| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
|
|
- gtk+ (returned by GtkHostBindingDialog as well now)
- torture/
- librpc/
- lib/com/dcom/
(This used to be commit ccefd782335e01e8e6ecb2bcd28a4f999c53b1a6)
|
|
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
|
|
metze
(This used to be commit 344367cc4cdb232c394ce45ab64cc357cce4259f)
|
|
large commit. I thought this was worthwhile to get done for
consistency.
(This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
|
|
GENSEC.
Andrew Bartlett
(This used to be commit c7acea9d5a097b51693f41de93274b857f7be0e3)
|
|
.enabled = True
on modules we know are good (and we want on be default) seems neater.
Andrew Bartlett
(This used to be commit 18850c66b7c8ac5e8caf08151dbb9b72cf93230f)
|
|
definition, not by hardcoded reference in loadparm.c
Andrew Bartlett
(This used to be commit 43558eaf7604d2bb0187e0d1ba0686935a965ad7)
|
|
In developing a GSSAPI plugin for GENSEC, it became clear that the API
needed to change:
- GSSAPI exposes only a wrap() and unwrap() interface, and determines
the location of the signature itself.
- The 'have feature' API did not correctly function in the recursive
SPNEGO environment.
As such, NTLMSSP has been updated to support these methods.
The LDAP client and server have been updated to use the new wrap() and
unwrap() methods, and now pass the LDAP-* tests in our smbtorture.
(Unfortunely I still get valgrind warnings, in the code that was
previously unreachable).
Andrew Bartlett
(This used to be commit 9923c3bc1b5a6e93a5996aadb039bd229e888ac6)
|
|
favor of talloc_free().
Andrew Bartlett
(This used to be commit 1933cd12fbaed56e13f2386b19de6ade99bf9478)
|
|
- Update Samba4's kerberos code to match the 'salting' changes in
Samba3 (and many other cleanups by jra).
- Move GENSEC into the modern era of talloc destructors. This avoids
many of the memory leaks in this code, as we now can't somehow
'forget' to call the end routine.
- This required fixing some of the talloc hierarchies.
- The new krb5 seems more sensitive to getting the service name
right, so start actually setting the service name on the krb5 context.
Andrew Bartlett
(This used to be commit 278bf1a61a6da6ef955a12c13d7b1a0357cebf1f)
|
|
this will be used by krb5 dcerpc auth
metze
(This used to be commit 04dc7fb9b24a1e38f31559ec6032701a176209ae)
|
|
the backend what is actually in use
metze
(This used to be commit 6f3eb7bc03609108b9e0ea5676fca3d04140e737)
|
|
(This used to be commit b0f6e21481745d1b2ced28d9ed6f09f6ffd99562)
|
|
metze
(This used to be commit 6a7eee1d9917e0884072354dddae568645798da5)
|
|
- Re-disable tdbtool (it was building fine on my Debian box but other
machines were having problems)
(This used to be commit 0d7bb2c40b7a9ed59df3f8944133ea562697e814)
|
|
(This used to be commit 891e3097ee00d75f8f28efcccd8c15cd08b80e88)
|
|
Both subsystems and modules can now have init functions, which can be
specified in .mk files (INIT_FUNCTION = ...)
The build system will define :
- SUBSYSTEM_init_static_modules that calls the init functions of all statically compiled modules. Failing to load will generate an error which is not fatal
- BINARY_init_subsystems that calls the init functions (if defined) for the subsystems the binary depends on
This removes the hack with the "static bool Initialised = " and the
"lazy_init" functions
(This used to be commit 7a8244761bfdfdfb48f8264d76951ebdfbf7bd8a)
|
|
- tidied up some of the system includes
- moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl
knows about inter-IDL dependencies
(This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64)
|
|
were also gensec bugs that didn't turn up until we hit error paths in
the krb5 code.
Andrew Bartlett
(This used to be commit e08366ffeb52e8c522d3808a2af1aa0bc632b55f)
|
|
connection
metze
(This used to be commit 30aa8af04498d674dbcf428a9e62df9055f53ea2)
|
|
though to the sign/check_sig functions.
Andrew Bartlett
(This used to be commit 18367c4235cf16f3c2fee003153ec9b19b02aa9b)
|
|
- pass functions to the subcontext in spnego
metze
(This used to be commit d02fab41f8261095ca8f9a819e0c25bef41b5807)
|
|
library are closed on abnormal termination
- convert the service.h structures to the new talloc methods
(This used to be commit 2dc334a3284858eb1c7190f9687c9b6c879ecc9d)
|
|
by making our gensec structures a talloc child of the open connection
we can be sure that it will be destroyed when the connection is
dropped.
(This used to be commit f12ee2f241aab1549bc1d9ca4c35a35a1ca0d09d)
|
|
"gensec:ntlmssp=no" will disable ntlmssp.
(This used to be commit 66f88c7d89154155b27bf8b7839c580fb1cd1e7c)
|
|
metze
(This used to be commit 75c3108955bab44ffda308406bae153e3a92cedf)
|
|
but do not support SPNEGO (such as XP, when not joined to a domain).
This is triggered by the presense or lack of a security blob in the
negprot reply.
Andrew Bartlett
(This used to be commit 99f7a38c077725b22475f2ba68d0955114879c24)
|
|
This means that 'require NTLMv2 session security' now works for RPC
pipe signing. We don't yet have sealing, but it can't be much further.
This is almost all tridge's code, munged into a form that can work
with the GENSEC API.
This commit also includes more lsakey fixes - that key is used for all
DCE-RPC level authenticated connections, even over CIFS/ncacn_np.
No doubt I missed something, but I'm going to get some sleep :-)
Andrew Bartlett
(This used to be commit a1fe175eec884280fb7e9ca8f528134cf4600beb)
|
|
currently get it bougs, but anyway...
Andrew Bartlett
(This used to be commit 46864dd9d778c008c2f1a3a6701360d4ca64a664)
|
|
The bug (found by tridge) is that Win2k3 is being tighter about the
NTLMSSP flags. If we don't negotiate sealing, we can't use it.
We now have a way to indicate to the GENSEC implementation mechanisms
what things we want for a connection.
Andrew Bartlett
(This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)
|
|
metze
(This used to be commit 68f3e538265b59ec818917b914678485585795a6)
|
|
(Used in our SPNEGO code).
Andrew Bartlett
(This used to be commit c91d6b6f9b53e64069fd5860f677bc1b4c250f0c)
|
|
Andrew Bartlett
(This used to be commit 0e4e3647e848605416fe79c742ac84d84dc4357c)
|
|
- We can now connect to hosts that follow the SPNEGO RFC, and *do not*
give us their principal name in the mechListMIC.
- The client code now remembers the hostname it connects to
- We now kinit for a user, if there is not valid ticket already
- Re-introduce clock skew compensation
TODO:
- See if the username in the ccache matches the username specified
- Use a private ccache, rather then the global one, for a 'new' kinit
- Determine 'default' usernames.
- The default for Krb5 is the one in the ccache, then $USER
- For NTLMSSP, it's just $USER
Andrew Bartlett
(This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
|
|
our code
(This used to be commit ea5659b051f95402441e69ba4ce5aea1ed6f5c86)
|
|
(This used to be commit 69de0d95c585c1a73072e921884cbd427c160176)
|
|
- Infrustructure for kerberos
- Don't segfault on un-implemented backend functions
- Add comments.
Andrew Bartlett
(This used to be commit 1c31aa42710421917428d6ba86328ea5179751bd)
|
|
metze
(This used to be commit 264afea9ec3ada4df51e5f5de4c0b977024af40b)
|
|
- Add the concept of a 'subcontext' into gensec, so that the spengo
code doesn't have to figure out how to make one.
(A subcontext inherits the username, domain, password (or callback)
from the main context).
- Add comments to some other routines, and explain a bit about what
the various 'start' functions are for.
Andrew Bartlett
(This used to be commit 7aedbfbdd92b4ca93cbd0babff16e7526201ee88)
|
|
metze
(This used to be commit 38e00f87191b86901b603e66aec1e7e71f74c29f)
|
|
some gensec spnego fixes
(NULL pointer and length checks)
metze
(This used to be commit 41ff6d0cd47f6295fe7fe1d31fec7306416ce199)
|
|
This implements gensec for Samba's server side, and brings gensec up
to the standards of a full subsystem.
This means that use of the subsystem is by gensec_* functions, not
function pointers in structures (this is internal). This causes
changes in all the existing gensec users.
Our RPC server no longer contains it's own generalised security
scheme, and now calls gensec directly.
Gensec has also taken over the role of auth/auth_ntlmssp.c
An important part of gensec, is the output of the 'session_info'
struct. This is now reference counted, so that we can correctly free
it when a pipe is closed, no matter if it was inherited, or created by
per-pipe authentication.
The schannel code is reworked, to be in the same file for client and
server.
ntlm_auth is reworked to use gensec.
The major problem with this code is the way it relies on subsystem
auto-initialisation. The primary reason for this commit now.is to
allow these problems to be looked at, and fixed.
There are problems with the new code:
- I've tested it with smbtorture, but currently don't have VMware and
valgrind working (this I'll fix soon).
- The SPNEGO code is client-only at this point.
- We still do not do kerberos.
Andrew Bartlett
(This used to be commit 07fd885fd488fd1051eacc905a2d4962f8a018ec)
|
|
This layer is used for DCERPC security, as well as ntlm_auth at this
time. It expect things like SASL and the CIFS layer to use it as
well.
The particular purpose of this layer is to introduce SPENGO, which
needs generic access to the actual implementation mechanisms.
Schannel, due to it's 'interesting' setup properties is in GENSEC, but
is only in the RPC code.
Andrew Bartlett
(This used to be commit 902af49006fb8cfecaadd3cc0c10e2e542083fb1)
|
