summaryrefslogtreecommitdiff
path: root/source4/auth
AgeCommit message (Collapse)AuthorFilesLines
2010-10-02s4-gensec Always honour the set server principalAndrew Bartlett1-1/+1
The spengo code won't set this unless it is allowed to by this same option, but other callers may need it. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sat Oct 2 02:27:39 UTC 2010 on sn-devel-104
2010-10-02s4-kerberos Don't regenerate key values for each alias in keytabAndrew Bartlett1-43/+35
Instead, store the same key value under the multiple alias names. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sat Oct 2 00:16:52 UTC 2010 on sn-devel-104
2010-10-02s4-auth Add make_server_info_pac() to include 'resource domain' groupsAndrew Bartlett2-5/+40
Previously, our PAC code didn't include these groups into the server_info from which we would eventually calculate the full list of tokenGroups. Andrew Bartlett
2010-10-02s4-auth Allocate domain SIDs under the sids array, not server_infoAndrew Bartlett1-1/+1
Andrew Bartlett
2010-10-01s4-auth: fixed a vagrind error when creating keytabsAndrew Tridgell1-0/+3
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-29s4-sam: added DOMAIN_RID_ENTERPRISE_READONLY_DCS for RODCs in the PACAndrew Tridgell1-0/+16
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-28s4-sam: fixed termination of krbtgt_attrs (comma and NULL)Andrew Tridgell1-4/+4
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-29s4-kdc Use msDS-SecondaryKrbTgtNumber to fill in the full KVNOAndrew Bartlett1-0/+1
Andrew Bartlett
2010-09-27s4-auth: removed unused variable dom_sidAndrew Tridgell1-1/+1
2010-09-28s4:gensec_tstream: remove plain socket handlingStefan Metzmacher1-124/+12
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Sep 28 04:54:24 UTC 2010 on sn-devel-104
2010-09-28s4:gensec: add gensec_create_tstream()Stefan Metzmacher3-1/+764
Based on the initial patch from Andreas Schneider <asn@redhat.com>. metze
2010-09-26s4-gensec: fixed a valgrind error in gensecAndrew Tridgell1-12/+2
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-26s4:schannel: handle move flag combinations in the serverStefan Metzmacher1-13/+23
This fixes some testsuites in the CIFS plugfest. metze
2010-09-26s4-auth: fixed the SID list for DCs in the PACAndrew Tridgell3-19/+16
the S-1-5-9 SID is added in the PAC by the KDC, not on the server that receives the PAC Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
2010-09-26s4-kerberos Don't segfault if the password isn't specified in keytab generationAndrew Bartlett1-0/+7
Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sun Sep 26 03:29:34 UTC 2010 on sn-devel-104
2010-09-25s4-pycredentials: avoid a tallloc_free on refAndrew Tridgell1-1/+1
with the new py object structure, we need to unlink not free
2010-09-24s4-kerberos Rework keytab handling to export servicePrincipalName entriesAndrew Bartlett2-126/+164
This creates keytab entries with all the servicePrincipalNames listed in the secrets.ldb entry. Andrew Bartlett
2010-09-24s4-kerberos Move 'set key into keytab' code out of credentials.Andrew Bartlett5-208/+234
This code never really belonged in the credentials layer, and is easier done with direct access to the ldb_message that is in secrets.ldb. Andrew Bartlett
2010-09-24s4-kerberos Fix kerberos_enctype_bitmap_to_enctypes()Andrew Bartlett1-2/+3
The previous code never worked Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-23s4-gensec: fixed a client side bug in GENSEC/SASL/SSF negotiationAndrew Tridgell1-7/+10
this is the client side equivalent change for the previous fix Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-23s4-gensec: prevent a double free in the error path of GSSAPI authAndrew Tridgell1-1/+0
the caller frees mem_ctx, so we shouldn't Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-23s4-gensec: fixed a GSSAPI SASL negotiation bugAndrew Tridgell1-11/+14
Fixed a bug that affected mismatched negotiation between the GSSAPI layer and the SASL SSF subsequent negotiation. This caused some ldap clients to hang when trying to authentication with a Samba LDAP server. The client thought the connection should be signed, the server thought it should be in plain text Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-22s4-selftest: Move credentials tests to standard python directory.Jelmer Vernooij1-100/+0
2010-09-22s4-param: Fix more memory leaks, invalid memory context.Jelmer Vernooij3-19/+71
2010-09-22s4-param: Check type when converting python object to lp_ctx, fix someJelmer Vernooij3-4/+31
memory leaks.
2010-09-22pygensec: Implement start_mech_by_name().Jelmer Vernooij2-8/+30
2010-09-21s4-selftest: Move more tests to scripting/python, simplifies running of tests.Jelmer Vernooij2-72/+0
2010-09-16libcli/auth/ntlmssp Be clear about talloc parents for session keysAndrew Bartlett1-0/+5
The previous API was not clear as to who owned the returned session key. This fixes a valgrind-found use-after-free in the NTLMSSP key derivation code, and avoids making allocations - we steal and zero instead. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-16s4-kerberos: obey the credentials setting for forwardable ticketsAndrew Tridgell3-27/+40
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16s4-pycredentials: expose forwardable setting via pythonAndrew Tridgell1-0/+16
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16s4-credentials: added ability to control forwardable attribute on krb5 ticketsAndrew Tridgell2-0/+24
with the latest bind9 nsupdate, we need to be able to control if the ticket we use is forwardable Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15s4-auth: allow multiple active auth backendsAndrew Tridgell1-35/+43
when we are an RODC we need to be able to allow multiple auth backends to process a single auth request. First the sam backend will try to authenticate, using locally stored passwords. If this backend can't find local passwords then it will try the winbind backend and authenticate via a writeable DC Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15s4-rodc: add a trigger message for REPL_SECRET to auth_samAndrew Tridgell1-0/+52
when an RODC tries to authenticate against an account and the account has no password information it needs to send a message to the drepl server to tell it to try and replicate the secret information from a writeable DC Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-14s4: Fix two typosVolker Lendecke1-2/+2
2010-09-11s4:gensec Put the "NTLM" string for NTLMSSP's SASL name in a headerAndrew Bartlett2-1/+3
2010-09-11s4-credentials: get all attributes in cli_credentials_set_secrets()Andrew Tridgell1-17/+1
This ensures we get whenChanged, which is needed by the s3 winbind code to ensure we don't repeatedly try to change the password
2010-09-03s4:auth_winbind: use irpc_binding_handle_by_name()Stefan Metzmacher2-8/+8
metze
2010-09-03s4:auth_winbind: remove unused winbind_samba3 backendStefan Metzmacher2-122/+1
This uses the winbind protocol directly, which needs to be avoided! metze
2010-09-03s4:auth_winbind: fix segfault in winbind_check_password_wbclient()Stefan Metzmacher1-1/+5
We should only look at err if WBC_ERR_AUTH_ERROR is returned. metze
2010-09-03s4:auth_winbind: fix compiler warningsStefan Metzmacher1-4/+11
metze
2010-09-02s4-auth: make the disabled acct messages a bit less verboseAndrew Tridgell1-6/+6
raise the debug level Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-27s4:credentials_krb5.c - quiet a Solaris warningMatthias Dieter Wallnöfer1-1/+2
2010-08-26s4:ntlm/auth.c - add a whitespace in a debug outputMatthias Dieter Wallnöfer1-1/+1
2010-08-23s4:security Change struct security_token->sids from struct dom_sid * to ↵Andrew Bartlett1-11/+15
struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-18s4:auth Change {anonymous,system}_session to use common session_info generationAndrew Bartlett1-4/+4
This also changes the primary group for anonymous to be the anonymous SID, and adds code to detect and ignore this when constructing the token. Andrew Bartlett
2010-08-18s4:auth Avoid doing database lookups for NT AUTHORITY usersAndrew Bartlett2-108/+122
2010-08-18s4:auth Remove system_session_anon() from python bindingsAndrew Bartlett4-56/+3
2010-08-18s4:auth Remove the system:anonymous parameter used for the LDAP backendAndrew Bartlett1-10/+4
This isn't needed any more, and just introduces complexity.
2010-08-18s4:auth Remove special case constructor for admin_session()Andrew Bartlett1-63/+13
There isn't a good reason why this code is duplicated. Andrew Bartlett
2010-08-18s4:security Remove use of user_sid and group_sid from struct security_tokenAndrew Bartlett1-10/+5
This makes the structure more like Samba3's NT_USER_TOKEN