summaryrefslogtreecommitdiff
path: root/source4/auth
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r11401: A simple hack to have our central credentials system deny sending LMAndrew Bartlett4-0/+19
authentication for user@realm logins and machine account logins. This should avoid various protocol downgrade attacks. Andrew Bartlett (This used to be commit 76c2d204d0a1ec66d1ef3c935688c7571b051f46)
2007-10-10r11400: fix compiler warningsStefan Metzmacher2-6/+6
metze (This used to be commit a29a107d95b67248ccd6036084829b080c892e40)
2007-10-10r11399: Add another case where we need to fallback, if the KDC isn't there.Andrew Bartlett1-0/+4
Andrew Bartlett (This used to be commit e82fbb58ddaa3d38615d9a2d5e804f614edb2ff3)
2007-10-10r11394: Allow KDC unreachable as another 'forget about gssapi' error on SPNEGO.Andrew Bartlett1-0/+4
Andrew Bartlett (This used to be commit da24074860cb7029ef0ff45105170642174f45c1)
2007-10-10r11393: Avoid error messages and get more correctness with long plaintext ↵Andrew Bartlett1-14/+15
passwords. Andrew Bartlett (This used to be commit cb0b3c00572958f5ac8413cc651f627ca1871295)
2007-10-10r11382: Require number of required M4 macrosJelmer Vernooij2-8/+3
Make MODULE handling a bit more like BINARY, LIBRARY and SUBSYSTEM Add some more PUBLIC_HEADERS (This used to be commit 875eb8f4cc658e6aebab070029fd499a726ad520)
2007-10-10r11377: Add support for building LIBRARY elements as shared libraries:Jelmer Vernooij2-2/+5
- Adds -rpath bin/ so you don't have to install Samba in order to use compiled binaries. - Writes out pkg-config files when building shared libs - Supports automatic fallback to MERGEDOBJ (which is the default) or OBJ_LIST (if ld -r is not supported) Building with shared libs reduces the size of the Samba binaries from 197 Mb to 60 Mb (including libraries) on my system (GCC4, with debugging). To build with shared libraries support enabled, run: LIBRARY_OUTPUT_TYPE=SHARED_LIBRARY ./config.status init functions don't get called correctly yet when using shared libs, so you won't be able to actually run anything with success :-) Once init functions are done, I'll look at support for loading shared modules once again. Based on a patch by Peter Novodvorsky (nidd on IRC). (This used to be commit 0b54405685674a2b19a28d77aae5b1136b5a4728)
2007-10-10r11370: Samba4 now passes it's own RPC-SAMLOGON test again.Andrew Bartlett3-3/+32
This avoids the nasty user@DOMAIN test for now, as it has very odd semantics with NTLMv2. Allow only user accounts to do an interactive login. Andrew Bartlett (This used to be commit 690cad8083e176b2e58fc243a11a003a78ce4074)
2007-10-10r11366: Pass around the flags which indicate if we should support plaintextAndrew Bartlett4-13/+26
logins and NTLM machine account logins. Andrew Bartlett (This used to be commit 421e64c2b4192bb13d2857d6c8648ff687ed653e)
2007-10-10r11358: Ensure domains are always upper-case as well. Helps NTLMv2.Andrew Bartlett1-1/+4
Andrew Bartlett (This used to be commit 82527491b2212d34b676be1e26cc875ae2828e42)
2007-10-10r11350: Add some debugs to assist tracking down kerberos issues in future.Andrew Bartlett1-2/+26
(Make it easy to see what was put into the keytab, so we can tell when gssapi screams that it can't pull it out). Andrew Bartlett (This used to be commit c56142c4ac7541fc30bdf4c77e34f5a50d80da76)
2007-10-10r11342: Remove unused variables.Andrew Bartlett1-1/+0
Andrew Bartlett (This used to be commit eed8f4a03168a72910c829e490937c696c00b697)
2007-10-10r11325: Fix up some kerberos notes.Andrew Bartlett1-15/+14
Andrew Bartlett (This used to be commit 89623af30f25150da42a17f825e202b2ae9f7898)
2007-10-10r11315: Sorry gd, I just removed all of your code that I just merged...Andrew Bartlett1-2/+0
(We now ask the kerberos libraries to handle getting and unwapping the PAC). Andrew Bartlett (This used to be commit 6a0beb29da2aaa4d432cf9643924db3c2e77a858)
2007-10-10r11314: Use a patch from lha to have the kerberos libs extract the PAC, ratherAndrew Bartlett4-139/+50
than doing ASN.1 parsing in Samba. Also use the API function for getting a client from a ticket, rather than just digging in the structure. Andrew Bartlett (This used to be commit 25d5ea6d724bd2b64a6086ae6e2e1c5148b8ca4a)
2007-10-10r11313: TypoAndrew Bartlett1-1/+1
(This used to be commit 204185576c6a4df5e43e5a97cb13227407c09e6e)
2007-10-10r11312: Make it clear we are looking at the 'domain ref', not the domainAndrew Bartlett1-18/+18
itself in the auth_sam module. Andrew Bartlett (This used to be commit 0800942dbb1511586a896c6376c436a4552c54be)
2007-10-10r11303: Support defining and installing public headers for libraries.Jelmer Vernooij1-2/+2
Support installing libraries. Get rid of pkg-config file (will be autogenerated later on). (This used to be commit b4745032a2c55752c527026feb221ccc3dce10c8)
2007-10-10r11293: Use the right search when forming the data for the PAC.Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit ecacef213b28adb84d3ffb5b76bf1b079e25426c)
2007-10-10r11278: fix compiler warningsStefan Metzmacher1-14/+22
metze (This used to be commit 716e6b0c883836e50400413cccbeb6fab5cb5744)
2007-10-10r11273: Initialise the new server_info->logon_server element.Andrew Bartlett2-0/+9
Andrew Bartlett (This used to be commit bc6f6f9381b1038273f87feb35484dc61dd8bd8e)
2007-10-10r11272: In trying to track down why Win2k3 is again rejecting our PAC, ensureAndrew Bartlett4-90/+34
we can round-trip all the way back to a server_info structure, not just a filled in PAC_DATA. (I was worried about generated fields being incorrect, or some other logical flaw). Andrew Bartlett (This used to be commit 11b1d78cc550c60201d12f8778ca8533712a5b1e)
2007-10-10r11270: Move the core CrackNames code from rpc_server/drsuapi to dsdb/samdb.Andrew Bartlett3-88/+81
I'm sure this will not be the final resting place, but it will do for now. Use the cracknames code in auth/ for creating a server_info given a principal name only (should avoid assumtions about spliting a user@realm principal). Andrew Bartlett (This used to be commit c9d5d8e45dd7b7c99b6cf35b087bc18012f31222)
2007-10-10r11244: Relative path names in .mk filesJelmer Vernooij5-35/+39
(This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba)
2007-10-10r11239: Use ${REALM} for the realm in rootdse.ldifAndrew Bartlett1-2/+1
Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2007-10-10r11226: Cope with Samba3's behaviour on LDAP with GSS-SPNEGO.Andrew Bartlett1-2/+3
Andrew Bartlett (This used to be commit 4d9667f5a037eb15f6f0e4329314a37f148e9db7)
2007-10-10r11220: Add the ability to handle the salt prinicpal as part of theAndrew Bartlett5-29/+51
credentials. This works with the setup/secrets.ldif change from the previous patch, and pretty much just re-invents the keytab. Needed for kpasswdd work. Andrew Bartlett (This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5)
2007-10-10r11219: Now that we have the credentials hooked in here, we have a much moreAndrew Bartlett1-1/+10
reasonable value to fill in for the mechListMIC. Andrew Bartlett (This used to be commit 51d78de2b79f4ab75c86c3255c23a478c6822a0e)
2007-10-10r11218: Always return the mutual authentication reply (needed for kpasswd),Andrew Bartlett1-45/+12
and remove now duplicated unwrap_pac(). Andrew Bartlett (This used to be commit 90642d54e02e09edc96b9498e66befda20dbb68d)
2007-10-10r11216: Upgrade to gd's PAC extraction code from Samba3. While I still wantAndrew Bartlett4-47/+140
to make some this the kerberos library's problem, we may as well use the best code that is around. Andrew Bartlett (This used to be commit a7fe3078a65f958499779f381731b408f3e6fb1f)
2007-10-10r11215: Remove no-op prompter intended to work around bugs in old kerberos libs.Andrew Bartlett1-27/+1
I'm also worried this might cause loops, if we get a 'force password change', and the prompter tries to 'deal with it'. Andrew Bartlett (This used to be commit 5bc10c4e472b45c5b5b0ea0c3dd100be6f4dabca)
2007-10-10r11214: Remove scons files (see ↵Jelmer Vernooij4-54/+0
http://lists.samba.org/archive/samba-technical/2005-October/043443.html) (This used to be commit 7fffc5c9178158249be632ac0ca179c13bd1f98f)
2007-10-10r11212: Enable sealing of data with raw krb5, consolidate some code into theAndrew Bartlett1-61/+63
main gensec_krb5_start and always ask for sequence numbers. Andrew Bartlett (This used to be commit 801cd6c6ffa96ac79eb425adf7c97eb2cfcbed4a)
2007-10-10r11209: We can't read the priorSecret unless we ask for it.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit ee9a93688d31d8da91b81e9b0f6fac3fa4894c13)
2007-10-10r11204: Allow us to read credentials from secrets.ldb without aAndrew Bartlett1-6/+2
secureChannelType (non machine join records). Andrew Bartlett (This used to be commit 3dddf497ccf246af435e6e2802d8f3745f2e4fd3)
2007-10-10r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5Andrew Bartlett10-280/+302
authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
2007-10-10r11199: Push an objectSid into the schannel state database, to match the new ↵Andrew Bartlett1-10/+2
header. Andrew Bartlett (This used to be commit a665b56085cbf89c6deaeef0deaed31fcbc07458)
2007-10-10r11196: Clean up memory leaks (pointed out by vl), and handle the case whereAndrew Bartlett1-11/+47
the client doesn't guess correctly on the mech to use. It must back off and try the mech the server selected from the list. I'm not particularly attached to our SPNEGO parser, so while I can't easily use the SPNEGO application logic in Heimdal, I'm going to look closely at using the asn1 routines to avoid some pain here. Andrew Bartlett (This used to be commit 929217387449270b60c3f825dca3b3cae5a4f9d1)
2007-10-10r11081: Remember to remove unused variables.Jeremy Allison1-1/+0
Jeremy. (This used to be commit bfa41398a65037c6017b0af0ea1f0423011df150)
2007-10-10r11080: Narrowing down on the #1828 PPC bug. The PPC client sends anJeremy Allison1-19/+7
initial NTLMSSP negotiate blob of only 16 bytes - no strings added ! (So don't try parsing them). Jeremy. (This used to be commit 42d93a317ab424a0720620b83c285b5118bcc06f)
2007-10-10r11076: Still working on bug #1828, PPC hell. The PPC client sends theJeremy Allison1-2/+12
NTLMSSP client and domain strings as Unicode, even when setting flags as OEM. Cope with this. Jeremy. (This used to be commit 77399e1cecc44674c3398143d8a5bb59c600abcd)
2007-10-10r11058: remove useless talloc contextStefan Metzmacher1-4/+1
metze (This used to be commit d9d3fe1b8aa34f5d87b73b94253b4230303cba76)
2007-10-10r11052: bring samba4 uptodate with the samba4-winsrepl branch,Stefan Metzmacher2-11/+0
before the bad merge metze (This used to be commit 471c0ca4abb17fb5f73c0efed195c67628c1c06e)
2007-10-10r11037:Stefan Metzmacher2-0/+11
(This used to be commit 6913e338405a5aca5c70cf6e022532c596ed0a36)
2007-10-10r10985: To aid in testing, this allows us to easily force kerberos to use ↵Andrew Bartlett1-5/+9
UDP or TCP. Andrew Bartlett (This used to be commit ae0b4028ff7033dab70687376c2090baa692cf58)
2007-10-10r10982: Move credentials.h into auth/credentials, and add flags needed byAndrew Bartlett1-0/+81
previous patch. Andrew Bartlett (This used to be commit 2c537d47ba99885c6462016342b1cc29df4c54c5)
2007-10-10r10981: Pull code to decide between and implement NTLMv2, NTLM and LMAndrew Bartlett4-139/+243
authentication out of the various callers and into the kitchen sink.. err, credentials subsystem. This should ensure consistant logic, as well as get us one step closer to security=server operation in future. Andrew Bartlett (This used to be commit 09c95763301c0f7770d56462e8af4169b8c171fb)
2007-10-10r10945: Free the salt after we are done with it. May need a merge to similarAndrew Bartlett1-2/+4
code in Samba3. Andrew Bartlett (This used to be commit 36e302bac87d0a07c86cc4c841d376c778630dab)
2007-10-10r10913: This patch isn't as big as it looks ...Andrew Tridgell1-9/+9
most of the changes are fixes to make all the ldb code compile without warnings on gcc4. Unfortunately That required a lot of casts :-( I have also added the start of an 'operational' module, which will replace the timestamp module, plus add support for some other operational attributes In ldb_msg_*() I added some new utility functions to make the operational module sane, and remove the 'ldb' argument from the ldb_msg_add_*() functions. That argument was only needed back in the early days of ldb when we didn't use the hierarchical talloc and thus needed a place to get the allocation function from. Now its just a pain to pass around everywhere. Also added a ldb_debug_set() function that calls ldb_debug() plus sets the result using ldb_set_errstring(). That saves on some awkward coding in a few places. (This used to be commit f6818daecca95760c12f79fd307770cbe3346f57)
2007-10-10r10894: make the handling of dn/distinguishedName much closer to realAndrew Tridgell1-0/+1
ldap. Also ensure we put a objectclass on our private ldb's, so they have some chance of being stored in ldap if you want to (This used to be commit 1af2cc067f70f6654d08387fc28def67229bb06a)