Age | Commit message (Collapse) | Author | Files | Lines |
|
signed or sealed.
This allows NTLM2 for SMB connections, and NTLMSSP over HTTP for example.
Andrew Bartlett
(This used to be commit e509451538eb5fac5a288e2c429d8481dbfb355f)
|
|
krb5_locate_kdc is (yet) an unused function in Samba4.
Guenther
(This used to be commit fe93f58dfe208ec814f1e75efde4ececa2b2cb5f)
|
|
Andrew Bartlett
(This used to be commit 2cbbf123d26081687a15eb7b82738e8187153ba4)
|
|
currently get it bougs, but anyway...
Andrew Bartlett
(This used to be commit 46864dd9d778c008c2f1a3a6701360d4ca64a664)
|
|
(This used to be commit e1575a72a10252fdb88778f14bf3c44a65d72c5e)
|
|
The bug (found by tridge) is that Win2k3 is being tighter about the
NTLMSSP flags. If we don't negotiate sealing, we can't use it.
We now have a way to indicate to the GENSEC implementation mechanisms
what things we want for a connection.
Andrew Bartlett
(This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)
|
|
now that talloc_free() doesn't need to take a context ptr, there is no
reason we can't use talloc everywhere that we currently use malloc().
(This used to be commit a2ad77fb3ac9638c5ef52494bf62083ec594b9f5)
|
|
metze
(This used to be commit 17268837d21c2199b87bd78c1f62b49a37b86df8)
|
|
(This used to be commit 7be7f25a57422fea3e763479629e18dc9a204aba)
|
|
metze
(This used to be commit fe655d047434422eae77486e5fd7fa51eb942677)
|
|
metze
(This used to be commit 5a3a10c004ee2c94c42f08d52b36c75b413bdb79)
|
|
metze
(This used to be commit 250485b69fbdd494bfd6c69bae94662e24fb0117)
|
|
there're some cleanups needed and we need to verify the PAC correctly
and create the auth_session_info correctly...
metze
(This used to be commit d8fe497097ee49611bb05c4a2fed36912d8e16b4)
|
|
Andrew Bartlett
(This used to be commit 0949b72645024a6810f447fe8acb643f98588ab3)
|
|
metze
(This used to be commit b8985892964e84ca09d611540811d5a50a31232e)
|
|
metze
(This used to be commit 68f3e538265b59ec818917b914678485585795a6)
|
|
is reworked).
Andrew Bartlett
(This used to be commit 73ee549b8c54e93556ff0105941996e0d4de8303)
|
|
(Used in our SPNEGO code).
Andrew Bartlett
(This used to be commit c91d6b6f9b53e64069fd5860f677bc1b4c250f0c)
|
|
Andrew Bartlett
(This used to be commit 0e4e3647e848605416fe79c742ac84d84dc4357c)
|
|
changes
- got rid of global_myname(), using lp_netbios_name() instead
(This used to be commit e8d4b390884e487163d81f66a5a7ac1de1305d9a)
|
|
allow tests for 'unwrapped' krb5, allowed by Win2k3.
SPENGO changes, trying to get the logic right (when and what
sub-mechanisms to wrap).
Andrew Bartlett
(This used to be commit 8a0f7bf5e282d021afe93994a91fd76fa9c05f42)
|
|
- This causes our client and server code to use the same core code,
with the same debugs etc.
- In turn, this will allow the 'mandetory/fallback' signing algorithms
to be shared, and only written once.
Updates to the SPNEGO code
- Don't wrap an empty token to the server, if we are actually already finished.
Andrew Bartlett
(This used to be commit 35b83eb329482ac1b3bc67285854cc47844ff353)
|
|
Rework our random number generation system.
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork().
For other systems, we now only re-seed after a fork, and on startup.
No need to do it per-operation. This removes the 'need_reseed'
parameter from generate_random_buffer().
This also requires that we start the secrets subsystem, as that is
where the reseed value is stored, for systems without /dev/urandom.
In order to aviod identical streams in forked children, the random
state is re-initialised after the fork(), at the same point were we do
that to the tdbs.
Andrew Bartlett
(This used to be commit b97d3cb2efd68310b1aea8a3ac40a64979c8cdae)
|
|
(fix compiler warning)
metze
(This used to be commit 65147f5aa2a56220a387876d990a546beb93a2d7)
|
|
Andrew Bartlett
(This used to be commit 30d88580efe45dc792f8d5c04f4abe0497d1551c)
|
|
- We can now connect to hosts that follow the SPNEGO RFC, and *do not*
give us their principal name in the mechListMIC.
- The client code now remembers the hostname it connects to
- We now kinit for a user, if there is not valid ticket already
- Re-introduce clock skew compensation
TODO:
- See if the username in the ccache matches the username specified
- Use a private ccache, rather then the global one, for a 'new' kinit
- Determine 'default' usernames.
- The default for Krb5 is the one in the ccache, then $USER
- For NTLMSSP, it's just $USER
Andrew Bartlett
(This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
|
|
add the kinit code
metze
(This used to be commit 9a876be76cee3983676d8c89549162b5c4eba8b0)
|
|
our code
(This used to be commit ea5659b051f95402441e69ba4ce5aea1ed6f5c86)
|
|
metze
(This used to be commit fc8d00b8ab28535da4ec0b7e6931bbf402a37013)
|
|
- Spelling - it's SPNEGO, not SPENGO
- SMB signing - Krb5 logins are now correctly signed
- SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not.
Andrew Bartlett
(This used to be commit cea578d6f39a2ea4a24e7a0064c95193ab6f6df7)
|
|
Andrew Bartlett
(This used to be commit 67ac9600664e93aa2fe9426127313b57ddaec2cf)
|
|
Andrew Bartlett
(This used to be commit 893a9a3865d7046d8b1cb0418aaf48b88beefa05)
|
|
(This used to be commit 7e9884799e4f450b9693b6e29d7490288ebc969e)
|
|
(This used to be commit eaa2940ba039f59e13d44c6e2dda919ed8e388f5)
|
|
(This used to be commit 69de0d95c585c1a73072e921884cbd427c160176)
|
|
Andrew Bartlett
(This used to be commit 1164be10af8e1b47824df391196ec37c395a4040)
|
|
Andrew Bartlett
(This used to be commit b97ea8a63f044d2c20781c876575978cc4725285)
|
|
Andrew Bartlett
(This used to be commit 310a570936c0d2d5af168aeca1b33206622d8355)
|
|
Andrew Bartlett
(This used to be commit 159c234589e8e148180217f9ef4853b3031877db)
|
|
The kerberos context is now tied in life to the GENSEC context.
Andrew Bartlett
(This used to be commit 64e99170c3b53a14d7f8d29cf78283f2bc22c1f7)
|
|
Andrew Bartlett
(This used to be commit 231e505dea9e9aca28eb336bcbcfb2b7b83c089c)
|
|
- Infrustructure for kerberos
- Don't segfault on un-implemented backend functions
- Add comments.
Andrew Bartlett
(This used to be commit 1c31aa42710421917428d6ba86328ea5179751bd)
|
|
easier to code, as it may return an 'ok' with an empty blob).
Andrew Bartlett
(This used to be commit e48557158ed99eee7d3ef8231c629bbd14cda9d3)
|
|
seperate char *, not a DATA_BLOB.
This allows us to tell if we were sent a string here, or a real MIC.
(This used to be commit 06b997c826e3ec00e0528da800e3eae0e3497a54)
|
|
The session key in the client is wrong, we don't do signing/sealing
and we are sending raw Kerberos, not GSSAPI.
But it's a start, and if we continue to have to call Krb5 directly,
this will be the basis.
I also intend to provide an alternate implementation, using just
GSSAPI.
Andrew Bartlett
(This used to be commit eb0dd4a821dc3dbe370aea9a9c9fb05cf2592e4d)
|
|
Andrew Bartlett
(This used to be commit c283837556109b9392a8cdcd867e5ae0dac1509b)
|
|
Andrew Bartlett
(This used to be commit c5a1529d54e6b8ec2bbf7017a2f48d7535f1f016)
|
|
add a view debug messages
metze
(This used to be commit 79953dccc1f21dbabddff73a4b6d862eace29eb9)
|
|
metze
(This used to be commit db19d6047c25698d0c3b7aeaab77b2a02385dbb5)
|
|
is used yet.
Andrew Bartlett
(This used to be commit 7596f311c9a18314716f64476030ce3dfcdd98bb)
|