summaryrefslogtreecommitdiff
path: root/source4/libcli/auth/gensec_krb5.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r4459: GENSEC refinements:Andrew Bartlett1-0/+12
In developing a GSSAPI plugin for GENSEC, it became clear that the API needed to change: - GSSAPI exposes only a wrap() and unwrap() interface, and determines the location of the signature itself. - The 'have feature' API did not correctly function in the recursive SPNEGO environment. As such, NTLMSSP has been updated to support these methods. The LDAP client and server have been updated to use the new wrap() and unwrap() methods, and now pass the LDAP-* tests in our smbtorture. (Unfortunely I still get valgrind warnings, in the code that was previously unreachable). Andrew Bartlett (This used to be commit 9923c3bc1b5a6e93a5996aadb039bd229e888ac6)
2007-10-10r4446: attempt to fix the build - andrew, can you check I've done this right?Andrew Tridgell1-1/+1
(This used to be commit 9f0bf657aeee86d859742fb4da3a0f806e7060b6)
2007-10-10r4441: gensec_krb5 update:Andrew Bartlett1-6/+21
- Use more of the clikrb5.c wrapper calls - Don't use the session keytab if we kinit for the user. Andrew Bartlett (This used to be commit e15dbee00628475d5e1c1f329a7f9b199bc36360)
2007-10-10r4355: More work from the elves on Christmas eve:Andrew Bartlett1-14/+15
- Update Samba4's kerberos code to match the 'salting' changes in Samba3 (and many other cleanups by jra). - Move GENSEC into the modern era of talloc destructors. This avoids many of the memory leaks in this code, as we now can't somehow 'forget' to call the end routine. - This required fixing some of the talloc hierarchies. - The new krb5 seems more sensitive to getting the service name right, so start actually setting the service name on the krb5 context. Andrew Bartlett (This used to be commit 278bf1a61a6da6ef955a12c13d7b1a0357cebf1f)
2007-10-10r4338: reuse netlogon structs in the krb5 PACStefan Metzmacher1-105/+19
that simplifies the code a lot... also add a note: we should fail the krb5 auth if there's no PAC present (when heimdal is ready for that:-) metze (This used to be commit 532641a7003d23b034a253d166482f18c2de6191)
2007-10-10r4151: added privilege attribute handling on samdb.Andrew Tridgell1-0/+7
pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2007-10-10r4147: converted from NT_USER_TOKEN to struct security_tokenAndrew Tridgell1-13/+16
this is mostly just a tidyup, but also adds the privilege_mask, which I will be using shortly in ACL checking. note that I had to move the definition of struct security_token out of security.idl as pidl doesn't yet handle arrays of pointers, and the usual workaround (to use a intermediate structure) would make things too cumbersome for this structure, especially given we never encode it to NDR. (This used to be commit 7b446af09b8050746bfc2c50e9d56aa94397cc1a)
2007-10-10r4070: move some defines from asn_1.h to the places they belong toStefan Metzmacher1-3/+2
metze (This used to be commit ab2c2f27e1c61516e885f02bf26350f97209057a)
2007-10-10r4045: readd krb5 support defaulted to disableStefan Metzmacher1-2/+10
use: gensec:krb5=yes gensec:ms_krb5=yes to enable it or -k on the client tools on the command line metze (This used to be commit 0ae5794cf44933d2554e0356baaca24c7a784f71)
2007-10-10r3739: Remove a bunch of unused m4 macrosJelmer Vernooij1-2/+2
(This used to be commit 2a38b77a1d8674b46028214896e37747c4082f13)
2007-10-10r3609: Lets spew out a few less error messages for tridge, and hope to getAndrew Bartlett1-9/+2
krb5 going on recent heimdal installs. Andrew Bartlett (This used to be commit a758725407df0c87922a15aa32cc841bc4c059a2)
2007-10-10r3572: Thanks to tridge for his patience with my build breakage.Andrew Bartlett1-2/+0
This concludes the proper fixes. Andrew Bartlett (This used to be commit c1d025793f2994c8f1cab304c3394ab186654071)
2007-10-10r3571: rough guesses at what abartlet really wanted to do in his last commitAndrew Tridgell1-0/+2
(which I suspect was missing some pieces) this at least fixes the build so i can keep going on pvfs. Please review/fix Andrew. (This used to be commit bffd18d09df04c1e492ef12f744ff4b6c561d53c)
2007-10-10r3565: Move PAC parsing into the session_info generation, and out of theAndrew Bartlett1-16/+41
basic krb5 request path. The idea is that we should not do the extra work, if we are not going to use the results. Andrew Bartlett (This used to be commit 13a2a9e326c027d76d27ecd08fb9863fe881bf30)
2007-10-10r3519: Include time headers to fix the build.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit d13e2aa89e72c63e552f1b24547abe6fc319ee61)
2007-10-10r3463: separated out some more headers (asn_1.h, messages.h, dlinklist.h and ↵Andrew Tridgell1-0/+1
ioctl.h) (This used to be commit b97e395c814762024336c1cf4d7c25be8da5813a)
2007-10-10r3453: - split out the auth and popt includesAndrew Tridgell1-0/+1
- tidied up some of the system includes - moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl knows about inter-IDL dependencies (This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64)
2007-10-10r3443: the next stage in the include files re-organisation.Andrew Tridgell1-0/+2
I have created the include/system/ directory, which will contain the wrappers for the system includes for logical subsystems. So far I have created include/system/kerberos.h and include/system/network.h, which contain all the system includes for kerberos code and networking code. These are the included in subsystems that need kerberos or networking respectively. Note that this method avoids the mess of #ifdef HAVE_XXX_H in every C file, instead each C module includes the include/system/XXX.h file for the logical system support it needs, and the details are kept isolated in include/system/ This patch also creates a "struct ipv4_addr" which replaces "struct in_addr" in our code. That avoids every C file needing to import all the system networking headers. (This used to be commit 2e25c71853f8996f73755277e448e7d670810349)
2007-10-10r3428: switched to using minimal includes for the auto-generated RPC code.Andrew Tridgell1-0/+1
The thing that finally convinced me that minimal includes was worth pursuing for rpc was a compiler (tcc) that failed to build Samba due to reaching internal limits of the size of include files. Also the fact that includes.h.gch was 16MB, which really seems excessive. This patch brings it back to 12M, which is still too large, but better. Note that this patch speeds up compile times for both the pch and non-pch case. This change also includes the addition iof a "depends()" option in our IDL files, allowing you to specify that one IDL file depends on another. This capability was needed for the auto-includes generation. (This used to be commit b8f5fa8ac8e8725f3d321004f0aedf4246fc6b49)
2007-10-10r3365: Fill in the user and primary group SIDs into the 'server info' beforeAndrew Bartlett1-8/+11
the session info. Andrew Bartlett (This used to be commit 5db5c30ebedca1fee8924a9416bcb94ed13af372)
2007-10-10r3190: When we don't have a PAC, do a lookup in the local ldb instead.Andrew Bartlett1-25/+55
This required reworking the auth_sam code, so that it would export the 'name -> server_info' functionality. It's a bit ugly from a modular point of view, but it's what we have to do... Fix up some of the code to better use the new talloc() Andrew Bartlett (This used to be commit 18e08b4497ebabc2f31210254e145458b7c6a198)
2007-10-10r3115: Bugfixes and extra debug in our kerberos verify code.Andrew Bartlett1-8/+7
Andrew Bartlett (This used to be commit 9f19aae0c0812b156054385ef77785971488e21c)
2007-10-10r3110: Fix the krb5 client and server, so that it doesn't segfault. ThereAndrew Bartlett1-33/+37
were also gensec bugs that didn't turn up until we hit error paths in the krb5 code. Andrew Bartlett (This used to be commit e08366ffeb52e8c522d3808a2af1aa0bc632b55f)
2007-10-10r2650: fixed a memory leak in make_server_info()Andrew Tridgell1-1/+1
(This used to be commit 4aba6e7101041100f7d400abd5e7144b95528fc3)
2007-10-10r2645: converted the NTLMSSP code to the new style of tallocAndrew Tridgell1-15/+6
(This used to be commit b378aae95d4001c4cf4e6e59ed80ee1bd55382ee)
2007-10-10r2643: convert more of the auth subsyystem to the new talloc methods. ThisAndrew Tridgell1-9/+9
also fixes a memory leak found with --leak-check. (This used to be commit f19201ea274f0a542314c61c4af676197bf154ad)
2007-10-10r2629: convert gensec to the new talloc modelAndrew Tridgell1-2/+2
by making our gensec structures a talloc child of the open connection we can be sure that it will be destroyed when the connection is dropped. (This used to be commit f12ee2f241aab1549bc1d9ca4c35a35a1ca0d09d)
2007-10-10r2385: the gensec:krb5 test is not needed here any more, as we do it in the ↵Andrew Tridgell1-4/+0
registration code (This used to be commit bcf9d787d6bced4c4482fa3e51ccea258563d89e)
2007-10-10r2376: added a way to disable krb5 on the command line. Just useAndrew Tridgell1-0/+5
--option 'gensec:krb5=no' or put "gensec:krb5 = no" in smb.conf Given the frustration I've had with kerberos I was very tempted to name this option --nfk, but resisted the temptation (This used to be commit 2d710a5eb5b36e46fa8f652305fa9ab2e09e02f3)
2007-10-10r2290: Fix 'lsakey' for the server-side, it is static forAndrew Bartlett1-4/+2
'authenticated' connections. Fix kerberos session key issues - we need to call the routine for extracting the session key, not just read the cache. Andrew Bartlett (This used to be commit b80d849b6b586869fc7d3d4153db1a316f2867a9)
2007-10-10r2286: Fixes towards krb5 logins into Samba's CIFS server.Andrew Bartlett1-79/+85
These fixes aim particularly at allowing PAC-less logins, as I don't yet generate a PAC in the lorikeet-heimdal KDC. This is for the benifit of a Kerbeors-enabled domain join, which seems to be progressing quite well! Andrew Bartlett (This used to be commit f5a381094dd5bcbd795a134bc4b8b89901b5e3eb)
2007-10-10r2054: Fix compile warnings/build failures on non-gcc.Andrew Bartlett1-1/+2
Andrew Bartlett (This used to be commit 2cbbf123d26081687a15eb7b82738e8187153ba4)
2007-10-10r1794: fix the build MIT krb5Stefan Metzmacher1-2/+4
metze (This used to be commit fe655d047434422eae77486e5fd7fa51eb942677)
2007-10-10r1790: a few updates on krb5 PAC...Stefan Metzmacher1-10/+30
metze (This used to be commit 5a3a10c004ee2c94c42f08d52b36c75b413bdb79)
2007-10-10r1784: a few minor changes and debug the decoded PAC_DATAStefan Metzmacher1-8/+10
metze (This used to be commit 250485b69fbdd494bfd6c69bae94662e24fb0117)
2007-10-10r1770: here's the krb5 server code,Stefan Metzmacher1-7/+257
there're some cleanups needed and we need to verify the PAC correctly and create the auth_session_info correctly... metze (This used to be commit d8fe497097ee49611bb05c4a2fed36912d8e16b4)
2007-10-10r1605: GENSEC krb5 updates - fix a valgrind found uninitialised variable, andAndrew Bartlett1-2/+6
allow tests for 'unwrapped' krb5, allowed by Win2k3. SPENGO changes, trying to get the logic right (when and what sub-mechanisms to wrap). Andrew Bartlett (This used to be commit 8a0f7bf5e282d021afe93994a91fd76fa9c05f42)
2007-10-10r1521: Updates to our SMB signing code.Andrew Bartlett1-1/+3
- This causes our client and server code to use the same core code, with the same debugs etc. - In turn, this will allow the 'mandetory/fallback' signing algorithms to be shared, and only written once. Updates to the SPNEGO code - Don't wrap an empty token to the server, if we are actually already finished. Andrew Bartlett (This used to be commit 35b83eb329482ac1b3bc67285854cc47844ff353)
2007-10-10r1476: Don't print messages about the CCACHE not being found - this is normal.Andrew Bartlett1-2/+6
Andrew Bartlett (This used to be commit 30d88580efe45dc792f8d5c04f4abe0497d1551c)
2007-10-10r1475: More kerberos workAndrew Bartlett1-19/+95
- We can now connect to hosts that follow the SPNEGO RFC, and *do not* give us their principal name in the mechListMIC. - The client code now remembers the hostname it connects to - We now kinit for a user, if there is not valid ticket already - Re-introduce clock skew compensation TODO: - See if the username in the ccache matches the username specified - Use a private ccache, rather then the global one, for a 'new' kinit - Determine 'default' usernames. - The default for Krb5 is the one in the ccache, then $USER - For NTLMSSP, it's just $USER Andrew Bartlett (This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
2007-10-10r1462: GENSEC Kerberos and SPENGO work:Andrew Bartlett1-6/+7
- Spelling - it's SPNEGO, not SPENGO - SMB signing - Krb5 logins are now correctly signed - SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not. Andrew Bartlett (This used to be commit cea578d6f39a2ea4a24e7a0064c95193ab6f6df7)
2007-10-10r1457: Add the GSSAPI layer to our gensec_krb5 code.Andrew Bartlett1-33/+54
Andrew Bartlett (This used to be commit 893a9a3865d7046d8b1cb0418aaf48b88beefa05)
2007-10-10r1437: Intermediate commit of krb5 for GENSEC.Andrew Bartlett1-0/+351
The session key in the client is wrong, we don't do signing/sealing and we are sending raw Kerberos, not GSSAPI. But it's a start, and if we continue to have to call Krb5 directly, this will be the basis. I also intend to provide an alternate implementation, using just GSSAPI. Andrew Bartlett (This used to be commit eb0dd4a821dc3dbe370aea9a9c9fb05cf2592e4d)