Age | Commit message (Collapse) | Author | Files | Lines |
|
by making our gensec structures a talloc child of the open connection
we can be sure that it will be destroyed when the connection is
dropped.
(This used to be commit f12ee2f241aab1549bc1d9ca4c35a35a1ca0d09d)
|
|
This means that 'require NTLMv2 session security' now works for RPC
pipe signing. We don't yet have sealing, but it can't be much further.
This is almost all tridge's code, munged into a form that can work
with the GENSEC API.
This commit also includes more lsakey fixes - that key is used for all
DCE-RPC level authenticated connections, even over CIFS/ncacn_np.
No doubt I missed something, but I'm going to get some sleep :-)
Andrew Bartlett
(This used to be commit a1fe175eec884280fb7e9ca8f528134cf4600beb)
|
|
The bug (found by tridge) is that Win2k3 is being tighter about the
NTLMSSP flags. If we don't negotiate sealing, we can't use it.
We now have a way to indicate to the GENSEC implementation mechanisms
what things we want for a connection.
Andrew Bartlett
(This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)
|
|
(fix compiler warning)
metze
(This used to be commit 65147f5aa2a56220a387876d990a546beb93a2d7)
|
|
- We can now connect to hosts that follow the SPNEGO RFC, and *do not*
give us their principal name in the mechListMIC.
- The client code now remembers the hostname it connects to
- We now kinit for a user, if there is not valid ticket already
- Re-introduce clock skew compensation
TODO:
- See if the username in the ccache matches the username specified
- Use a private ccache, rather then the global one, for a 'new' kinit
- Determine 'default' usernames.
- The default for Krb5 is the one in the ccache, then $USER
- For NTLMSSP, it's just $USER
Andrew Bartlett
(This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
|
|
- Infrustructure for kerberos
- Don't segfault on un-implemented backend functions
- Add comments.
Andrew Bartlett
(This used to be commit 1c31aa42710421917428d6ba86328ea5179751bd)
|
|
- Add the concept of a 'subcontext' into gensec, so that the spengo
code doesn't have to figure out how to make one.
(A subcontext inherits the username, domain, password (or callback)
from the main context).
- Add comments to some other routines, and explain a bit about what
the various 'start' functions are for.
Andrew Bartlett
(This used to be commit 7aedbfbdd92b4ca93cbd0babff16e7526201ee88)
|
|
This implements gensec for Samba's server side, and brings gensec up
to the standards of a full subsystem.
This means that use of the subsystem is by gensec_* functions, not
function pointers in structures (this is internal). This causes
changes in all the existing gensec users.
Our RPC server no longer contains it's own generalised security
scheme, and now calls gensec directly.
Gensec has also taken over the role of auth/auth_ntlmssp.c
An important part of gensec, is the output of the 'session_info'
struct. This is now reference counted, so that we can correctly free
it when a pipe is closed, no matter if it was inherited, or created by
per-pipe authentication.
The schannel code is reworked, to be in the same file for client and
server.
ntlm_auth is reworked to use gensec.
The major problem with this code is the way it relies on subsystem
auto-initialisation. The primary reason for this commit now.is to
allow these problems to be looked at, and fixed.
There are problems with the new code:
- I've tested it with smbtorture, but currently don't have VMware and
valgrind working (this I'll fix soon).
- The SPNEGO code is client-only at this point.
- We still do not do kerberos.
Andrew Bartlett
(This used to be commit 07fd885fd488fd1051eacc905a2d4962f8a018ec)
|
|
This layer is used for DCERPC security, as well as ntlm_auth at this
time. It expect things like SASL and the CIFS layer to use it as
well.
The particular purpose of this layer is to introduce SPENGO, which
needs generic access to the actual implementation mechanisms.
Schannel, due to it's 'interesting' setup properties is in GENSEC, but
is only in the RPC code.
Andrew Bartlett
(This used to be commit 902af49006fb8cfecaadd3cc0c10e2e542083fb1)
|