summaryrefslogtreecommitdiff
path: root/source4/auth
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r6728: Microsoft relies very strongly on getting the OIDs it expects, so weAndrew Bartlett1-1/+31
must register the 'MS' OID for the domain join to progress. Andrew Bartlett (This used to be commit c8fbda6bfd96d5d57cd52bc15d8695547effe2e3)
2007-10-10r6727: One more step down the long march to the 'Kerberos domain join'.Andrew Bartlett3-8/+350
This patch allows a suitably patched Heimdal GSSAPI library (detected in configure) to supply to us the session keys, and further compleats the gensec_gssapi module. This is tested for CIFS, but fails for LDAP at this point (that is what I'll work on next). We currently fill out the 'session info' from the SAM, like gensec_krb5 does, but both will need to use the PAC extraction functions in the near future. Andrew Bartlett (This used to be commit 937ee361615a487af9e0279145e75b6c27720a6b)
2007-10-10r6711: Clarify that we are dealing with a salting principal in the kerberosAndrew Bartlett1-40/+60
code, which is certainly not in the form of machine$. Rework the default salt to match what I just added to the heimdal server (Samba4 is back on speaking terms with lorikeet heimdal now), from Luke Howard's post to samba-technical in Nov 2004. Now to test compatability with MS... Andrew Bartlett (This used to be commit d719a0093bfe37fc62f28c7c02f17f93eec16abf)
2007-10-10r6705: let the gensec module decide if messages can be signed and sealed in ↵Stefan Metzmacher2-0/+6
a different order than a strict request - reply sequence Note: we should also fix the client code... metze (This used to be commit 0a61d1f65150546f7a7582512ca010d156f963bf)
2007-10-10r6704: fix compiler warningStefan Metzmacher1-1/+1
metze (This used to be commit 9d86314c44ae8e1ec21653b21cc267bfac573445)
2007-10-10r6703: fix the buildStefan Metzmacher1-1/+1
metze (This used to be commit 333f9bdf585db3df455009667d94deae568be02a)
2007-10-10r6701: Updates to our server-side ticket verification code, we now use theAndrew Bartlett1-57/+44
client credentials code to read the secrets.ldb. Also clean up error handling, and ensure to always set the last_error_message stuff. Andrew Bartlett (This used to be commit 435d229e5d1da349f00d80a36b599ae70468e99d)
2007-10-10r6700: Upper case realms in kerberos-specific parts of the code, as this isAndrew Bartlett1-1/+6
no longer done globally. This keeps MIT client libraries happy, because otherwise the windows KDC will return a different case to what was requested. Andrew Bartlett (This used to be commit 9098b9321f938473c367f906cfe2f001ca1d8e6a)
2007-10-10r6620: the type 23 schannel bind uses a workstation name, not an account nameAndrew Tridgell1-3/+6
(This used to be commit 250f1f69dd719a7981ec4c1698942b31826888d2)
2007-10-10r6610: Fix a const warning in the gensec spnego implementation. (A make protoTim Potter2-2/+2
is required after updating to this version). (This used to be commit 258d03ef9248b2827db18269e4f0883c73839084)
2007-10-10r6565: Cludge, cludge, cludge...Andrew Bartlett2-9/+5
We need to pass the 'secure channel type' to the NETLOGON layer, which must match the account type. (Yes, jelmer objects to this inclusion of the kitchen sink ;-) Andrew Bartlett (This used to be commit 8ee208a926d2b15fdc42753b1f9ee586564c6248)
2007-10-10r6544: Use common structures between SAMR, NETLGON and the Krb5 PAC.Andrew Bartlett1-5/+5
Fill out the group list for the SamLogon reply, so clients get the supplementary groups. Andrew Bartlett (This used to be commit d9c31e60a72c345e3a23a7eb742906bcfc18721c)
2007-10-10r6522: I have no idea why this change was made, but it not only breaksAndrew Bartlett1-2/+1
connections to Win2k3, it doesn't match the well-known behaviour from samba3. Andrew Bartlett (This used to be commit 99c9afe45a345e78d7492fe01463922460d66e99)
2007-10-10r6521: Include system/network.h to fix compiler warning.Tim Potter1-0/+1
(This used to be commit 45383f6cec3c380043be59f1e1c5bf82f3095abb)
2007-10-10r6498: Add comments in line with those I already added to 3.0.Andrew Bartlett1-0/+7
Please don't re-invent security=server :-) Andrew Bartlett (This used to be commit b3a38e9c8ce9758db31aec53db29290a240868be)
2007-10-10r6484: fix NTLMSSP client against w2k and w2k3Stefan Metzmacher1-0/+4
if we use lm_response = data_blob(NULL, 0); we got NT_STATUS_INVALID_PARAMETER (abartlet: we should maybe also give this error in our server code) metze (This used to be commit be5e301442c442a37bb6756d12b9f1452d634a17)
2007-10-10r6466: Spelling.Tim Potter1-1/+1
(This used to be commit 764b96792655be550d3c7065cb290bc6ea2b5133)
2007-10-10r6465: Use talloc_zero for the gensec_ntlmssp_state structure, as the historyAndrew Bartlett2-41/+6
of this code has too many pre-zeroed structure assumptions. Remove unused 'stub' functions Andrew Bartlett (This used to be commit 78dc57c65513ba4c271308d84fc2a2a533f76061)
2007-10-10r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundentAndrew Bartlett5-470/+419
struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2007-10-10r6463: Move NTLM2 and NTLM (v1) specific variables into a union for DCE/RPC.Andrew Bartlett3-69/+74
Andrew Bartlett (This used to be commit 227f2578da140067734f55b559760871ee4d0d12)
2007-10-10r6462: Move the arcfour sbox state into it's own structure, and allocate itAndrew Bartlett5-53/+29
with talloc() for the NTLMSSP system. Andrew Bartlett (This used to be commit 7a93ac49c28d433ccf0f077294f473fe728b9995)
2007-10-10r6460: Push the client credentials into NTLMSSP, allowing logins of the formAndrew Bartlett4-102/+92
user@REALM for the first time. Fix the build for smbencrypt.c Andrew Bartlett (This used to be commit 5a6a57cd93e22e612bfbb8a8f7bc29269a9a3ac6)
2007-10-10r6458: Split up NTLMSSP into a new directory, and into seperate files for theAndrew Bartlett10-1620/+1668
client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2007-10-10r6455: Remove wrapper functions, and ntlmssp_end (which is well handed by ↵Andrew Bartlett1-41/+5
talloc() now). Andrew Bartlett (This used to be commit fc3e3653ebc3accf94f9264d2bbfe1cb71b017d0)
2007-10-10r6454: Start to migrate NTLMSSP away from it's own API to just use GENSEC.Andrew Bartlett9-569/+492
The aim here is to remove the extra layer of abstraction, and to then use the credentials code directly in the NTLMSSP layer. Andrew Bartlett (This used to be commit b14c530dfd3e56975dea7e30aa8d62d4f2827700)
2007-10-10r6453: Move verbose errors for the schannel 'not in the DB, or DB corrupt' ↵Andrew Bartlett1-2/+4
error cases. Andrew Bartlett (This used to be commit 24f98f32aae3b8c45283715b27fa67b1d2e5c0f2)
2007-10-10r6359: Fix compiler warning with struct sockaddr. I'm sure I fixed this a fewTim Potter1-0/+1
weeks ago - weird. (This used to be commit 1738761d895461260dcba0dd81630cfa0ec43ae8)
2007-10-10r6340: - added an easy to use function to initialise a temporary ldb with ↵Andrew Tridgell1-0/+11
some ldif - init the schannel.ldb with some CASE_INSENSITIVE attributes (This used to be commit e6376b24303dc513e15c7e640c8c1c8d8ca11091)
2007-10-10r6322: Fix compile warning for struct sockaddr.Tim Potter1-0/+1
(This used to be commit 9c45f8d7bc21a4426091ea03f9f0681d7dad3edd)
2007-10-10r6128: fix the buildStefan Metzmacher1-2/+2
metze (This used to be commit 80593150341852af0816e69bd653c93228862e9b)
2007-10-10r6113: Move GENSEC and the kerberos code out of libcli/auth, and intoAndrew Bartlett27-3/+9962
auth/gensec and auth/kerberos. This also pulls the kerberos configure code out of libads (which is otherwise dead), and into auth/kerberos/kerberos.m4 Andrew Bartlett (This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)
2007-10-10r6028: A MAJOR update to intergrate the new credentails system fully withAndrew Bartlett1-1/+9
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'. GENSEC now no longer has it's own handling of 'set username' etc, instead it uses cli_credentials calls. In order to link the credentails code right though Samba, a lot of interfaces have changed to remove 'username, domain, password' arguments, and these have been replaced with a single 'struct cli_credentials'. In the session setup code, a new parameter 'workgroup' contains the client/server current workgroup, which seems unrelated to the authentication exchange (it was being filled in from the auth info). This allows in particular kerberos to only call back for passwords when it actually needs to perform the kinit. The kerberos code has been modified not to use the SPNEGO provided 'principal name' (in the mechListMIC), but to instead use the name the host was connected to as. This better matches Microsoft behaviour, is more secure and allows better use of standard kerberos functions. To achieve this, I made changes to our socket code so that the hostname (before name resolution) is now recorded on the socket. In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now in libcli/auth/schannel.c, and it looks much more like a standard GENSEC module. The actual sign/seal code moved to libcli/auth/schannel_sign.c in a previous commit. The schannel credentails structure is now merged with the rest of the credentails, as many of the values (username, workstation, domain) where already present there. This makes handling this in a generic manner much easier, as there is no longer a custom entry-point. The auth_domain module continues to be developed, but is now just as functional as auth_winbind. The changes here are consequential to the schannel changes. The only removed function at this point is the RPC-LOGIN test (simulating the load of a WinXP login), which needs much more work to clean it up (it contains copies of too much code from all over the torture suite, and I havn't been able to penetrate its 'structure'). Andrew Bartlett (This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2007-10-10r5988: Fix the -P option (use machine account credentials) to use the Samba4Andrew Bartlett2-56/+7
secrets system, and not the old system from Samba3. This allowed the code from auth_domain to be shared - we now only lookup the secrets.ldb in lib/credentials.c. In order to link the resultant binary, samdb_search() has been moved from deep inside rpc_server into lib/gendb.c, along with the existing gendb_search_v(). The vast majority of this patch is the simple rename that followed, (Depending on the whole SAMDB for just this function seemed pointless, and brought in futher dependencies, such as smbencrypt.c). Andrew Bartlett (This used to be commit e13c671619bd290a8b3cae8555cb281a9a185ee0)
2007-10-10r5985: Actually adding auth_domain.c in -r 5983 would probably have been aAndrew Bartlett1-0/+199
good idea.... Andrew Bartlett (This used to be commit 84b566a36bbe7101c5fbd90c131b13e6c259c990)
2007-10-10r5983: Start support for being a domain member in Samba4.Andrew Bartlett1-0/+12
This adds the auth_domain module to the auth subsystem, and cleans up some small details around the join process (ensuring all the right info is in the DB). Andrew Bartlett (This used to be commit 858cbfb8210239aa85a01da95e5beb9546a998a5)
2007-10-10r5895: Remove old auth_domain code - to be replaced with entirely new ↵Andrew Bartlett1-552/+0
implementation. Andrew Bartlett (This used to be commit a16339729d25fc5b12846207afe3800df7fca8d5)
2007-10-10r5668: Add tests to RPC-SAMLOGON to test for user@REALM style logins. TheseAndrew Bartlett1-4/+23
need a NULL domain (or a "" domain, except this breaks NTLMv2, and I need to look into it a bit more). Add support to the Samba4 server for these logins. This will need extension when we handle trusted domains as a DC, as it is a principal name, not just another format for the username. Andrew Bartlett (This used to be commit de02c7c222a32d2b3fb8ee8b715749b96cb647f9)
2007-10-10r5298: - got rid of pstring.h from includes.h. This at least makes it a bitAndrew Tridgell3-0/+3
less likely that anyone will use pstring for new code - got rid of winbind_client.h from includes.h. This one triggered a huge change, as winbind_client.h was including system/filesys.h and defining the old uint32 and uint16 types, as well as its own pstring and fstring. (This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f)
2007-10-10r5137: fix typesStefan Metzmacher2-4/+4
metze (This used to be commit add1c579375d08040f722946da31ee3862f9e7ac)
2007-10-10r4955: fixed a couple of minor memory leaks in the auth_sam codeAndrew Tridgell1-1/+11
(This used to be commit 2eba223bda43a81e7aa795e58e551b0b556ddcfa)
2007-10-10r4758: - added async support to the session request codeAndrew Tridgell1-1/+1
- added async support to the negprot client code - removed two unused parameters from smbcli_full_connection() code - converted smbclient to use smbcli_full_connection() rather than reinventing everything itself (This used to be commit 71cbe2873473e039b4511511302cb63f1c50bce8)
2007-10-10r4620: - add interface functions to the auth subsystem so that callers ↵Stefan Metzmacher9-1361/+1038
doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847)
2007-10-10r4591: - converted the other _p talloc functions to not need _pAndrew Tridgell1-1/+1
- added #if TALLOC_DEPRECATED around the _p functions - fixes the code that broke from the above while doing this I fixed quite a number of places that were incorrectly using the non type-safe talloc functions to use the type safe ones. Some were even doing multiplies for array allocation, which is potentially unsafe. (This used to be commit 6e7754abd0c225527fb38363996a6e241b87b37e)
2007-10-10r4566: Fix Samba4 to pass it's own RPC-SAMLOGON torture test.Andrew Bartlett1-26/+141
Include RPC-SAMLOGON in the list of tests expected to pass Remove silly extra loops from the RPC-SAMLOGON test, which mostly just slowed htings down. Andrew Bartlett (This used to be commit 518ca9fb695b0f9d480122a74a2159f7f17a3219)
2007-10-10r4499: Almost make our Samba4 server pass the RPC-SAMLOGON torture test.Andrew Bartlett1-42/+63
I just need to fix a couple of NTLMv2 issues before we can fully pass, and put this in test_rpc.sh, as a 'should pass' test. Andrew Bartlett (This used to be commit 4b52409e385366d87724bb79f4fad4803e8ecfec)
2007-10-10r4419: move security_token stuff to the libcli/security/Stefan Metzmacher1-116/+16
and debug privileges metze (This used to be commit c981808ed4cfa63c7ba7c4f9190b6b14f74bab40)
2007-10-10r4339: - rename auth_guest to auth_anonymousStefan Metzmacher3-62/+68
- don't use static const strings in the server_info - fix segfault when auth_sam gets "" as username metze (This used to be commit 7fcbd483d4977cf6483f34ddd28e6c0182897ba2)
2007-10-10r4151: added privilege attribute handling on samdb.Andrew Tridgell1-0/+8
pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2007-10-10r4147: converted from NT_USER_TOKEN to struct security_tokenAndrew Tridgell2-79/+58
this is mostly just a tidyup, but also adds the privilege_mask, which I will be using shortly in ACL checking. note that I had to move the definition of struct security_token out of security.idl as pidl doesn't yet handle arrays of pointers, and the usual workaround (to use a intermediate structure) would make things too cumbersome for this structure, especially given we never encode it to NDR. (This used to be commit 7b446af09b8050746bfc2c50e9d56aa94397cc1a)
2007-10-10r4072: - changed the names of some of the well known sids to be more consistentAndrew Tridgell1-3/+3
- added string constants for the important privileges. (This used to be commit d5bc706140faf2d0a917f90f87884cd097e8a48c)