summaryrefslogtreecommitdiff
path: root/source4/auth
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r11993: As well as making an in-MEMORY keytab, allow a file-based keytab to ↵Andrew Bartlett1-98/+321
be updated. This allows a new password to be written in, and old entries removed (we keep kvno and kvno-1). Clean up the code a lot, and add comments on what it is doing... Andrew Bartlett (This used to be commit 0a911baabad60a43741269d29a96fdd74e54331a)
2007-10-10r11991: Null termainte the list of backends. (Makes it easier to walk the ↵Andrew Bartlett1-2/+2
list). Andrew Bartlett (This used to be commit fc4202dea88a72de061cb2e1caa7847fae37018f)
2007-10-10r11989: Rather than grabbing the machine account details at this point, grabAndrew Bartlett1-10/+1
them 'later'. We will need to handle the errors when we call the get_* methods. Andrew Bartlett (This used to be commit c6e572f87022b57cdfd8178eb5c23df67a92c453)
2007-10-10r11969: got rid of the very annoying 'failed to open /secrets.tdb'Andrew Tridgell1-1/+5
messages. As discussed with Andrew, this will soon be replaced with a system that marks the credentials to use the machine accout from the database rather than pre-loading the machine account details here. The reason we got the annoying messages is this was being called before smb.conf is loaded, so the code doesn't yet know the location of the private directory (This used to be commit 6aeb4bf3fe224a6f81962237bdda329ba828b493)
2007-10-10r11967: Fix more 64-bit warnings.Tim Potter1-4/+4
(This used to be commit 9c4436a124f874ae240feaf590141d48c33a635f)
2007-10-10r11940: Love has clarified why this code does what it does.Andrew Bartlett1-8/+0
Andrew Bartlett (This used to be commit 9b3dedbc0bb12897a8f9bd4ec864de26b3835981)
2007-10-10r11929: Add static, comments.Andrew Bartlett1-3/+3
Andrew Bartlett (This used to be commit 41f09ef9342d0c9f09475a189d2bbdb50e611528)
2007-10-10r11928: More Kerberos musings...Andrew Bartlett1-20/+64
Andrew Bartlett (This used to be commit 571f9c9c51b93946d23f2b35ef76ac881994b8cc)
2007-10-10r11601: try to fix the build on IRIX 6.5 us4Stefan Metzmacher1-0/+3
abartlet, tridge, lha: is there a better way? metze (This used to be commit b2b4969bdcdd85b1093d91184ff10eff9f74e550)
2007-10-10r11600: remove unused codeStefan Metzmacher2-1678/+0
metze (This used to be commit 06ccbc3fa99dc6396b2fe46adb51ef42431669eb)
2007-10-10r11599: remove local (and broken) version of strhaslower() strhasupper()Stefan Metzmacher1-24/+0
metze (This used to be commit 35e17abb8763e4d90725d007fefa76965260c124)
2007-10-10r11567: Ldb API change patch.Simo Sorce1-10/+11
This patch changes the way lsb_search is called and the meaning of the returned integer. The last argument of ldb_search is changed from struct ldb_message to struct ldb_result which contains a pointer to a struct ldb_message list and a count of the number of messages. The return is not the count of messages anymore but instead it is an ldb error value. I tryed to keep the patch as tiny as possible bu as you can guess I had to change a good amount of places. I also tried to double check all my changes being sure that the calling functions would still behave as before. But this patch is big enough that I fear some bug may have been introduced anyway even if it passes the test suite. So if you are currently working on any file being touched please give it a deep look and blame me for any error. Simo. (This used to be commit 22c8c97e6fb466b41859e090e959d7f1134be780)
2007-10-10r11543: A major upgrade to our KDC and PAC handling.Andrew Bartlett5-45/+67
We now put the PAC in the AS-REP, so that the client has it in the TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the client wants a ticket. This should also allow us to interop with windows KDCs. If we get an invalid PAC at the TGS stage, we just drop it. I'm slowly trying to move the application logic out of hdb-ldb.c, and back in with the rest of Samba's auth system, for consistancy. This continues that trend. Andrew Bartlett (This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
2007-10-10r11538: More notes on things we need.Andrew Bartlett1-0/+3
Andrew Bartlett (This used to be commit 890ad0412b9ee285fa25e8bab785a960a201057e)
2007-10-10r11537: Make the authsam_account_ok routine callable by external users (the ↵Andrew Bartlett1-19/+21
KDC). Andrew Bartlett (This used to be commit 1643ad169cff56f20ba03644dec12124139ac44a)
2007-10-10r11525: Move lookups (including the attribute search) for users fromAndrew Bartlett1-69/+105
kdc/hdb-ldb.c to share the routines used for auth/ This will require keeping the attribute list in sync, but I think it is worth it for the next steps (sharing the server_info generation). Andrew Bartlett (This used to be commit da38bcefa752a508abd28e8ff6277b493d24c2dd)
2007-10-10r11522: Add support for delegated credentials and machine account credentialsAndrew Bartlett1-0/+20
to ldb, based on the sessionInfo we now pass around. Andrew Bartlett (This used to be commit 84e16e4ea7240409f15efd9f64344f9e0cec8111)
2007-10-10r11521: Add in client support for checking supportedSASLmechanisms, and thenAndrew Bartlett3-5/+74
determining a mechanism to use. Currently it doesn't to fallbacks like SPNEGO does, but this could be added (to GENSEC, not to here). This also adds a new function to GENSEC, which returns a list of SASL names in our preference order (currently determined by the build system of all things...). Also make the similar function used for OIDs in SPNEGO do the same. This is all a very long-winded way of moving from a hard-coded NTLM to GSS-SPNEGO in our SASL client... Andrew Bartlett (This used to be commit 130eb9bb9a37957614c87e0e6846a812abb51e00)
2007-10-10r11520: indentAndrew Bartlett1-1/+1
(This used to be commit ce611eb5f31bc63fc23700e7a2c47e68b8f826aa)
2007-10-10r11514: Fixup debug messageAndrew Bartlett1-1/+1
(This used to be commit b2372cad367a29d7dca596dace703a349b381a09)
2007-10-10r11470: To a server trusted for delegation (checked for in the gss libs),Andrew Bartlett1-1/+1
delegate by default. Andrew Bartlett (This used to be commit 49d489c81d5b5c86e032ed6edfda4590d1d1f2be)
2007-10-10r11468: Merge a bit more of init_sec_context from Heimdal CVS into ourAndrew Bartlett1-1/+8
DCE_STYLE modified version, and add parametric options to control delegation. It turns out the only remaining issue is sending delegated credentials to a windows server, probably due to the bug lha mentions in his blog (using the wrong key). If I turn delgation on in smbclient, but off in smbd, I can proxy a cifs session. I can't wait till Heimdal 0.8, so I'll see if I can figure out the fix myself :-) Andrew Bartlett (This used to be commit fd5fd03570c13f5644e53ff89ac8eca7c0985740)
2007-10-10r11452: Update Heimdal to current lorikeet, including removing the ccache sideAndrew Bartlett7-52/+178
of the gsskrb5_acquire_cred hack. Add support for delegated credentials into the auth and credentials subsystem, and specifically into gensec_gssapi. Add the CIFS NTVFS handler as a consumer of delegated credentials, when no user/domain/password is specified. Andrew Bartlett (This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448)
2007-10-10r11441: Remove the auth_domain module from Samba4, as we will only do thingsAndrew Bartlett2-169/+0
via winbindd in Samba4. Andrew Bartlett (This used to be commit e63be25d0b6edbb17f0747663b0570145a4d55fb)
2007-10-10r11440: Actually check the right thing for 'is this a machine account' ↵Andrew Bartlett1-1/+1
(thanks metze). Andrew Bartlett (This used to be commit 848831a1559d6569359bd6fb4993ccbef6ad86d8)
2007-10-10r11414: Add passing around of logon_parameters to Samba4 auth_winbindAndrew Bartlett1-0/+3
Andrew Bartlett (This used to be commit 7e3c22f57be215b483ae15de4f754ed4188b5379)
2007-10-10r11401: A simple hack to have our central credentials system deny sending LMAndrew Bartlett4-0/+19
authentication for user@realm logins and machine account logins. This should avoid various protocol downgrade attacks. Andrew Bartlett (This used to be commit 76c2d204d0a1ec66d1ef3c935688c7571b051f46)
2007-10-10r11400: fix compiler warningsStefan Metzmacher2-6/+6
metze (This used to be commit a29a107d95b67248ccd6036084829b080c892e40)
2007-10-10r11399: Add another case where we need to fallback, if the KDC isn't there.Andrew Bartlett1-0/+4
Andrew Bartlett (This used to be commit e82fbb58ddaa3d38615d9a2d5e804f614edb2ff3)
2007-10-10r11394: Allow KDC unreachable as another 'forget about gssapi' error on SPNEGO.Andrew Bartlett1-0/+4
Andrew Bartlett (This used to be commit da24074860cb7029ef0ff45105170642174f45c1)
2007-10-10r11393: Avoid error messages and get more correctness with long plaintext ↵Andrew Bartlett1-14/+15
passwords. Andrew Bartlett (This used to be commit cb0b3c00572958f5ac8413cc651f627ca1871295)
2007-10-10r11382: Require number of required M4 macrosJelmer Vernooij2-8/+3
Make MODULE handling a bit more like BINARY, LIBRARY and SUBSYSTEM Add some more PUBLIC_HEADERS (This used to be commit 875eb8f4cc658e6aebab070029fd499a726ad520)
2007-10-10r11377: Add support for building LIBRARY elements as shared libraries:Jelmer Vernooij2-2/+5
- Adds -rpath bin/ so you don't have to install Samba in order to use compiled binaries. - Writes out pkg-config files when building shared libs - Supports automatic fallback to MERGEDOBJ (which is the default) or OBJ_LIST (if ld -r is not supported) Building with shared libs reduces the size of the Samba binaries from 197 Mb to 60 Mb (including libraries) on my system (GCC4, with debugging). To build with shared libraries support enabled, run: LIBRARY_OUTPUT_TYPE=SHARED_LIBRARY ./config.status init functions don't get called correctly yet when using shared libs, so you won't be able to actually run anything with success :-) Once init functions are done, I'll look at support for loading shared modules once again. Based on a patch by Peter Novodvorsky (nidd on IRC). (This used to be commit 0b54405685674a2b19a28d77aae5b1136b5a4728)
2007-10-10r11370: Samba4 now passes it's own RPC-SAMLOGON test again.Andrew Bartlett3-3/+32
This avoids the nasty user@DOMAIN test for now, as it has very odd semantics with NTLMv2. Allow only user accounts to do an interactive login. Andrew Bartlett (This used to be commit 690cad8083e176b2e58fc243a11a003a78ce4074)
2007-10-10r11366: Pass around the flags which indicate if we should support plaintextAndrew Bartlett4-13/+26
logins and NTLM machine account logins. Andrew Bartlett (This used to be commit 421e64c2b4192bb13d2857d6c8648ff687ed653e)
2007-10-10r11358: Ensure domains are always upper-case as well. Helps NTLMv2.Andrew Bartlett1-1/+4
Andrew Bartlett (This used to be commit 82527491b2212d34b676be1e26cc875ae2828e42)
2007-10-10r11350: Add some debugs to assist tracking down kerberos issues in future.Andrew Bartlett1-2/+26
(Make it easy to see what was put into the keytab, so we can tell when gssapi screams that it can't pull it out). Andrew Bartlett (This used to be commit c56142c4ac7541fc30bdf4c77e34f5a50d80da76)
2007-10-10r11342: Remove unused variables.Andrew Bartlett1-1/+0
Andrew Bartlett (This used to be commit eed8f4a03168a72910c829e490937c696c00b697)
2007-10-10r11325: Fix up some kerberos notes.Andrew Bartlett1-15/+14
Andrew Bartlett (This used to be commit 89623af30f25150da42a17f825e202b2ae9f7898)
2007-10-10r11315: Sorry gd, I just removed all of your code that I just merged...Andrew Bartlett1-2/+0
(We now ask the kerberos libraries to handle getting and unwapping the PAC). Andrew Bartlett (This used to be commit 6a0beb29da2aaa4d432cf9643924db3c2e77a858)
2007-10-10r11314: Use a patch from lha to have the kerberos libs extract the PAC, ratherAndrew Bartlett4-139/+50
than doing ASN.1 parsing in Samba. Also use the API function for getting a client from a ticket, rather than just digging in the structure. Andrew Bartlett (This used to be commit 25d5ea6d724bd2b64a6086ae6e2e1c5148b8ca4a)
2007-10-10r11313: TypoAndrew Bartlett1-1/+1
(This used to be commit 204185576c6a4df5e43e5a97cb13227407c09e6e)
2007-10-10r11312: Make it clear we are looking at the 'domain ref', not the domainAndrew Bartlett1-18/+18
itself in the auth_sam module. Andrew Bartlett (This used to be commit 0800942dbb1511586a896c6376c436a4552c54be)
2007-10-10r11303: Support defining and installing public headers for libraries.Jelmer Vernooij1-2/+2
Support installing libraries. Get rid of pkg-config file (will be autogenerated later on). (This used to be commit b4745032a2c55752c527026feb221ccc3dce10c8)
2007-10-10r11293: Use the right search when forming the data for the PAC.Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit ecacef213b28adb84d3ffb5b76bf1b079e25426c)
2007-10-10r11278: fix compiler warningsStefan Metzmacher1-14/+22
metze (This used to be commit 716e6b0c883836e50400413cccbeb6fab5cb5744)
2007-10-10r11273: Initialise the new server_info->logon_server element.Andrew Bartlett2-0/+9
Andrew Bartlett (This used to be commit bc6f6f9381b1038273f87feb35484dc61dd8bd8e)
2007-10-10r11272: In trying to track down why Win2k3 is again rejecting our PAC, ensureAndrew Bartlett4-90/+34
we can round-trip all the way back to a server_info structure, not just a filled in PAC_DATA. (I was worried about generated fields being incorrect, or some other logical flaw). Andrew Bartlett (This used to be commit 11b1d78cc550c60201d12f8778ca8533712a5b1e)
2007-10-10r11270: Move the core CrackNames code from rpc_server/drsuapi to dsdb/samdb.Andrew Bartlett3-88/+81
I'm sure this will not be the final resting place, but it will do for now. Use the cracknames code in auth/ for creating a server_info given a principal name only (should avoid assumtions about spliting a user@realm principal). Andrew Bartlett (This used to be commit c9d5d8e45dd7b7c99b6cf35b087bc18012f31222)
2007-10-10r11244: Relative path names in .mk filesJelmer Vernooij5-35/+39
(This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba)