summaryrefslogtreecommitdiff
path: root/source4/libcli/auth
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r5199: fix some minor configure bugsStefan Metzmacher1-1/+1
metze (This used to be commit 274ef2a206aa00b3155adc27f5b7e35d3fa52bf6)
2007-10-10r5136: fix typesStefan Metzmacher4-8/+8
metze (This used to be commit 344367cc4cdb232c394ce45ab64cc357cce4259f)
2007-10-10r5092: Add a bit more const - moving it further into the LDB layer.Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit ffad9b22be595279b247fa72d51145830fecbb06)
2007-10-10r5053: - fix up the library dependencies so that tools that need nbt don'tAndrew Tridgell2-1/+506
need to pull in the whole dcerpc subsystem - moved smbencrypt.c code into libcli/auth/ (This used to be commit 3351c636af23ad88649e84f4cb88fc1167d5c654)
2007-10-10r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for theAndrew Tridgell10-15/+15
large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
2007-10-10r4958: fix compiler warningsStefan Metzmacher1-2/+2
metze (This used to be commit 522af7ecc0020b7c56182ca628f6d1623abe303e)
2007-10-10r4893: Move to using secrets.ldb for the Kerberos verify, instead ofAndrew Bartlett1-12/+33
secrets.tdb from Samba3. Andrew Bartlett (This used to be commit 21bfda2a0d1c8373f8800269ed9b982e1b9a19e5)
2007-10-10r4890: Try to cope with mechanism mismatch in the client speaks first versionAndrew Bartlett1-7/+98
of the SPNEGO state-machine. (Such as on LDAP and HTTP) Andrew Bartlett (This used to be commit c1cae6b3b1efe109a09e449ed2e09983431eac7e)
2007-10-10r4692: Make the client SPNEGO code bail out in a couple more cases.Andrew Bartlett1-1/+4
Andrew Bartlett (This used to be commit a062ac122c402fb2cf31eb8e76f4077b1f33b8eb)
2007-10-10r4682: A LDB-based secrets implementation in Samba4.Andrew Bartlett1-21/+22
This uses LDB (a local secrets.ldb and the global samdb) to fill out the secrets from an LSA perspective. Some small changes to come, but the bulk of the work is now done. A re-provision is required after this change. Andrew Bartlett (This used to be commit ded33033521a6a1c7ea80758c5c5aeeebb182a51)
2007-10-10r4650: - make more use of bitmap and enum'sStefan Metzmacher2-2/+4
- move some structs out of misc.idl metze (This used to be commit b6543a6e3057b5588ec50a2ebf6c7c932209efe6)
2007-10-10r4641: Push a few more details into the schannel ldb, and into theAndrew Bartlett2-2/+9
credentials struct it maintains. Clearly much of this will be replaced with some system to pass and store the session_info, as that is the 'right way' to handle this. Andrew Bartlett (This used to be commit c6fcb33a887fbf0c0b42c3bc331df942a985128c)
2007-10-10r4635: Fix NTLMSSP to return NT_STATUS_OK when it has constructed the authAndrew Bartlett2-32/+34
token in the client (the final token in the negotiation). Consequential fixes in the SPNEGO code, which now uses the out.length as the indicator of 'I need to send something to the other side'. Merge the NTLM and SPNEGO DCE-RPC authentication routines in the client. Fix the RPC-MULTIBIND test consequent to this merge. Andrew Bartlett (This used to be commit 43e3516fc03008e97ebb4ad1a0cde464303f43c6)
2007-10-10r4620: - add interface functions to the auth subsystem so that callers ↵Stefan Metzmacher2-132/+83
doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847)
2007-10-10r4591: - converted the other _p talloc functions to not need _pAndrew Tridgell1-3/+3
- added #if TALLOC_DEPRECATED around the _p functions - fixes the code that broke from the above while doing this I fixed quite a number of places that were incorrectly using the non type-safe talloc functions to use the type safe ones. Some were even doing multiplies for array allocation, which is potentially unsafe. (This used to be commit 6e7754abd0c225527fb38363996a6e241b87b37e)
2007-10-10r4565: Make the order of the initialisation more sensible.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 5598cda08b46e61695b753e049288a0b498502c4)
2007-10-10r4549: got rid of a lot more uses of plain talloc(), instead usingAndrew Tridgell1-1/+1
talloc_size() or talloc_array_p() where appropriate. also fixed a memory leak in pvfs_copy_file() (failed to free a memory context) (This used to be commit 89b74b53546e1570b11b3702f40bee58aed8c503)
2007-10-10r4531: Include the OID locally, as it seems to be hard to get the includesAndrew Bartlett1-1/+5
right. Andrew Bartlett (This used to be commit a742ea1e1221058ae6a99e317fbf18c80bc49aed)
2007-10-10r4530: Start adding a bit of Doxygen compatible documentation comments to ↵Andrew Bartlett1-3/+23
GENSEC. Andrew Bartlett (This used to be commit c7acea9d5a097b51693f41de93274b857f7be0e3)
2007-10-10r4504: SettingAndrew Bartlett6-9/+10
.enabled = True on modules we know are good (and we want on be default) seems neater. Andrew Bartlett (This used to be commit 18850c66b7c8ac5e8caf08151dbb9b72cf93230f)
2007-10-10r4500: Allow GENSEC modules to be disabled by setting a flag on their moduleAndrew Bartlett4-3/+8
definition, not by hardcoded reference in loadparm.c Andrew Bartlett (This used to be commit 43558eaf7604d2bb0187e0d1ba0686935a965ad7)
2007-10-10r4499: Almost make our Samba4 server pass the RPC-SAMLOGON torture test.Andrew Bartlett1-3/+8
I just need to fix a couple of NTLMv2 issues before we can fully pass, and put this in test_rpc.sh, as a 'should pass' test. Andrew Bartlett (This used to be commit 4b52409e385366d87724bb79f4fad4803e8ecfec)
2007-10-10r4494: Allow gensec_gssapi to use the SPNEGO mech provided by Heimdal (off byAndrew Bartlett1-7/+44
default at this point), and include the GSSAPI OIDs in our source, per advice by lha that this is easier than getting the includes right. Andrew Bartlett (This used to be commit 9ff8b2b4d12d364084df5c95a752ce2a0546053d)
2007-10-10r4470: Try not to have GSSAPI built unless we detected krb5. We should splitAndrew Bartlett1-0/+2
these tests out a bit, but for now it's an indicator we can use. Andrew Bartlett (This used to be commit 2b0605dbaee18da4ebb676fc292b324d21805ef7)
2007-10-10r4460: Add a new GENSEC module: gensec_gssapiAndrew Bartlett3-6/+368
(disabled by default, set parametric option: gensec:gssapi=yes to enable). This module backs directly onto GSSAPI, and allows us to sign and seal GSSAPI/Krb5 connections in particular. This avoids me reinventing the entire GSSAPI wheel. Currently a lot of things are left as default - we will soon start specifiying OIDs as well as passwords (it uses the keytab only at the moment). Tested with our LDAP-* torture tests against Win2k3. My hope is to use this module to access the new SPNEGO implementation in Heimdal, to avoid having to standards-verify our own. Andrew Bartlett (This used to be commit 14b650c85db14a9bf97e24682b2643b63c51ff35)
2007-10-10r4459: GENSEC refinements:Andrew Bartlett5-11/+212
In developing a GSSAPI plugin for GENSEC, it became clear that the API needed to change: - GSSAPI exposes only a wrap() and unwrap() interface, and determines the location of the signature itself. - The 'have feature' API did not correctly function in the recursive SPNEGO environment. As such, NTLMSSP has been updated to support these methods. The LDAP client and server have been updated to use the new wrap() and unwrap() methods, and now pass the LDAP-* tests in our smbtorture. (Unfortunely I still get valgrind warnings, in the code that was previously unreachable). Andrew Bartlett (This used to be commit 9923c3bc1b5a6e93a5996aadb039bd229e888ac6)
2007-10-10r4446: attempt to fix the build - andrew, can you check I've done this right?Andrew Tridgell1-1/+1
(This used to be commit 9f0bf657aeee86d859742fb4da3a0f806e7060b6)
2007-10-10r4441: gensec_krb5 update:Andrew Bartlett1-6/+21
- Use more of the clikrb5.c wrapper calls - Don't use the session keytab if we kinit for the user. Andrew Bartlett (This used to be commit e15dbee00628475d5e1c1f329a7f9b199bc36360)
2007-10-10r4413: login failure doesn't warrant a level 1 debug (its filling my logs ↵Andrew Tridgell1-1/+1
during torture tests) (This used to be commit b9284c16dc37bf14fceeaa694e82f36a38b0dd93)
2007-10-10r4358: At metze's request, the Christmas elves have removed gensec_end inAndrew Bartlett2-33/+16
favor of talloc_free(). Andrew Bartlett (This used to be commit 1933cd12fbaed56e13f2386b19de6ade99bf9478)
2007-10-10r4357: Return a more sensible error code if a NULL (as opposed to the validAndrew Bartlett1-2/+3
"") username is asked for. Andrew Bartlett (This used to be commit 9c9055603e1171e204f67b019900339f88414841)
2007-10-10r4355: More work from the elves on Christmas eve:Andrew Bartlett10-211/+891
- Update Samba4's kerberos code to match the 'salting' changes in Samba3 (and many other cleanups by jra). - Move GENSEC into the modern era of talloc destructors. This avoids many of the memory leaks in this code, as we now can't somehow 'forget' to call the end routine. - This required fixing some of the talloc hierarchies. - The new krb5 seems more sensitive to getting the service name right, so start actually setting the service name on the krb5 context. Andrew Bartlett (This used to be commit 278bf1a61a6da6ef955a12c13d7b1a0357cebf1f)
2007-10-10r4338: reuse netlogon structs in the krb5 PACStefan Metzmacher1-105/+19
that simplifies the code a lot... also add a note: we should fail the krb5 auth if there's no PAC present (when heimdal is ready for that:-) metze (This used to be commit 532641a7003d23b034a253d166482f18c2de6191)
2007-10-10r4326: fix memory leakStefan Metzmacher1-1/+1
metze (This used to be commit 1ceeb77fc716729c69f2dba4a84579c366eefa1c)
2007-10-10r4325: add the GENSEC_FEATURE_DCE_STYLE flagStefan Metzmacher2-0/+2
this will be used by krb5 dcerpc auth metze (This used to be commit 04dc7fb9b24a1e38f31559ec6032701a176209ae)
2007-10-10r4151: added privilege attribute handling on samdb.Andrew Tridgell1-0/+7
pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2007-10-10r4147: converted from NT_USER_TOKEN to struct security_tokenAndrew Tridgell1-13/+16
this is mostly just a tidyup, but also adds the privilege_mask, which I will be using shortly in ACL checking. note that I had to move the definition of struct security_token out of security.idl as pidl doesn't yet handle arrays of pointers, and the usual workaround (to use a intermediate structure) would make things too cumbersome for this structure, especially given we never encode it to NDR. (This used to be commit 7b446af09b8050746bfc2c50e9d56aa94397cc1a)
2007-10-10r4079: implement the gensec_have_feature() correctly by askingStefan Metzmacher3-24/+41
the backend what is actually in use metze (This used to be commit 6f3eb7bc03609108b9e0ea5676fca3d04140e737)
2007-10-10r4077: don't add wrapping to empty blobsStefan Metzmacher1-1/+5
metze (This used to be commit e6d83d019dc46ff7ae32e7c8f9f7a3ab7d0cdcf3)
2007-10-10r4070: move some defines from asn_1.h to the places they belong toStefan Metzmacher7-14/+26
metze (This used to be commit ab2c2f27e1c61516e885f02bf26350f97209057a)
2007-10-10r4055: fixed more places to use type safe allocation macrosAndrew Tridgell2-3/+3
(This used to be commit eec698254f67365f27b4b7569fa982e22472aca1)
2007-10-10r4054: got rid of Realloc(), replacing it with the type safe macro realloc_p()Andrew Tridgell1-1/+3
(This used to be commit b0f6e21481745d1b2ced28d9ed6f09f6ffd99562)
2007-10-10r4045: readd krb5 support defaulted to disableStefan Metzmacher6-5/+17
use: gensec:krb5=yes gensec:ms_krb5=yes to enable it or -k on the client tools on the command line metze (This used to be commit 0ae5794cf44933d2554e0356baaca24c7a784f71)
2007-10-10r4044: only send supportedMech when we also send other dataStefan Metzmacher1-5/+8
metze (This used to be commit 1e0483a8482574fa0f8d7ad31cc4bf4a6155ec52)
2007-10-10r4037: fixed a bunch of "might be uninitialised" warnings after enabling -O1 ↵Andrew Tridgell1-0/+2
in my compile (This used to be commit 0928b1f5b68c858922c3ea6c27ed03b5091c6221)
2007-10-10r4001: fix segfault fix auth failedStefan Metzmacher1-0/+3
metze (This used to be commit 6a7eee1d9917e0884072354dddae568645798da5)
2007-10-10r4000: DATA_BLOB.data is uint8_t * not void * :-)Stefan Metzmacher1-1/+1
(thanks abartlet for telling me) metze (This used to be commit 2783bf393f6310f9d827538329d619dad5b02dd0)
2007-10-10r3971: fix compiler warningsStefan Metzmacher1-1/+1
metze (This used to be commit 234166606dc86b9e98226cff94b3869ec173671e)
2007-10-10r3967: fix compiler warningsStefan Metzmacher1-2/+2
metze (This used to be commit 3f2c3ce2f0d11ea9f3c058690e0bb14d590c714c)
2007-10-10r3960: fix compiler warningsStefan Metzmacher1-4/+4
metze (This used to be commit 54d5b418a75d421a9c6c09bc084454f11e9b7b44)