summaryrefslogtreecommitdiff
path: root/source4/libcli/auth/gensec.h
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r4504: SettingAndrew Bartlett1-1/+1
.enabled = True on modules we know are good (and we want on be default) seems neater. Andrew Bartlett (This used to be commit 18850c66b7c8ac5e8caf08151dbb9b72cf93230f)
2007-10-10r4500: Allow GENSEC modules to be disabled by setting a flag on their moduleAndrew Bartlett1-0/+1
definition, not by hardcoded reference in loadparm.c Andrew Bartlett (This used to be commit 43558eaf7604d2bb0187e0d1ba0686935a965ad7)
2007-10-10r4459: GENSEC refinements:Andrew Bartlett1-1/+10
In developing a GSSAPI plugin for GENSEC, it became clear that the API needed to change: - GSSAPI exposes only a wrap() and unwrap() interface, and determines the location of the signature itself. - The 'have feature' API did not correctly function in the recursive SPNEGO environment. As such, NTLMSSP has been updated to support these methods. The LDAP client and server have been updated to use the new wrap() and unwrap() methods, and now pass the LDAP-* tests in our smbtorture. (Unfortunely I still get valgrind warnings, in the code that was previously unreachable). Andrew Bartlett (This used to be commit 9923c3bc1b5a6e93a5996aadb039bd229e888ac6)
2007-10-10r4355: More work from the elves on Christmas eve:Andrew Bartlett1-1/+0
- Update Samba4's kerberos code to match the 'salting' changes in Samba3 (and many other cleanups by jra). - Move GENSEC into the modern era of talloc destructors. This avoids many of the memory leaks in this code, as we now can't somehow 'forget' to call the end routine. - This required fixing some of the talloc hierarchies. - The new krb5 seems more sensitive to getting the service name right, so start actually setting the service name on the krb5 context. Andrew Bartlett (This used to be commit 278bf1a61a6da6ef955a12c13d7b1a0357cebf1f)
2007-10-10r4325: add the GENSEC_FEATURE_DCE_STYLE flagStefan Metzmacher1-0/+1
this will be used by krb5 dcerpc auth metze (This used to be commit 04dc7fb9b24a1e38f31559ec6032701a176209ae)
2007-10-10r4079: implement the gensec_have_feature() correctly by askingStefan Metzmacher1-3/+4
the backend what is actually in use metze (This used to be commit 6f3eb7bc03609108b9e0ea5676fca3d04140e737)
2007-10-10r4070: move some defines from asn_1.h to the places they belong toStefan Metzmacher1-0/+5
metze (This used to be commit ab2c2f27e1c61516e885f02bf26350f97209057a)
2007-10-10r3686: The results of some work on the NETLOGON pipe:Andrew Bartlett1-1/+0
Break out the samsync tests from RPC-NETLOGON into a new RPC-SAMSYNC, that will cross-verify all the values. Add support for the way netlogon credentials are shared between the pipe that sets up schannel and the pipe that is encrypted with it. Test this support, by calling both NETLOGON and SAMR operations in the RPC-SCHANNEL test. Move some of the Netlogon NEG flags into the .idl, now we have an idea what a few of them really are. Rename the sam_pwd_hash into a name that has meaning (all other crypto functions were renamed in Samba4 ages ago). Break out NTLMv2 functionality for operation on the NT hash - I intend to do NTLMv2 logins in the samsync test in future, and naturally I only have the hash. Andrew Bartlett (This used to be commit 6e6cc6fb9842113a1b0c7f6904dac709b320a6e5)
2007-10-10r3453: - split out the auth and popt includesAndrew Tridgell1-3/+0
- tidied up some of the system includes - moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl knows about inter-IDL dependencies (This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64)
2007-10-10r3390: fixed schannel server side support. RPC-SCHANNEL now works against ↵Andrew Tridgell1-1/+2
Samba4. (This used to be commit 01f5c1c72d9fc8f21029adc586154b0c54f76c9e)
2007-10-10r2629: convert gensec to the new talloc modelAndrew Tridgell1-1/+0
by making our gensec structures a talloc child of the open connection we can be sure that it will be destroyed when the connection is dropped. (This used to be commit f12ee2f241aab1549bc1d9ca4c35a35a1ca0d09d)
2007-10-10r2284: Thanks to some great detective work by tridge, NTLM2 signing now works.Andrew Bartlett1-4/+13
This means that 'require NTLMv2 session security' now works for RPC pipe signing. We don't yet have sealing, but it can't be much further. This is almost all tridge's code, munged into a form that can work with the GENSEC API. This commit also includes more lsakey fixes - that key is used for all DCE-RPC level authenticated connections, even over CIFS/ncacn_np. No doubt I missed something, but I'm going to get some sleep :-) Andrew Bartlett (This used to be commit a1fe175eec884280fb7e9ca8f528134cf4600beb)
2007-10-10r2041: Fix NTLMSSP RPC sealing, client -> win2k3 server.Andrew Bartlett1-1/+5
The bug (found by tridge) is that Win2k3 is being tighter about the NTLMSSP flags. If we don't negotiate sealing, we can't use it. We now have a way to indicate to the GENSEC implementation mechanisms what things we want for a connection. Andrew Bartlett (This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)
2007-10-10r1497: add forward declaration for struct auth_session_infoStefan Metzmacher1-0/+2
(fix compiler warning) metze (This used to be commit 65147f5aa2a56220a387876d990a546beb93a2d7)
2007-10-10r1475: More kerberos workAndrew Bartlett1-0/+2
- We can now connect to hosts that follow the SPNEGO RFC, and *do not* give us their principal name in the mechListMIC. - The client code now remembers the hostname it connects to - We now kinit for a user, if there is not valid ticket already - Re-introduce clock skew compensation TODO: - See if the username in the ccache matches the username specified - Use a private ccache, rather then the global one, for a 'new' kinit - Determine 'default' usernames. - The default for Krb5 is the one in the ccache, then $USER - For NTLMSSP, it's just $USER Andrew Bartlett (This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
2007-10-10r1440: GENSEC improvements:Andrew Bartlett1-0/+9
- Infrustructure for kerberos - Don't segfault on un-implemented backend functions - Add comments. Andrew Bartlett (This used to be commit 1c31aa42710421917428d6ba86328ea5179751bd)
2007-10-10r1357: Work on GENSEC:Andrew Bartlett1-0/+1
- Add the concept of a 'subcontext' into gensec, so that the spengo code doesn't have to figure out how to make one. (A subcontext inherits the username, domain, password (or callback) from the main context). - Add comments to some other routines, and explain a bit about what the various 'start' functions are for. Andrew Bartlett (This used to be commit 7aedbfbdd92b4ca93cbd0babff16e7526201ee88)
2007-10-10r1294: A nice, large, commit...Andrew Bartlett1-9/+30
This implements gensec for Samba's server side, and brings gensec up to the standards of a full subsystem. This means that use of the subsystem is by gensec_* functions, not function pointers in structures (this is internal). This causes changes in all the existing gensec users. Our RPC server no longer contains it's own generalised security scheme, and now calls gensec directly. Gensec has also taken over the role of auth/auth_ntlmssp.c An important part of gensec, is the output of the 'session_info' struct. This is now reference counted, so that we can correctly free it when a pipe is closed, no matter if it was inherited, or created by per-pipe authentication. The schannel code is reworked, to be in the same file for client and server. ntlm_auth is reworked to use gensec. The major problem with this code is the way it relies on subsystem auto-initialisation. The primary reason for this commit now.is to allow these problems to be looked at, and fixed. There are problems with the new code: - I've tested it with smbtorture, but currently don't have VMware and valgrind working (this I'll fix soon). - The SPNEGO code is client-only at this point. - We still do not do kerberos. Andrew Bartlett (This used to be commit 07fd885fd488fd1051eacc905a2d4962f8a018ec)
2007-10-10r1200: Add 'gensec', our generic security layer.Andrew Bartlett1-0/+64
This layer is used for DCERPC security, as well as ntlm_auth at this time. It expect things like SASL and the CIFS layer to use it as well. The particular purpose of this layer is to introduce SPENGO, which needs generic access to the actual implementation mechanisms. Schannel, due to it's 'interesting' setup properties is in GENSEC, but is only in the RPC code. Andrew Bartlett (This used to be commit 902af49006fb8cfecaadd3cc0c10e2e542083fb1)