summaryrefslogtreecommitdiff
path: root/source4/auth
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r6795: Make some functions static and remove some unused ones.Jelmer Vernooij1-1/+1
(This used to be commit 46509eb89980bfe6dabd71264d570ea356ee5a22)
2007-10-10r6794: spellfixSimo Sorce1-3/+3
(This used to be commit f5956d150154cb4393dc323ae8ae1f936adee355)
2007-10-10r6793: Move auth_sam to use the dnsDomain rather than theAndrew Bartlett1-1/+1
soon-to-be-depricated 'realm'. Add torture test for this behaviour. Andrew Bartlet (This used to be commit 6b9020661a13fd5ec6c5d1e21344d9f654978987)
2007-10-10r6792: Allow a mech to fail on the first pass at the packet, and still fallAndrew Bartlett1-0/+2
back to the other options. Andrew Bartlett (This used to be commit 9153d7306124d5e4ffc0467728210e2e2235059f)
2007-10-10r6791: My early notes on the particular things I have discovered as I learnAndrew Bartlett1-0/+176
kerberos, and how Microsoft constructs their kerberos implementation. Andrew Bartlett (This used to be commit 5fa9be75d987af106fd798f6d5379b637a170b00)
2007-10-10r6767: Fix compiler warning.Tim Potter1-0/+1
(This used to be commit 45a0692be10a03032f9a4e26da3de08696c03464)
2007-10-10r6740: make gensec_gssapi.c compile againAndrew Tridgell1-1/+1
(This used to be commit 6d15e9511115cc30ee213ec91320a2dccde15b8f)
2007-10-10r6738: My version of the patch by metze that I just reverted (-r 6734).Andrew Bartlett3-56/+83
This also includes other changes to reduce memory use by GENSEC when not being used for sign/seal operations. This should lower tridge's K 'per connection' benchmark further. Andrew Bartlett (This used to be commit 4a5829401b20c10091185bbd93236477523459b2)
2007-10-10r6737: Explain these error returns a bit better.Andrew Bartlett1-2/+5
Andrew Bartlett (This used to be commit 77d054c65aeecfc0d1156d750f7b8025cb154d3a)
2007-10-10r6736: Revert metze's -r 6734, as metze and I made the same changes at theAndrew Bartlett3-51/+51
same time, but with different names. This just helps me avoid conflicts when I merge up my other changes. Andrew Bartlett (This used to be commit 27e6a853a5160cb1ad595bea25e891eeae439662)
2007-10-10r6734: most compiler don't like struct elements without a name...Stefan Metzmacher3-51/+51
metze (This used to be commit 0c1cd40bcea748d65938bb2dc8160ea07e9ec851)
2007-10-10r6733: GSS_C_DCE_STYLE is not available for most buildsStefan Metzmacher1-0/+5
metze (This used to be commit 3536029e8fb1da1ca689e0b7aa1f3edfb7967790)
2007-10-10r6730: register gensec_krb5 also with the drcrpc auth typeStefan Metzmacher1-0/+1
metze (This used to be commit 491d7804f5f5bdfb43ae09b81c2cbc34fab2246d)
2007-10-10r6729: Fix silly copy-paste bug spotted by metze.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 400899995b2c2ed54a114f8f55e5fb36592298b9)
2007-10-10r6728: Microsoft relies very strongly on getting the OIDs it expects, so weAndrew Bartlett1-1/+31
must register the 'MS' OID for the domain join to progress. Andrew Bartlett (This used to be commit c8fbda6bfd96d5d57cd52bc15d8695547effe2e3)
2007-10-10r6727: One more step down the long march to the 'Kerberos domain join'.Andrew Bartlett3-8/+350
This patch allows a suitably patched Heimdal GSSAPI library (detected in configure) to supply to us the session keys, and further compleats the gensec_gssapi module. This is tested for CIFS, but fails for LDAP at this point (that is what I'll work on next). We currently fill out the 'session info' from the SAM, like gensec_krb5 does, but both will need to use the PAC extraction functions in the near future. Andrew Bartlett (This used to be commit 937ee361615a487af9e0279145e75b6c27720a6b)
2007-10-10r6711: Clarify that we are dealing with a salting principal in the kerberosAndrew Bartlett1-40/+60
code, which is certainly not in the form of machine$. Rework the default salt to match what I just added to the heimdal server (Samba4 is back on speaking terms with lorikeet heimdal now), from Luke Howard's post to samba-technical in Nov 2004. Now to test compatability with MS... Andrew Bartlett (This used to be commit d719a0093bfe37fc62f28c7c02f17f93eec16abf)
2007-10-10r6705: let the gensec module decide if messages can be signed and sealed in ↵Stefan Metzmacher2-0/+6
a different order than a strict request - reply sequence Note: we should also fix the client code... metze (This used to be commit 0a61d1f65150546f7a7582512ca010d156f963bf)
2007-10-10r6704: fix compiler warningStefan Metzmacher1-1/+1
metze (This used to be commit 9d86314c44ae8e1ec21653b21cc267bfac573445)
2007-10-10r6703: fix the buildStefan Metzmacher1-1/+1
metze (This used to be commit 333f9bdf585db3df455009667d94deae568be02a)
2007-10-10r6701: Updates to our server-side ticket verification code, we now use theAndrew Bartlett1-57/+44
client credentials code to read the secrets.ldb. Also clean up error handling, and ensure to always set the last_error_message stuff. Andrew Bartlett (This used to be commit 435d229e5d1da349f00d80a36b599ae70468e99d)
2007-10-10r6700: Upper case realms in kerberos-specific parts of the code, as this isAndrew Bartlett1-1/+6
no longer done globally. This keeps MIT client libraries happy, because otherwise the windows KDC will return a different case to what was requested. Andrew Bartlett (This used to be commit 9098b9321f938473c367f906cfe2f001ca1d8e6a)
2007-10-10r6620: the type 23 schannel bind uses a workstation name, not an account nameAndrew Tridgell1-3/+6
(This used to be commit 250f1f69dd719a7981ec4c1698942b31826888d2)
2007-10-10r6610: Fix a const warning in the gensec spnego implementation. (A make protoTim Potter2-2/+2
is required after updating to this version). (This used to be commit 258d03ef9248b2827db18269e4f0883c73839084)
2007-10-10r6565: Cludge, cludge, cludge...Andrew Bartlett2-9/+5
We need to pass the 'secure channel type' to the NETLOGON layer, which must match the account type. (Yes, jelmer objects to this inclusion of the kitchen sink ;-) Andrew Bartlett (This used to be commit 8ee208a926d2b15fdc42753b1f9ee586564c6248)
2007-10-10r6544: Use common structures between SAMR, NETLGON and the Krb5 PAC.Andrew Bartlett1-5/+5
Fill out the group list for the SamLogon reply, so clients get the supplementary groups. Andrew Bartlett (This used to be commit d9c31e60a72c345e3a23a7eb742906bcfc18721c)
2007-10-10r6522: I have no idea why this change was made, but it not only breaksAndrew Bartlett1-2/+1
connections to Win2k3, it doesn't match the well-known behaviour from samba3. Andrew Bartlett (This used to be commit 99c9afe45a345e78d7492fe01463922460d66e99)
2007-10-10r6521: Include system/network.h to fix compiler warning.Tim Potter1-0/+1
(This used to be commit 45383f6cec3c380043be59f1e1c5bf82f3095abb)
2007-10-10r6498: Add comments in line with those I already added to 3.0.Andrew Bartlett1-0/+7
Please don't re-invent security=server :-) Andrew Bartlett (This used to be commit b3a38e9c8ce9758db31aec53db29290a240868be)
2007-10-10r6484: fix NTLMSSP client against w2k and w2k3Stefan Metzmacher1-0/+4
if we use lm_response = data_blob(NULL, 0); we got NT_STATUS_INVALID_PARAMETER (abartlet: we should maybe also give this error in our server code) metze (This used to be commit be5e301442c442a37bb6756d12b9f1452d634a17)
2007-10-10r6466: Spelling.Tim Potter1-1/+1
(This used to be commit 764b96792655be550d3c7065cb290bc6ea2b5133)
2007-10-10r6465: Use talloc_zero for the gensec_ntlmssp_state structure, as the historyAndrew Bartlett2-41/+6
of this code has too many pre-zeroed structure assumptions. Remove unused 'stub' functions Andrew Bartlett (This used to be commit 78dc57c65513ba4c271308d84fc2a2a533f76061)
2007-10-10r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundentAndrew Bartlett5-470/+419
struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2007-10-10r6463: Move NTLM2 and NTLM (v1) specific variables into a union for DCE/RPC.Andrew Bartlett3-69/+74
Andrew Bartlett (This used to be commit 227f2578da140067734f55b559760871ee4d0d12)
2007-10-10r6462: Move the arcfour sbox state into it's own structure, and allocate itAndrew Bartlett5-53/+29
with talloc() for the NTLMSSP system. Andrew Bartlett (This used to be commit 7a93ac49c28d433ccf0f077294f473fe728b9995)
2007-10-10r6460: Push the client credentials into NTLMSSP, allowing logins of the formAndrew Bartlett4-102/+92
user@REALM for the first time. Fix the build for smbencrypt.c Andrew Bartlett (This used to be commit 5a6a57cd93e22e612bfbb8a8f7bc29269a9a3ac6)
2007-10-10r6458: Split up NTLMSSP into a new directory, and into seperate files for theAndrew Bartlett10-1620/+1668
client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2007-10-10r6455: Remove wrapper functions, and ntlmssp_end (which is well handed by ↵Andrew Bartlett1-41/+5
talloc() now). Andrew Bartlett (This used to be commit fc3e3653ebc3accf94f9264d2bbfe1cb71b017d0)
2007-10-10r6454: Start to migrate NTLMSSP away from it's own API to just use GENSEC.Andrew Bartlett9-569/+492
The aim here is to remove the extra layer of abstraction, and to then use the credentials code directly in the NTLMSSP layer. Andrew Bartlett (This used to be commit b14c530dfd3e56975dea7e30aa8d62d4f2827700)
2007-10-10r6453: Move verbose errors for the schannel 'not in the DB, or DB corrupt' ↵Andrew Bartlett1-2/+4
error cases. Andrew Bartlett (This used to be commit 24f98f32aae3b8c45283715b27fa67b1d2e5c0f2)
2007-10-10r6359: Fix compiler warning with struct sockaddr. I'm sure I fixed this a fewTim Potter1-0/+1
weeks ago - weird. (This used to be commit 1738761d895461260dcba0dd81630cfa0ec43ae8)
2007-10-10r6340: - added an easy to use function to initialise a temporary ldb with ↵Andrew Tridgell1-0/+11
some ldif - init the schannel.ldb with some CASE_INSENSITIVE attributes (This used to be commit e6376b24303dc513e15c7e640c8c1c8d8ca11091)
2007-10-10r6322: Fix compile warning for struct sockaddr.Tim Potter1-0/+1
(This used to be commit 9c45f8d7bc21a4426091ea03f9f0681d7dad3edd)
2007-10-10r6128: fix the buildStefan Metzmacher1-2/+2
metze (This used to be commit 80593150341852af0816e69bd653c93228862e9b)
2007-10-10r6113: Move GENSEC and the kerberos code out of libcli/auth, and intoAndrew Bartlett27-3/+9962
auth/gensec and auth/kerberos. This also pulls the kerberos configure code out of libads (which is otherwise dead), and into auth/kerberos/kerberos.m4 Andrew Bartlett (This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)
2007-10-10r6028: A MAJOR update to intergrate the new credentails system fully withAndrew Bartlett1-1/+9
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'. GENSEC now no longer has it's own handling of 'set username' etc, instead it uses cli_credentials calls. In order to link the credentails code right though Samba, a lot of interfaces have changed to remove 'username, domain, password' arguments, and these have been replaced with a single 'struct cli_credentials'. In the session setup code, a new parameter 'workgroup' contains the client/server current workgroup, which seems unrelated to the authentication exchange (it was being filled in from the auth info). This allows in particular kerberos to only call back for passwords when it actually needs to perform the kinit. The kerberos code has been modified not to use the SPNEGO provided 'principal name' (in the mechListMIC), but to instead use the name the host was connected to as. This better matches Microsoft behaviour, is more secure and allows better use of standard kerberos functions. To achieve this, I made changes to our socket code so that the hostname (before name resolution) is now recorded on the socket. In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now in libcli/auth/schannel.c, and it looks much more like a standard GENSEC module. The actual sign/seal code moved to libcli/auth/schannel_sign.c in a previous commit. The schannel credentails structure is now merged with the rest of the credentails, as many of the values (username, workstation, domain) where already present there. This makes handling this in a generic manner much easier, as there is no longer a custom entry-point. The auth_domain module continues to be developed, but is now just as functional as auth_winbind. The changes here are consequential to the schannel changes. The only removed function at this point is the RPC-LOGIN test (simulating the load of a WinXP login), which needs much more work to clean it up (it contains copies of too much code from all over the torture suite, and I havn't been able to penetrate its 'structure'). Andrew Bartlett (This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2007-10-10r5988: Fix the -P option (use machine account credentials) to use the Samba4Andrew Bartlett2-56/+7
secrets system, and not the old system from Samba3. This allowed the code from auth_domain to be shared - we now only lookup the secrets.ldb in lib/credentials.c. In order to link the resultant binary, samdb_search() has been moved from deep inside rpc_server into lib/gendb.c, along with the existing gendb_search_v(). The vast majority of this patch is the simple rename that followed, (Depending on the whole SAMDB for just this function seemed pointless, and brought in futher dependencies, such as smbencrypt.c). Andrew Bartlett (This used to be commit e13c671619bd290a8b3cae8555cb281a9a185ee0)
2007-10-10r5985: Actually adding auth_domain.c in -r 5983 would probably have been aAndrew Bartlett1-0/+199
good idea.... Andrew Bartlett (This used to be commit 84b566a36bbe7101c5fbd90c131b13e6c259c990)
2007-10-10r5983: Start support for being a domain member in Samba4.Andrew Bartlett1-0/+12
This adds the auth_domain module to the auth subsystem, and cleans up some small details around the join process (ensuring all the right info is in the DB). Andrew Bartlett (This used to be commit 858cbfb8210239aa85a01da95e5beb9546a998a5)
2007-10-10r5895: Remove old auth_domain code - to be replaced with entirely new ↵Andrew Bartlett1-552/+0
implementation. Andrew Bartlett (This used to be commit a16339729d25fc5b12846207afe3800df7fca8d5)