summaryrefslogtreecommitdiff
path: root/source4/auth
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r21434: - get rid of "krb5Key"Stefan Metzmacher1-1/+1
- use "sambaPassword" only as virtual attribute for passing the cleartext password (in unix charset) into the ldb layer - store des-cbc-crc, des-cbc-md5 keys in the Primary:Kerberos blob to match w2k and w2k3 - aes key support is disabled by default, as we don't know exacly how longhorn stores them. use password_hash:create_aes_key=yes to force creation of them. - store the cleartext password in the Primary:CLEARTEXT blob if configured TODO: - find out how longhorn stores aes keys - find out how the Primary:WDigest blob needs to be constructed (not supported by w2k) metze (This used to be commit e20b53f6feaaca2cc81ee7d296ca3ff757ee3953)
2007-10-10r21362: rename:Stefan Metzmacher2-4/+4
"ntPwdHash" => "unicodePwd" "lmPwdHash" => "dBCSPwd" "sambaLMPwdHistory" => "lmPwdHistory" "sambaNTPwdHistory" => "ntPwdHistory" Note: you need to reprovision after this change! metze (This used to be commit dc4242c09c0402cbfdba912f82892df3153456ad)
2007-10-10r21314: add more usefull debug outputStefan Metzmacher1-6/+6
metze (This used to be commit a246e4bbaaab6f98f50a3c28b47d2c541af7b44a)
2007-10-10r21175: Fix the kerberos keytab update code to handle deletes.Andrew Bartlett1-3/+2
Fix the join code to know that the ldb layer handles the keytab update. Andrew Bartlett (This used to be commit d3fbc089f4161ae71b21077d50130fdabd8b2d77)
2007-10-10r21142: fix compiler warningsStefan Metzmacher1-0/+1
metze (This used to be commit 1f8a037ac4f592d29f7d66e1f924efe1c5d8c2b0)
2007-10-10r21135: Instead of having hooks to update keytabs as an explicit thing, updateAndrew Bartlett2-75/+18
them as a hook on ldb modify, via a module. This should allow the secrets.ldb to be edited by the admin, and to have things update in the on-disk keytab just as an in-memory keytab would. This isn't really a dsdb plugin, but I don't have any other good ideas about where to put it. Andrew Bartlett (This used to be commit 6ce557a1aff4754d2622be8f1c6695d9ee788d54)
2007-10-10r21039: Test some more failure paths (trying to increase the lcov score).Andrew Bartlett1-5/+0
Andrew Bartlett (This used to be commit 76812a0337fbfcb19939c6ee7a57975b6d690a4d)
2007-10-10r20988: Call out to Heimdal's krb5.conf processing to configure many aspectsAndrew Bartlett1-1/+28
of KDC behaviour. This should allow PKINIT to be turned on and managed with reasonable sanity. This also means that the krb5.conf in the same directory as the smb.conf will always have priority in Samba4, which I think will be useful. Andrew Bartlett (This used to be commit a50bbde81b010bc5d06e3fc3417ade44627eb771)
2007-10-10r20949: Looking over some lcov output, try and walk some error paths.Andrew Bartlett1-3/+3
Andrew Bartlett (This used to be commit 9ed9a032c249461e69242afc2e0ccdd47524064e)
2007-10-10r20646: first preparations for cluster enablement. This changes "Andrew Tridgell1-2/+2
uint32_t server_id to struct server_id server_id; which allows a server ID to have an node number. The node number will be zero in non-clustered case. This is the most basic hook needed for clustering, and ctdb. (This used to be commit 2365abaa991d57d68c6ebe9be608e01c907102eb)
2007-10-10r20639: Commit part 1 of 2.Andrew Bartlett1-2/+0
This patch updates our build system and glue to support a new snapshot of lorikeet-heimdal. We now procude a [SUBSYTEM] in the ans1_deps.pl script, and can depend on that in the heimdal_build/config.mk. This is much easier than listing every generated .o file individually. This required some small changes to the build system, due to the way the parent directory was handled for the output of scripts. I've also cleaned up et_deps.pl to handle cleaning up it's generated files on clean. The PAC glue in Heimdal has changed significantly: we no longer have a custom hack in the KDC, instead we have the windc plugin interface. As such, pac-glue.c is much smaller. In the future, when I'm confident of the new code, we will also be able to 'downsize' auth/kerberos/kerberos_pac.c. (I'll include the updated copy of heimdal in the next chekin, to make it clearer what's changed in Samba4 itself). Andrew Bartlett (This used to be commit 75fddbbc0811010a28ca5bb597b573b3f10ef6d6)
2007-10-10r20520: allow the caller to pass NULL if it doesn't want a session infoStefan Metzmacher1-3/+10
this can be used when we start to support the FAST BIND LDAP Control metze (This used to be commit 0a73d3262d5deb5a9d0052751336413fbea370b1)
2007-10-10r20352: Use the common function to find the DN for a domain.Andrew Bartlett1-6/+3
Andrew Bartlett (This used to be commit 929fd1beee5cab647702a9b8d8d5e4c2aab23d11)
2007-10-10r20275: we should check for the oid the caller gave us!Stefan Metzmacher1-1/+1
metze (This used to be commit 4b9e196288f2deb3594db9ba2dd36d774e774574)
2007-10-10r20274: add missing return statement and make it more explicit that we ↵Stefan Metzmacher1-2/+3
return a NULL DATA_BLOB metze (This used to be commit 7256481f08b5e860308e73c2b51926b55b1f4c43)
2007-10-10r20258: add functions to read and write asn1 encoded OID strings without ↵Stefan Metzmacher1-5/+5
leading tag metze (This used to be commit 576d4c54cca844164b90e5d6ec71fe44b59607b7)
2007-10-10r20149: Remove the smb.conf distinction between PDC and BDC. Now the correctAndrew Bartlett1-4/+2
way to setup a Samba4 DC is to set 'server role = domain controller'. We use the fSMORoleOwner attribute in the base DN to determine the PDC. This patch is quite large, as I have corrected a number of places that assumed taht we are always the PDC, or that used the smb.conf lp_server_role() to determine that. Also included is a warning fix in the SAMR code, where the IDL has seperated a couple of types for group display enumeration. We also now use the ldb database to determine if we should run the global catalog service. In the near future, I will complete the DRSUAPI DsGetDomainControllerInfo server-side on the same basis. Andrew Bartlett (This used to be commit 67d8365e831adf3eaecd8b34dcc481fc82565893)
2007-10-10r20135: attach default gensec features to the cli_credentials structure,Stefan Metzmacher3-0/+16
so make it possible to force encryption or signing. metze (This used to be commit a91dc4a02a46370c52f59cbd4dea9580fa6efafa)
2007-10-10r20108: match w2k3 and send 1.2.840.48018.1.2.2 before 1.2.840.113554.1.2.2Stefan Metzmacher1-1/+1
to work better against w2k, so we don't get redirected from 1.2.840.113554.1.2.2 to 1.2.840.48018.1.2.2 by a w2k server, causing 2 additional auth roundtrips. metze (This used to be commit fa5c942ee99d3b5779598aa75f71d0317ba3f622)
2007-10-10r20107: don't segfault when the server didn't send a supportedMech in a ↵Stefan Metzmacher1-0/+1
negTokenTarg this happens because we send 1.2.840.113554.1.2.2 before 1.2.840.48018.1.2.2 in the negTokenInit. And w2k's spnego code redirects us to use 1.2.840.48018.1.2.2 and then we start the our spnego engine with 1.2.840.48018.1.2.2 and in the then following negTokenTarg w2k don't send the supportedMech (which means it aggrees in what we've choosen) metze (This used to be commit 5af5488593991ab4a2a8e17d38501ad9ec539020)
2007-10-10r20034: Start using ldb_search_exp_fmt()Simo Sorce1-11/+3
(This used to be commit 4f07542143ddf5066f0360d965f26a8470504047)
2007-10-10r20010: cosmetic fixStefan Metzmacher1-1/+1
metze (This used to be commit 9c992a39db32cbe35f0ecb8fe98223bb24a1e973)
2007-10-10r19832: better prototypes for the linearization functions:Simo Sorce4-8/+8
- ldb_dn_get_linearized returns a const string - ldb_dn_alloc_linearized allocs astring with the linearized dn (This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
2007-10-10r19831: Big ldb_dn optimization and interfaces enhancement patchSimo Sorce4-9/+9
This patch changes a lot of the code in ldb_dn.c, and also removes and add a number of manipulation functions around. The aim is to avoid validating a dn if not necessary as the validation code is necessarily slow. This is mainly to speed up internal operations where input is not user generated and so we can assume the DNs need no validation. The code is designed to keep the data as a string if possible. The code is not yet 100% perfect, but pass all the tests so far. A memleak is certainly present, I'll work on that next. Simo. (This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
2007-10-10r19805: Add the (harmless, but apparently default)Andrew Bartlett3-2/+10
NTLMSSP_NEGOTIATE_ALWAYS_SIGN flags into the default set. Andrew Bartlett (This used to be commit 04709c75afda0234c7236fba674bf53a265f8dbb)
2007-10-10r19677: Fix more dependencies.Jelmer Vernooij1-1/+1
(This used to be commit 17c2557834aad8c85fb640054c942f99bbce1d94)
2007-10-10r19676: Fix some more dependencies.Jelmer Vernooij4-6/+6
(This used to be commit 8768bec81f57131a0c9754e8121b345c0be4a5d0)
2007-10-10r19674: auth didn't depdend on process_model!Stefan Metzmacher1-1/+1
metze (This used to be commit 30963753fcd9d8db17ca5c8476cc85b7084b7e87)
2007-10-10r19670: Reduce the number of unresolved symbols when building with shared ↵Jelmer Vernooij1-1/+1
libraries. (This used to be commit 4422031d1d9307539832cee165c5071ff12943e7)
2007-10-10r19664: fix compiler warnings...Stefan Metzmacher2-19/+19
should _krb5_find_type_in_ad() also take a const? metze (This used to be commit addc31bd9309cb2b41cbb548c82c80de1cf96c4f)
2007-10-10r19660: Forgot to tell gsskrb5 not to canonicalize hostnames. Shoudl fixAndrew Bartlett1-0/+8
valrind issues on fort, because we won't hit NSS any more. Andrew Bartlett (This used to be commit 6f67fa01ab4f946c9a9aae0d4e8d028153873e04)
2007-10-10r19650: Allow Samba to use Heimdal's SPNEGO code. Currently this can onlyAndrew Bartlett1-9/+49
negotiate krb5, but if this works, I'll add NTLM as a GSSAPI backend by some means or other. Andrew Bartlett (This used to be commit 476452e143f61a3878a3646864729daaddccdf68)
2007-10-10r19644: Merge up to current lorikeet-heimdal, incling addingAndrew Bartlett1-0/+18
gsskrb5_set_default_realm(), which should fix mimir's issues. Andrew Bartlett (This used to be commit 8117e76d2adee163925a29df872015ff5021a1d3)
2007-10-10r19635: It appears that under CFX, different keys are used in each directionAndrew Bartlett1-3/+3
(or something like that). In any case, we need to stick with the initiator subkey for now, until we figure out what Vista uses for the CIFS session key. Andrew Bartlett (This used to be commit b91a921e1393581ca0102ad1f49a1075acb91b4e)
2007-10-10r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in ↵Andrew Bartlett5-134/+146
favour of a more tasteful replacement. Remove kerberos_verify.c, as we don't need that code any more. Replace with code for using the new krb5_rd_req_ctx() borrowed from Heimdal's accecpt_sec_context.c Andrew Bartlett (This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)
2007-10-10r19629: No need to special case use of DCE_STYLE sign and seal away any more...Andrew Bartlett1-9/+0
Andrew Bartlett (This used to be commit 247b9f1ca907cf921087e6840400ddf68289b8f2)
2007-10-10r19628: This hint via Love at the IETF meeting:Andrew Bartlett1-0/+3
Larry told me that most context flags needed to be set to, otherwise it wouldn't work. This fixes DCE_STYLE against Win2k3 SP1. It seems they just tightened up their end of the GSSAPI code, as DCE_STYLE is explicity rejected in the session setup too (being the wrong layer). Andrew Bartlett (This used to be commit b2b77f34a4d0cebb828cac7bf9a73826fecab5b6)
2007-10-10r19614: fix compiler warningsStefan Metzmacher1-0/+2
metze (This used to be commit 1ca8651a59e95eeca2942e5e66c2141e3f65dd9f)
2007-10-10r19604: This is a massive commit, and I appologise in advance for it's size.Andrew Bartlett7-117/+159
This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
2007-10-10r19598: Ahead of a merge to current lorikeet-heimdal:Andrew Bartlett34-45/+108
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10r19597: Ahead of the merge to current lorikeet-heimdal:Andrew Bartlett1-59/+67
Supply the correct OID to the error display functions. Rework the session key functions. Andrew Bartlett (This used to be commit 363628c13f4e4a8904802dcf4d80e296ed2f9e02)
2007-10-10r19595: Seperate debug messages between database failure and simple lack ofAndrew Bartlett1-2/+9
records. Andrew Bartlett (This used to be commit 163f75372792b0afa72f48d64d78d82b72d8eda5)
2007-10-10r19573: Move secrets.o into param/ (subsystems haven't been integrated yet).Jelmer Vernooij1-1/+1
(This used to be commit 8143de855c0b65346b2d8e59ecdb78952927de4a)
2007-10-10r19568: When we get back a skew error, try with no skew. This allows us toAndrew Bartlett2-42/+50
recover from inheriting an invalid skew from a ccache. Andrew Bartlett (This used to be commit 4881f0583dd42083bb2bc2eeca32316f890c4804)
2007-10-10r19566: Predeclare some useful structures.Andrew Bartlett1-0/+3
(This used to be commit 160a59f0733a90db157ad48747c7fb72c2912829)
2007-10-10r19523: Remove unused functions.Andrew Bartlett1-152/+0
Andrew Bartlett (This used to be commit 3a3c1040a97e1d7d64e9e151ea4e1af79dcb976e)
2007-10-10r19507: Merge my DSO fixes branch. Building Samba's libraries as shared ↵Jelmer Vernooij4-5/+7
libraries works again now, by specifying --enable-dso to configure. (This used to be commit 7a01235067a4800b07b8919a6a475954bfb0b04c)
2007-10-10r19489: Change ldb_msg_add_value and ldb_msg_add_empty to take a foruth ↵Simo Sorce1-4/+4
argument. This is a pointer to an element pointer. If it is not null it will be filled with the pointer of the manipulated element. Will avoid double searches on the elements list in some cases. (This used to be commit 0fa5d4bc225b83e9f63ac6d75bffc4c08eb6b620)
2007-10-10r19465: Rather than use the non-standard API for determining the signatureAndrew Bartlett1-55/+8
length, use the amount the wapped message expanded by. This works, because GSSAPI doesn't do AEAD (signing of headers), and so changing the signature length after the fact is valid. Andrew Bartlett (This used to be commit bd1e0f679c8f2b9755051b8d34114fa127a7cf26)
2007-10-10r19339: Merge my 4.0-unittest branch. This adds an API for more fine-grainedJelmer Vernooij1-1/+1
output in the testsuite rather than just True or False for a set of tests. The aim is to use this for: * known failure lists (run all tests and detect tests that started working or started failing). This would allow us to get rid of the RPC-SAMBA3-* tests * nicer torture output * simplification of the testsuite system * compatibility with other unit testing systems * easier usage of smbtorture (being able to run one test and automatically set up the environment for that) This is still a work-in-progress; expect more updates over the next couple of days. (This used to be commit 0eb6097305776325c75081356309115f445a7218)