summaryrefslogtreecommitdiff
path: root/source4/auth
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r7980: Forgot to add kerberos_pac.c to this config.mk file.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit bba58a1876353effbef540dd0db9e66db5343c35)
2007-10-10r7979: Metze reminded me to try one more combination, and we can now verifyAndrew Bartlett1-32/+14
the 'PAC', required for interopability with Active Directory. This is still a cludge, as it doesn't handle different encryption types, but that should be fairly easy to fix (needs PIDL/IDL changes). Andrew Bartlett (This used to be commit 690cfc44cef9b349cc31417d8353b6ce1c7832e1)
2007-10-10r7978: A start again on PAC verification. I have noticed that the kerberosAndrew Bartlett3-52/+43
keys appear at the end of the PAC, which I feel is deliberate (it makes this much easier). I still can't make it work, but I'm sure we are closer. Andrew Bartlett (This used to be commit 6f0e1c80ae7b1e31e7a3fbff84f07442ee5a31cf)
2007-10-10r7968: Pull the PAC from within GSSAPI, rather than only when using our ownAndrew Bartlett4-202/+277
'mock GSSAPI'. Many thanks to Luke Howard for the work he has done on Heimdal for XAD, to provide the right API hooks in GSSAPI. Next step is to verify the signatures, and to build the PAC for the KDC end. Andrew Bartlett (This used to be commit 2e82743c98e563e97c5a215d09efa0121854d0f7)
2007-10-10r7965: Remove the GENSEC password callback structure members, as these are noAndrew Bartlett2-5/+0
longer used. Andrew Bartlett (This used to be commit 14be7d95694dd7557af67dc94ee83a983d2f05f6)
2007-10-10r7935: auth_unix now uses crypt(), so depend on -lcrypt.Andrew Bartlett1-1/+1
This builds on the work tridge did to make -lcrypt conditional, rather than globally linked. This was needed for Heimdal stuff, but then I 'fixed' heimdal, and we now reintroduce it here. Andrew Bartlett (This used to be commit 83d9d8f4827280a68dfd07beccf2924c9e0825b0)
2007-10-10r7934: ported samba3 pass_check functions to auth_unix.cSimo Sorce1-5/+332
not having these platforms they are untested, let's hope the buildfarm can catch any problem (This used to be commit 08ec299dcbdc8dba12568b95b636866f147b2e7c)
2007-10-10r7863: removed an unused variableAndrew Tridgell1-1/+0
(This used to be commit 9ee3dbad6b0bc65f4f3ee64a52db765af8016738)
2007-10-10r7862: Updates to the Kerberos notes, based on recent changes and discoveries.Andrew Bartlett1-19/+90
Andrew Bartlett (This used to be commit 7d791d13bcd70288467bf3574d0394d34f973f18)
2007-10-10r7860: switch our ldb storage format to use a NDR encoded objectSid. This isAndrew Tridgell1-8/+7
quite a large change as we had lots of code that assumed that objectSid was a string in S- format. metze and simo tried to convince me to use NDR format months ago, but I didn't listen, so its fair that I have the pain of fixing all the code now :-) This builds on the ldb_register_samba_handlers() and ldif handlers code I did earlier this week. There are still three parts of this conversion I have not finished: - the ltdb index records need to use the string form of the objectSid (to keep the DNs sane). Until that it done I have disabled indexing on objectSid, which is a big performance hit, but allows us to pass all our tests while I rejig the indexing system to use a externally supplied conversion function - I haven't yet put in place the code that allows client to use the "S-xxx-yyy" form for objectSid in ldap search expressions. w2k3 supports this, presumably by looking for the "S-" prefix to determine what type of objectSid form is being used by the client. I have been working on ways to handle this, but am not happy with them yet so they aren't part of this patch - I need to change pidl to generate push functions that take a "const void *" instead of a "void*" for the data pointer. That will fix the couple of new warnings this code generates. Luckily it many places the conversion to NDR formatted records actually simplified the code, as it means we no longer need as many calls to dom_sid_parse_talloc(). In some places it got more complex, but not many. (This used to be commit d40bc2fa8ddd43560315688eebdbe98bdd02756c)
2007-10-10r7843: Use the new Heimdal gsskrb_acquire_creds API. This has the rightAndrew Bartlett2-31/+27
lifetime constraints, and works with the in-memory keytab. Move initialize_krb5_error_table() into our kerberos startup code, rather than in the GSSAPI code explitly. (Hmm, we probably don't need this at all..) Andrew Bartlett (This used to be commit bedf92da5c81066405c87c9e588842d3ca5ba945)
2007-10-10r7827: Add in-memory keytab to Samba4, using the new MEMORY_WILDCARD keytabAndrew Bartlett10-121/+322
support in Heimdal. This removes the 'ext_keytab' step from my Samba4/WinXP client howto. In doing this work, I realised that the replay cache in Heimdal is currently a no-op, so I have removed the calls to it, and therefore the mutex calls from passdb/secrets.c. This patch also includes a replacement 'magic' mechanism detection, that does not issue extra error messages from deep inside the GSSAPI code. Andrew Bartlett (This used to be commit c19d5706f4fa760415b727b970bc99e7f1abd064)
2007-10-10r7757: Add NTLMv2 support to the NT1 Session setup (ie, not SPNEGO/NTLMSSP)Andrew Bartlett1-1/+2
Session Setup code. Add a mem_ctx argument to a few of the NTLMv2 support functions, and add smb.conf options to control client NTLMv2 behaviour. Andrew Bartlett (This used to be commit 3f35cdb218a3dae08a05e77452ca9f73716ceb28)
2007-10-10r7704: - fixed open_nbt_connection() to return NULL when the connection failedAndrew Tridgell1-8/+8
- got rid of smbcli_shutdown() and use talloc_free() instead. (This used to be commit 1011b1bf51d420d6702ef448c894ea8ebeafa284)
2007-10-10r7690: Move the NT hash generation into the credentials system, rather thanAndrew Bartlett1-22/+21
in all the callers. This also allows us to be more flexible in the type of password we store. Andrew Bartlett (This used to be commit 00b8588c68526e1d86fda0bd81c0b86f690b62c3)
2007-10-10r7687: Some more tests that must be done only when krb5_config is absent.Andrew Bartlett1-4/+5
Andrew Bartlett (This used to be commit 898f72d19654c68ba68d36a099bf4dbed5d09fe9)
2007-10-10r7638: krb5_closelog in heimdal-0.7 not longer leaks memory, so remove that ↵Love Hörnquist Åstrand1-4/+0
comment (This used to be commit 3aa80b8e585a0acc57d4b7738dcccfba232948ca)
2007-10-10r7637: Another useful Heimdal feature we need.Andrew Bartlett1-0/+5
Andrew Bartlett (This used to be commit 57ddedc954f49fd370225494758326fcbd0bb500)
2007-10-10r7633: this patch started as an attempt to make the dcerpc code use a givenAndrew Tridgell6-14/+48
event_context for the socket_connect() call, so that when things that use dcerpc are running alongside anything else it doesn't block the whole process during a connect. Then of course I needed to change any code that created a dcerpc connection (such as the auth code) to also take an event context, and anything that called that and so on .... thus the size of the patch. There were 3 places where I punted: - abartlet wanted me to add a gensec_set_event_context() call instead of adding it to the gensec init calls. Andrew, my apologies for not doing this. I didn't do it as adding a new parameter allowed me to catch all the callers with the compiler. Now that its done, we could go back and use gensec_set_event_context() - the ejs code calls auth initialisation, which means it should pass in the event context from the web server. I punted on that. Needs fixing. - I used a NULL event context in dcom_get_pipe(). This is equivalent to what we did already, but should be fixed to use a callers event context. Jelmer, can you think of a clean way to do that? I also cleaned up a couple of things: - libnet_context_destroy() makes no sense. I removed it. - removed some unused vars in various places (This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
2007-10-10r7597: removed the bogus get_myfullname() and get_mydomname() calls, and putAndrew Tridgell1-0/+56
them in the ntlmssp code, which is the only place they are used. Andrew, please remove them completely once you have some more reliable way to get this info they are bogus as gethostname() may give us a short hostname (and does on lot of systems), so the calls often give totally the wrong result anyway (This used to be commit 35ec292f86bf663618b4bd03133d9bbd6e2faf10)
2007-10-10r7536: doesn't spam the smbd_log in the build_farm...Stefan Metzmacher1-1/+1
metze (This used to be commit 9f4ed54c58a1d029b171ad199dd4a7ccf1f96f64)
2007-10-10r7509: With the update to Heimdal 20050612 we no longer need krb5_freelog(),Andrew Bartlett3-3/+2
as krb5_closelog() no longer leaks memory. Andrew Bartlett (This used to be commit b0bf8a4a5f04b65655f4005b27c80eb098039720)
2007-10-10r7352: the internal heimdal build change. This changes quite a few things:Andrew Tridgell3-4/+5
- if you want kerberos now, you need to unpack a lorikeet heimdal tree in source/heimdal/. If source/heimdal/ does not exist at configure time then all kerberos features are disabled. You cannot use an external kerberos library for now. That may change later. - moved lib/replace/ config stuff to lib/replace/ and create a lib/replace/replace.h. That allows the heimdal build to use our portability layer, and prevenets duplicate definitions of functions like strlcat() - if you do enable heimdal, then you will need to do 'make HEIMDAL_EXTERNAL' before you build Samba. That should be fixed once I explain the problem to jelmer (the problem is the inability to set a depend without also dragging in the object list of the dependency. We need this for building the heimdal asn1 compiler and et compiler. - disabled all of the m4 checks for external kerberos libraries. I left them in place in auth/kerberos/, but disabled it in configure.in some of the heimdal_build/ code is still very rough, for example I don't correctly detect the correct awk, flex, bison replacements for heimdal_build/build_external.sh. I expect to fix that stuff up over the next few days. (This used to be commit d4648249b2c7fc8b5e7c0fc8d8f92ae043b5691f)
2007-10-10r7306: Use a consistant #define for detecting support for the Heimdal krb5Andrew Bartlett3-9/+9
log redirection code. Andrew Bartlett (This used to be commit 93335d587d9f48c46d9c3b91237f649693cf3003)
2007-10-10r7303: autodetect the libkdc and our kdc supportStefan Metzmacher1-7/+28
btw: I use this for configuring heimdal >>> CONFIG="CFLAGS=\"-g -O -Wall -Wstrict-prototypes -Wpointer-arith -Wcast-align -Wwrite-strings -Wdeclaration-after-statement\" \ CC=gcc-4.0 \ ./configure -C --prefix=$HOME/prefix/heimdal-test \ --sysconfdir=/etc \ --enable-shared=no \ --with-ldb=$HOME/prefix/ldb \ --without-openldap \ --without-openssl $@" echo $CONFIG eval $CONFIG >>> maybe you also want to use --disable-berkeley-db metze (This used to be commit 2aec140e00770df78ba31ef91109634ce0aa3d8a)
2007-10-10r7291: Additional notes on what we require from a kerberos implementation.Andrew Bartlett1-1/+36
Andrew Bartlett (This used to be commit a8d3493b6f7a0c28465b00bbadf24e152422e4b5)
2007-10-10r7285: It appears that MIT Kerberos does not have the log redirectionAndrew Bartlett3-2/+23
facility that I'm using. This should let us compile the non-KDC components on MIT again. Andrew Bartlett (This used to be commit ae9c2d2b54a979ab8467c847b62dd2c2a0fa059f)
2007-10-10r7270: A big revamp to the way we handle kerberos errors in Samba4. We nowAndrew Bartlett6-89/+159
fill in the function pointers to handle the logging, and catch all the kerberos warnings. (Currently at level 3). To avoid a memory leak, this requries a new function: krb5_freelog(), which I've added to lorikeet/heimdal. This also required a revamp to how we handle the krb5_context, so as to make it easier to handle with talloc destructors. Andrew Bartlett (This used to be commit 63272794c41231b335b73e7ccf349282f295c4d2)
2007-10-10r7269: talloc_steal() is preferred where possible, as it can't fail and doesAndrew Bartlett1-2/+2
not have some of the issues of talloc_reference(). Andrew Bartlett (This used to be commit 2fb413355a7cd7b5cee02237d2fbff91381435e5)
2007-10-10r7258: Fix the final linking error with libkdc - we need to link libhdb as well.Andrew Bartlett1-0/+1
With this fix, I can request tickets from our built-in KDC! Andrew Bartlett (This used to be commit d7cd76013bdf000831790b29b9d0b401151bf5c2)
2007-10-10r7257: Ensure the error message can never be uninitialised.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit fdd964582a4b102978fbc29dbf71de52bd30a155)
2007-10-10r7242: typoSimo Sorce1-1/+1
(This used to be commit 4444585f06cf8a061a615002107cbb7560604f7f)
2007-10-10r7241: The KDC almost links...Andrew Bartlett1-0/+5
Using current lorikeet/heimdal, and with the KDC module enabled (it is disabled by default), I almost get the KDC to link. (To enable the KDC for testing, comment out the only line in smbd/config.m4, and add 'kdc' to the 'server services' line in smb.conf). (This used to be commit 26cd4b4f68a370390e08263067402c6c70e49ec8)
2007-10-10r7240: Don't call our fancy error message routines on a null context.Andrew Bartlett1-2/+1
Andrew Bartlett (This used to be commit 35877387c8e345d30d7598d1a139067a26cc1f7f)
2007-10-10r7233: what about filling that new element ?Simo Sorce1-0/+3
(This used to be commit 6a5e48c35cba801b16172cf6ff06b1d4116fb018)
2007-10-10r7232: add some more auth stuffSimo Sorce3-80/+442
enables us to authenticate against system users (only PAM support right now) (This used to be commit 0c894de58b7850a2905b73eb17c42d7e87cb9f87)
2007-10-10r7224: add some more usefull data to the auth_usersupplied_info structSimo Sorce2-5/+14
(This used to be commit e40c44e9cdc0be7c52207f8479568804e7d9cff2)
2007-10-10r7219: Don't allow 'binding' to be used uninitilaised.Andrew Bartlett1-0/+2
Andrew Bartlett (This used to be commit 3dd730fbc880ddc4f2efc6105cd21ec45f4afdd5)
2007-10-10r7218: Don't use an uninitialised variable in an error message.Andrew Bartlett1-2/+1
Andrew Bartlett (This used to be commit 1f68cf7d0eb5de18da7f9d14c729caf314740601)
2007-10-10r6939: Get rid of SUBSYSTEM::NDR since all it did was require NDR_RAW.Tim Potter1-2/+2
(This used to be commit e077d9948f1406c61982d49c2fd925852fdf6553)
2007-10-10r6883: Move to what simo assures me is the 'correct' way to find the NetBIOSAndrew Bartlett1-12/+35
and long names for a domain. Add servicePrincipalName mapping table (administrator configurable), in the same spot as microsoft uses. Andrew Bartlett (This used to be commit c25e78b4b34384a3a79a920f50f01be696a048ba)
2007-10-10r6882: Put in configure tests and #ifdef to keep Samba building on older ↵Andrew Bartlett2-1/+4
Heimdal. Andrew Bartlett (This used to be commit f2e926192595c74bd9cc8a3343e0fcf27a1de38b)
2007-10-10r6839: Add support for building subsystems as shared libraries. This can beJelmer Vernooij1-2/+2
done by setting: OUTPUT_TYPE = SHARED_LIBRARY in the [SUBSYSTEM::...] section belonging to a subsystem. The idea is to allow multiple values to OUTPUT_TYPE simultaneously (e.g. OUTPUT_TYPE = SHARED_LIBRARY, STATIC_LIBRARY, OBJLIST ) (This used to be commit b9d0ae93ba86fec0115f58e7940b2a6c908bc809)
2007-10-10r6838: Remove unnecessary calls to gensec_gsskrb5Jelmer Vernooij1-4/+0
Make the build system give a proper warning about this in the future (This used to be commit 2d980465af87d25ce17b8340c6b5f662ef29edd3)
2007-10-10r6819: More notes on krb5 requirementsAndrew Bartlett1-18/+66
Andrew Bartlett (This used to be commit dbd845998723987c75dc0e6a427330116dce0bf4)
2007-10-10r6810: Rename auth/{ntlmssp,gensec,kerberos} mk and m4 files to be calledTim Potter5-0/+5
config.mk and config.m4 to be consistent with the rest of Samba. (This used to be commit f377c71e4f0d60684326906dfb65e4581294ec34)
2007-10-10r6805: Remove two remaining references to gensec_gsskrb5Jelmer Vernooij2-5/+0
(This used to be commit a02e07739781eb00b521d050ab06d6b0aedf47bc)
2007-10-10r6803: Try to bring in the correct GSSAPI headers for the krb5 mech. ThisAndrew Bartlett3-32/+11
should allow us to ditch the local static storage for OIDs, as well as fix the build on non-heimdal platforms. Andrew Bartlett (This used to be commit a7e2ecfac9aaacd673e3583b62139e4f4e114429)
2007-10-10r6801: It appears that krb5_make_principal, while convenient, is not portable.Andrew Bartlett1-4/+13
Andrew Bartlett (This used to be commit c8e8fa129ed0c80bcd289445935047c28d48da64)
2007-10-10r6800: A big GENSEC update:Andrew Bartlett10-335/+557
Finally remove the distinction between 'krb5' and 'ms_krb5'. We now don't do kerberos stuff twice on failure. The solution to this is slightly more general than perhaps was really required (as this is a special case), but it works, and I'm happy with the cleanup I achived in the process. All modules have been updated to supply a NULL-terminated list of OIDs. In that process, SPNEGO code has been generalised, as I realised that two of the functions should have been identical in behaviour. Over in the actual modules, I have worked to remove the 'kinit' code from gensec_krb5, and placed it in kerberos/kerberos_util.c. The GSSAPI module has been extended to use this, so no longer requires a manual kinit at the command line. It will soon loose the requirement for a on-disk keytab too. The general kerberos code has also been updated to move from error_message() to our routine which gets the Heimdal error string (which may be much more useful) when available. Andrew Bartlett (This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)