summaryrefslogtreecommitdiff
path: root/source4/auth
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r23136: Set the event context onto the credentials in more places.Andrew Bartlett1-0/+1
This helps ensure that the kerberos code uses the right event context. Andrew Bartlett (This used to be commit cbdce358ae8f86c9b76a50537b931e56b07ee213)
2007-10-10r23132: Resolve an issue where we would use the ccache after we free()ed it.Andrew Bartlett2-31/+64
The problem was, we would set the ccache, then invalidate it as we set details from it (like the principal name from the ccache). Instead, set the ccache onto the credentials structure after we are done processing it. Andrew Bartlett (This used to be commit d285bd927c604d930fc44cc84ef3321aa4ce9d9a)
2007-10-10r23063: Make sure to invalidate the ccache when we set aAndrew Bartlett3-6/+70
username/password/realm/etc from the command line. Also make sure it can't 'come back' from a later call to cli_credentials_guess(), buy setting a threshold. This should fix the issues with the build farm... Andrew Bartlett (This used to be commit 3b1dfb9306beb9f40d85d38cf6786ef161ec63f1)
2007-10-10r23036: error checking on asn1_init() failureAndrew Tridgell2-2/+22
(This used to be commit 26cf8494084c0106ef0e1c9b6ef40eeadf945ef2)
2007-10-10r23034: Thanks to metze for providing some vital clues in the 'kerberos ccacheAndrew Bartlett1-2/+6
on credentials don't do anything' bug. The problem was simple, we didn't set the ccache as having been initialised, so we always created a new one. Andrew Bartlett (This used to be commit ec2014f08b0845bc8aa0e8e6713bc4b21f430811)
2007-10-10r23030: finally fixed up our asn1 code to use better memory allocation. ThisAndrew Tridgell3-75/+68
should allow us to fix some long standing memory leaks. (This used to be commit 3db49c2ec9968221c1361785b94061046ecd159d)
2007-10-10r22990: free temporary memory also on success...Stefan Metzmacher1-0/+1
metze (This used to be commit 876a6ef4857a73987d1eba127161993cf07a613b)
2007-10-10r22987: Clarify how the events are handled in the kerberos code, andAndrew Bartlett1-7/+17
standardise with the rest of the code. Andrew Bartlett (This used to be commit 3aa9d70723d4377d29e33281b640499193b06c69)
2007-10-10r22969: fix some more places where we could end up with more than one eventAndrew Tridgell6-4/+31
context. We now have an event context on the torture_context, and we can also get one from the cli_credentials structure (This used to be commit c0f65eb6562e13530337c23e3447a6aa6eb8fc17)
2007-10-10r22967: Move to the TCP packet interface for the krb5_send_to_kdc plugin.Andrew Bartlett1-108/+95
This replaces a lump of hand-crafted code with the generic packet system used in the rest of Samba4. (I started this while chasing down the epoll bug, which turned out to be seperate) (This used to be commit 2a7dec4e5dc453f509493f80fc1270416f30a36e)
2007-10-10r22966: Make sure to return LOGON_FAILURE if the user's kerberos password isAndrew Bartlett3-6/+15
incorrect. Andrew Bartlett (This used to be commit 9dc6f36e43170bc5bf4f94d893b5a3689460d237)
2007-10-10r22961: use EVENT_FD_AUTOCLOSE and SOCKET_FLAG_NOCLOSE to fix up some hairyAndrew Tridgell1-1/+4
problems with order of socket closing in krb5 (This used to be commit 46a7d83c2b49798c6c5389c13ec2b9785c47b85b)
2007-10-10r22748: fix memleaks by passing an mem_ctx toStefan Metzmacher1-4/+4
irpc_servers_byname() metze (This used to be commit b54584dfabee77ec7743cab431bda9765057a295)
2007-10-10r22635: make it possible to not turn off dns canonicalization of hostnamesStefan Metzmacher2-2/+3
with krb5:set_dns_canonicalize=yes needed for the drsuapi replication, but we should fix this with a kdc locator plugin ... metze (This used to be commit f0a12355bcfab47663e62f3d8ae820815210cdc5)
2007-10-10r22627: fix crash msgs_tmp isn't always initializedStefan Metzmacher1-1/+1
and we don't need an extra allocated string anyway metze (This used to be commit 44c27b2fe6f130332d9f7c6bdd901eb025aa3eff)
2007-10-10r22621: fix the 'sam' auth moduleStefan Metzmacher1-33/+18
metze (This used to be commit 255acbb1132891e0316a38f1d4721863bb7a7226)
2007-10-10r22602: s/HAVE_SOCKET_IPV6/HAVE_IPV6/ to match the define used by Heimdal.Jelmer Vernooij1-1/+1
(This used to be commit 5ff665b6531fdb4c7e56c49b7f923546d93b384c)
2007-10-10r22594: This helped coax out valgrind errors last night, but we don't need ↵Andrew Bartlett1-2/+0
it any more. Andrew Bartlett (This used to be commit 367231ea2103b6442ecf8333cb7150dfd98c79f4)
2007-10-10r22582: Cleanups towards making winbind work again. We still have a long ↵Andrew Bartlett1-2/+5
way to go, as this has bitrotted over the past months. This change in particular catches winbind up with the next composite_create() function. We also needed to remove an unused flags field, and fill in the lm response. Andrew Bartlett (This used to be commit bd26e4ffaf1c060fdc3aae28fd4393e83c5a83ea)
2007-10-10r22558: Move to a static list of enctypes to put into our keytab. In future,Andrew Bartlett2-63/+74
I'll allow this to be configured from the secrets.ldb, but it should fix some user issues. Andrew Bartlett (This used to be commit 0fd74ada220fb07d4ebe8c2d9b8ae50a387c2695)
2007-10-10r22404: more dependencies which should be privateStefan Metzmacher3-12/+10
metze (This used to be commit e0e35965d1eaab182941d17da744b70c4234ca52)
2007-10-10r22397: hopefully fix the build on some aix hosts in the build-farmStefan Metzmacher1-1/+1
we need to make sure -Iheimdal/lib/gssapi comes before -I/usr/local/include metze (This used to be commit a6ba465fa8b0a4a0835593526d3f2670736c2c8e)
2007-10-10r22387: see if this fixes the build on the aix1 hostsStefan Metzmacher1-1/+1
metze (This used to be commit fbf1b1bfa015e2126102d8eaf8861d779c21d969)
2007-10-10r22385: remove unused includeStefan Metzmacher1-1/+0
metze (This used to be commit c8a210bc6fa2529944bb1303ba06fe0734bdd23e)
2007-10-10r22294: Lock the delegated credentials to being kerberos only, we just don'tAndrew Bartlett1-0/+6
have the data for anything else. Andrew Bartlett (This used to be commit 9e0c0cd0ff678388436430bb1ba4eb7595cbefbd)
2007-10-10r22293: Try to make it more clear what failed to parse.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 144ab7294d76397a5e6662d344105a0d59c9f423)
2007-10-10r22208: Print the target principal name, to help with kdc unreachable errors.Andrew Bartlett1-7/+4
Andrew Bartlett (This used to be commit bbde5b6a2f85f22110d6840857eaceb6b923c1b4)
2007-10-10r22199: fix typoStefan Metzmacher1-2/+2
metze (This used to be commit 4e8f844be939a6e11a3bece4e7e66534fce00cc0)
2007-10-10r22187: Test kerberos logins in the smbclient blackbox tests, including with aAndrew Bartlett1-0/+4
machine account. Andrew Bartlett (This used to be commit 16a2bb87a80ffb921f267492f453eb3457666315)
2007-10-10r22115: I don't like the DOMAIN environment variable. It really isn't a goodAndrew Bartlett1-4/+0
match for what we are using it for here. Andrew Bartlett (This used to be commit 305d1421efff3f01db1dce499568874965058e79)
2007-10-10r21736: Fix the smbclient test to do something more interesting with the lastAndrew Bartlett3-4/+5
few authentication tests. Now that the tests correctly 'fail', I was able to fix the credentials subsystem to honour USER and PASSWD. To get --machine-pass working, I needed ldb to always load it's static modules, so I put this in ldb_connect(). Andrew Bartlett (This used to be commit 3430d8c072407a1c33c32229095fc9db2142b6fa)
2007-10-10r21668: Add SMB_QFS_POSIX_WHOAMI to trans2.h so it's easy to find. AddJames Peach1-0/+15
convenience API to create an anonymous credential. Don't clobber cmdline_credentials in the UNIX-WHOAMI test. (This used to be commit 73cea4e0c66f57057ed12b07bbb94b4e783ba6bf)
2007-10-10r21451: if kerberos is requested ( -k yes ), we should use authentificated ↵Stefan Metzmacher1-0/+5
connections metze (This used to be commit 426238eb45f0cc41d99961ac554c2528fd8e96f5)
2007-10-10r21434: - get rid of "krb5Key"Stefan Metzmacher1-1/+1
- use "sambaPassword" only as virtual attribute for passing the cleartext password (in unix charset) into the ldb layer - store des-cbc-crc, des-cbc-md5 keys in the Primary:Kerberos blob to match w2k and w2k3 - aes key support is disabled by default, as we don't know exacly how longhorn stores them. use password_hash:create_aes_key=yes to force creation of them. - store the cleartext password in the Primary:CLEARTEXT blob if configured TODO: - find out how longhorn stores aes keys - find out how the Primary:WDigest blob needs to be constructed (not supported by w2k) metze (This used to be commit e20b53f6feaaca2cc81ee7d296ca3ff757ee3953)
2007-10-10r21362: rename:Stefan Metzmacher2-4/+4
"ntPwdHash" => "unicodePwd" "lmPwdHash" => "dBCSPwd" "sambaLMPwdHistory" => "lmPwdHistory" "sambaNTPwdHistory" => "ntPwdHistory" Note: you need to reprovision after this change! metze (This used to be commit dc4242c09c0402cbfdba912f82892df3153456ad)
2007-10-10r21314: add more usefull debug outputStefan Metzmacher1-6/+6
metze (This used to be commit a246e4bbaaab6f98f50a3c28b47d2c541af7b44a)
2007-10-10r21175: Fix the kerberos keytab update code to handle deletes.Andrew Bartlett1-3/+2
Fix the join code to know that the ldb layer handles the keytab update. Andrew Bartlett (This used to be commit d3fbc089f4161ae71b21077d50130fdabd8b2d77)
2007-10-10r21142: fix compiler warningsStefan Metzmacher1-0/+1
metze (This used to be commit 1f8a037ac4f592d29f7d66e1f924efe1c5d8c2b0)
2007-10-10r21135: Instead of having hooks to update keytabs as an explicit thing, updateAndrew Bartlett2-75/+18
them as a hook on ldb modify, via a module. This should allow the secrets.ldb to be edited by the admin, and to have things update in the on-disk keytab just as an in-memory keytab would. This isn't really a dsdb plugin, but I don't have any other good ideas about where to put it. Andrew Bartlett (This used to be commit 6ce557a1aff4754d2622be8f1c6695d9ee788d54)
2007-10-10r21039: Test some more failure paths (trying to increase the lcov score).Andrew Bartlett1-5/+0
Andrew Bartlett (This used to be commit 76812a0337fbfcb19939c6ee7a57975b6d690a4d)
2007-10-10r20988: Call out to Heimdal's krb5.conf processing to configure many aspectsAndrew Bartlett1-1/+28
of KDC behaviour. This should allow PKINIT to be turned on and managed with reasonable sanity. This also means that the krb5.conf in the same directory as the smb.conf will always have priority in Samba4, which I think will be useful. Andrew Bartlett (This used to be commit a50bbde81b010bc5d06e3fc3417ade44627eb771)
2007-10-10r20949: Looking over some lcov output, try and walk some error paths.Andrew Bartlett1-3/+3
Andrew Bartlett (This used to be commit 9ed9a032c249461e69242afc2e0ccdd47524064e)
2007-10-10r20646: first preparations for cluster enablement. This changes "Andrew Tridgell1-2/+2
uint32_t server_id to struct server_id server_id; which allows a server ID to have an node number. The node number will be zero in non-clustered case. This is the most basic hook needed for clustering, and ctdb. (This used to be commit 2365abaa991d57d68c6ebe9be608e01c907102eb)
2007-10-10r20639: Commit part 1 of 2.Andrew Bartlett1-2/+0
This patch updates our build system and glue to support a new snapshot of lorikeet-heimdal. We now procude a [SUBSYTEM] in the ans1_deps.pl script, and can depend on that in the heimdal_build/config.mk. This is much easier than listing every generated .o file individually. This required some small changes to the build system, due to the way the parent directory was handled for the output of scripts. I've also cleaned up et_deps.pl to handle cleaning up it's generated files on clean. The PAC glue in Heimdal has changed significantly: we no longer have a custom hack in the KDC, instead we have the windc plugin interface. As such, pac-glue.c is much smaller. In the future, when I'm confident of the new code, we will also be able to 'downsize' auth/kerberos/kerberos_pac.c. (I'll include the updated copy of heimdal in the next chekin, to make it clearer what's changed in Samba4 itself). Andrew Bartlett (This used to be commit 75fddbbc0811010a28ca5bb597b573b3f10ef6d6)
2007-10-10r20520: allow the caller to pass NULL if it doesn't want a session infoStefan Metzmacher1-3/+10
this can be used when we start to support the FAST BIND LDAP Control metze (This used to be commit 0a73d3262d5deb5a9d0052751336413fbea370b1)
2007-10-10r20352: Use the common function to find the DN for a domain.Andrew Bartlett1-6/+3
Andrew Bartlett (This used to be commit 929fd1beee5cab647702a9b8d8d5e4c2aab23d11)
2007-10-10r20275: we should check for the oid the caller gave us!Stefan Metzmacher1-1/+1
metze (This used to be commit 4b9e196288f2deb3594db9ba2dd36d774e774574)
2007-10-10r20274: add missing return statement and make it more explicit that we ↵Stefan Metzmacher1-2/+3
return a NULL DATA_BLOB metze (This used to be commit 7256481f08b5e860308e73c2b51926b55b1f4c43)
2007-10-10r20258: add functions to read and write asn1 encoded OID strings without ↵Stefan Metzmacher1-5/+5
leading tag metze (This used to be commit 576d4c54cca844164b90e5d6ec71fe44b59607b7)
2007-10-10r20149: Remove the smb.conf distinction between PDC and BDC. Now the correctAndrew Bartlett1-4/+2
way to setup a Samba4 DC is to set 'server role = domain controller'. We use the fSMORoleOwner attribute in the base DN to determine the PDC. This patch is quite large, as I have corrected a number of places that assumed taht we are always the PDC, or that used the smb.conf lp_server_role() to determine that. Also included is a warning fix in the SAMR code, where the IDL has seperated a couple of types for group display enumeration. We also now use the ldb database to determine if we should run the global catalog service. In the near future, I will complete the DRSUAPI DsGetDomainControllerInfo server-side on the same basis. Andrew Bartlett (This used to be commit 67d8365e831adf3eaecd8b34dcc481fc82565893)