for testing, comment out the only line in smbd/config.m4, and add 'kdc' to the 'server services' line in smb.conf). (This used to be commit 26cd4b4f68a370390e08263067402c6c70e49ec8)
2007-10-10 | r7240: Don't call our fancy error message routines on a null context. | Andrew Bartlett | 1 | -2/+1
Andrew Bartlett (This used to be commit 35877387c8e345d30d7598d1a139067a26cc1f7f)
2007-10-10 | r7233: what about filling that new element ? | Simo Sorce | 1 | -0/+3
(This used to be commit 6a5e48c35cba801b16172cf6ff06b1d4116fb018)
2007-10-10 | r7232: add some more auth stuff | Simo Sorce | 3 | -80/+442
enables us to authenticate against system users (only PAM support right now) (This used to be commit 0c894de58b7850a2905b73eb17c42d7e87cb9f87)
2007-10-10 | r7224: add some more useful data to the auth_usersupplied_info struct | Simo Sorce | 2 | -5/+14
(This used to be commit e40c44e9cdc0be7c52207f8479568804e7d9cff2)
2007-10-10 | r7219: Don't allow 'binding' to be used uninitialised. | Andrew Bartlett | 1 | -0/+2
Andrew Bartlett (This used to be commit 3dd730fbc880ddc4f2efc6105cd21ec45f4afdd5)
2007-10-10 | r7218: Don't use an uninitialised variable in an error message. | Andrew Bartlett | 1 | -2/+1
Andrew Bartlett (This used to be commit 1f68cf7d0eb5de18da7f9d14c729caf314740601)
2007-10-10 | r6939: Get rid of SUBSYSTEM::NDR since all it did was require NDR_RAW. | Tim Potter | 1 | -2/+2
(This used to be commit e077d9948f1406c61982d49c2fd925852fdf6553)
2007-10-10 | r6883: Move to what simo assures me is the 'correct' way to find the NetBIOS | Andrew Bartlett | 1 | -12/+35
and long names for a domain. Add servicePrincipalName mapping table (administrator configurable), in the same spot as microsoft uses. Andrew Bartlett (This used to be commit c25e78b4b34384a3a79a920f50f01be696a048ba)
2007-10-10 | r6882: Put in configure tests and #ifdef to keep Samba building on older | Andrew Bartlett | 2 | -1/+4
Heimdal. Andrew Bartlett (This used to be commit f2e926192595c74bd9cc8a3343e0fcf27a1de38b)
2007-10-10 | r6839: Add support for building subsystems as shared libraries. This can be | Jelmer Vernooij | 1 | -2/+2
done by setting: OUTPUT_TYPE = SHARED_LIBRARY in the [SUBSYSTEM::...] section belonging to a subsystem. The idea is to allow multiple values to OUTPUT_TYPE simultaneously (e.g. OUTPUT_TYPE = SHARED_LIBRARY, STATIC_LIBRARY, OBJLIST ) (This used to be commit b9d0ae93ba86fec0115f58e7940b2a6c908bc809)
2007-10-10 | r6838: Remove unnecessary calls to gensec_gsskrb5 | Jelmer Vernooij | 1 | -4/+0
Make the build system give a proper warning about this in the future (This used to be commit 2d980465af87d25ce17b8340c6b5f662ef29edd3)
2007-10-10 | r6819: More notes on krb5 requirements | Andrew Bartlett | 1 | -18/+66
Andrew Bartlett (This used to be commit dbd845998723987c75dc0e6a427330116dce0bf4)
2007-10-10 | r6810: Rename auth/{ntlmssp,gensec,kerberos} mk and m4 files to be called | Tim Potter | 5 | -0/+5
config.mk and config.m4 to be consistent with the rest of Samba. (This used to be commit f377c71e4f0d60684326906dfb65e4581294ec34)
2007-10-10 | r6805: Remove two remaining references to gensec_gsskrb5 | Jelmer Vernooij | 2 | -5/+0
(This used to be commit a02e07739781eb00b521d050ab06d6b0aedf47bc)
2007-10-10 | r6803: Try to bring in the correct GSSAPI headers for the krb5 mech. This | Andrew Bartlett | 3 | -32/+11
should allow us to ditch the local static storage for OIDs, as well as fix the build on non-heimdal platforms. Andrew Bartlett (This used to be commit a7e2ecfac9aaacd673e3583b62139e4f4e114429)
2007-10-10 | r6801: It appears that krb5_make_principal, while convenient, is not portable. | Andrew Bartlett | 1 | -4/+13
Andrew Bartlett (This used to be commit c8e8fa129ed0c80bcd289445935047c28d48da64)
2007-10-10 | r6800: A big GENSEC update: | Andrew Bartlett | 10 | -335/+557
Finally remove the distinction between 'krb5' and 'ms_krb5'. We now don't do kerberos stuff twice on failure. The solution to this is slightly more general than perhaps was really required (as this is a special case), but it works, and I'm happy with the cleanup I achieved in the process. All modules have been updated to supply a NULL-terminated list of OIDs. In that process, SPNEGO code has been generalised, as I realised that two of the functions should have been identical in behaviour. Over in the actual modules, I have worked to remove the 'kinit' code from gensec_krb5, and placed it in kerberos/kerberos_util.c. The GSSAPI module has been extended to use this, so no longer requires a manual kinit at the command line. It will soon lose the requirement for an on-disk keytab too. The general kerberos code has also been updated to move from error_message() to our routine which gets the Heimdal error string (which may be much more useful) when available. Andrew Bartlett (This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)
2007-10-10 | r6799: Remove a redundant variable from the context structure - we can figure | Andrew Bartlett | 3 | -6/+4
this out by asking GENSEC, just like everybody else. Andrew Bartlett (This used to be commit 0268d6c46b73bf2097247639df2532b5e8591531)
2007-10-10 | r6797: Typo fix. | Rafal Szczesniak | 1 | -1/+1
rafal (This used to be commit 0f9a2aef6c87bd53c962b33bf78bf773d2319b97)
2007-10-10 | r6796: Remove the gensec_gsskrb5 module, which had had all of its special | Andrew Bartlett | 2 | -594/+0
features merged back into gensec_gssapi. (Removed because I've made some API changes, and it isn't worth 'fixing' the redundant code to cope with changes) Andrew Bartlett (This used to be commit e8cf3d58ec956e41fc8d3e38363db3d5d838fe1d)
2007-10-10 | r6795: Make some functions static and remove some unused ones. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 46509eb89980bfe6dabd71264d570ea356ee5a22)
2007-10-10 | r6794: spellfix | Simo Sorce | 1 | -3/+3
(This used to be commit f5956d150154cb4393dc323ae8ae1f936adee355)
2007-10-10 | r6793: Move auth_sam to use the dnsDomain rather than the | Andrew Bartlett | 1 | -1/+1
soon-to-be-deprecated 'realm'. Add torture test for this behaviour. Andrew Bartlett (This used to be commit 6b9020661a13fd5ec6c5d1e21344d9f654978987)
2007-10-10 | r6792: Allow a mech to fail on the first pass at the packet, and still fall | Andrew Bartlett | 1 | -0/+2
back to the other options. Andrew Bartlett (This used to be commit 9153d7306124d5e4ffc0467728210e2e2235059f)
2007-10-10 | r6791: My early notes on the particular things I have discovered as I learn | Andrew Bartlett | 1 | -0/+176
kerberos, and how Microsoft constructs their kerberos implementation. Andrew Bartlett (This used to be commit 5fa9be75d987af106fd798f6d5379b637a170b00)
2007-10-10 | r6767: Fix compiler warning. | Tim Potter | 1 | -0/+1
(This used to be commit 45a0692be10a03032f9a4e26da3de08696c03464)
2007-10-10 | r6740: make gensec_gssapi.c compile again | Andrew Tridgell | 1 | -1/+1
(This used to be commit 6d15e9511115cc30ee213ec91320a2dccde15b8f)
2007-10-10 | r6738: My version of the patch by metze that I just reverted (-r 6734). | Andrew Bartlett | 3 | -56/+83
This also includes other changes to reduce memory use by GENSEC when not being used for sign/seal operations. This should lower tridge's K 'per connection' benchmark further. Andrew Bartlett (This used to be commit 4a5829401b20c10091185bbd93236477523459b2)
2007-10-10 | r6737: Explain these error returns a bit better. | Andrew Bartlett | 1 | -2/+5
Andrew Bartlett (This used to be commit 77d054c65aeecfc0d1156d750f7b8025cb154d3a)
2007-10-10 | r6736: Revert metze's -r 6734, as metze and I made the same changes at the | Andrew Bartlett | 3 | -51/+51
same time, but with different names. This just helps me avoid conflicts when I merge up my other changes. Andrew Bartlett (This used to be commit 27e6a853a5160cb1ad595bea25e891eeae439662)
2007-10-10 | r6734: most compilers don't like struct elements without a name... | Stefan Metzmacher | 3 | -51/+51
metze (This used to be commit 0c1cd40bcea748d65938bb2dc8160ea07e9ec851)
2007-10-10 | r6733: GSS_C_DCE_STYLE is not available for most builds | Stefan Metzmacher | 1 | -0/+5
metze (This used to be commit 3536029e8fb1da1ca689e0b7aa1f3edfb7967790)
2007-10-10 | r6730: register gensec_krb5 also with the drcrpc auth type | Stefan Metzmacher | 1 | -0/+1
metze (This used to be commit 491d7804f5f5bdfb43ae09b81c2cbc34fab2246d)
2007-10-10 | r6729: Fix silly copy-paste bug spotted by metze. | Andrew Bartlett | 1 | -1/+1
Andrew Bartlett (This used to be commit 400899995b2c2ed54a114f8f55e5fb36592298b9)
2007-10-10 | r6728: Microsoft relies very strongly on getting the OIDs it expects, so we | Andrew Bartlett | 1 | -1/+31
must register the 'MS' OID for the domain join to progress. Andrew Bartlett (This used to be commit c8fbda6bfd96d5d57cd52bc15d8695547effe2e3)
2007-10-10 | r6727: One more step down the long march to the 'Kerberos domain join'. | Andrew Bartlett | 3 | -8/+350
This patch allows a suitably patched Heimdal GSSAPI library (detected in configure) to supply to us the session keys, and further completes the gensec_gssapi module. This is tested for CIFS, but fails for LDAP at this point (that is what I'll work on next). We currently fill out the 'session info' from the SAM, like gensec_krb5 does, but both will need to use the PAC extraction functions in the near future. Andrew Bartlett (This used to be commit 937ee361615a487af9e0279145e75b6c27720a6b)
2007-10-10 | r6711: Clarify that we are dealing with a salting principal in the kerberos | Andrew Bartlett | 1 | -40/+60
code, which is certainly not in the form of machine$. Rework the default salt to match what I just added to the heimdal server (Samba4 is back on speaking terms with lorikeet heimdal now), from Luke Howard's post to samba-technical in Nov 2004. Now to test compatibility with MS... Andrew Bartlett (This used to be commit d719a0093bfe37fc62f28c7c02f17f93eec16abf)
2007-10-10 | r6705: let the gensec module decide if messages can be signed and sealed in | Stefan Metzmacher | 2 | -0/+6
a different order than a strict request - reply sequence Note: we should also fix the client code... metze (This used to be commit 0a61d1f65150546f7a7582512ca010d156f963bf)
2007-10-10 | r6704: fix compiler warning | Stefan Metzmacher | 1 | -1/+1
metze (This used to be commit 9d86314c44ae8e1ec21653b21cc267bfac573445)