Age | Commit message (Collapse) | Author | Files | Lines |
|
- Infrustructure for kerberos
- Don't segfault on un-implemented backend functions
- Add comments.
Andrew Bartlett
(This used to be commit 1c31aa42710421917428d6ba86328ea5179751bd)
|
|
easier to code, as it may return an 'ok' with an empty blob).
Andrew Bartlett
(This used to be commit e48557158ed99eee7d3ef8231c629bbd14cda9d3)
|
|
seperate char *, not a DATA_BLOB.
This allows us to tell if we were sent a string here, or a real MIC.
(This used to be commit 06b997c826e3ec00e0528da800e3eae0e3497a54)
|
|
The session key in the client is wrong, we don't do signing/sealing
and we are sending raw Kerberos, not GSSAPI.
But it's a start, and if we continue to have to call Krb5 directly,
this will be the basis.
I also intend to provide an alternate implementation, using just
GSSAPI.
Andrew Bartlett
(This used to be commit eb0dd4a821dc3dbe370aea9a9c9fb05cf2592e4d)
|
|
Andrew Bartlett
(This used to be commit 2de3a3082344fd292b1084a73a332549d6b2e25d)
|
|
metze
(This used to be commit ae2e6b58629397d75a3e446ff0c50b594d029206)
|
|
Andrew Bartlett
(This used to be commit c283837556109b9392a8cdcd867e5ae0dac1509b)
|
|
Andrew Bartlett
(This used to be commit c5a1529d54e6b8ec2bbf7017a2f48d7535f1f016)
|
|
add a view debug messages
metze
(This used to be commit 79953dccc1f21dbabddff73a4b6d862eace29eb9)
|
|
metze
(This used to be commit db19d6047c25698d0c3b7aeaab77b2a02385dbb5)
|
|
is used yet.
Andrew Bartlett
(This used to be commit 7596f311c9a18314716f64476030ce3dfcdd98bb)
|
|
the capabilities in the union smb_sesssetup should be used to decide
if we can use extented security
metze
(This used to be commit e3760fcc17cc645d942f0fc7f7325976391309ea)
|
|
so I set 'use spnego = True'
metze
(This used to be commit e06898f88c82c286574f9d73de1a9de829b1ded8)
|
|
some compiler warnings that allowed us to see.
Andrew Bartlett
(This used to be commit 1a6c2018dd49519e6fccdd5a7f35d70b67d45275)
|
|
metze
(This used to be commit f7379324025c599cd201ce6d0905f0ca2c24ce73)
|
|
getting something from the server.
(this is needed by SPNEGO in dcerpc)
metze
(This used to be commit ec978555f0bd612b80dfa49ccc880a3858285879)
|
|
because the client don't send this
metze
(This used to be commit b1217a4ef6592082bb02fd0596a0563bacdf1d8e)
|
|
the client checks but not send spnego_negResult
metze
(This used to be commit 49e4d375e9504f595aaa64ac62ddb421f082c424)
|
|
this should indicate that we don't send a spnego_negResult t all over the wire
metze
(This used to be commit 69d685d81784e5fb33e41d3244498ac620a2f5f0)
|
|
- remove unsed gensec_user forward, it's done by the gensec layer know
metze
(This used to be commit e19e5a91f2fd988546f42473bf241dff3c2fe198)
|
|
metze
(This used to be commit 264afea9ec3ada4df51e5f5de4c0b977024af40b)
|
|
switch, rather than a series of if statements.
Also start to use the GENSEC subcontexts, and add some comments
explaining some of the 'odd' logic in parts.
I'll probably break these out into subfunctions soon.
Thanks to metze for getting me to do this :-)
Andrew Bartlett
(This used to be commit 73e03596d3b2ad5927e8154d0fbfbdae9ec3f717)
|
|
- Add the concept of a 'subcontext' into gensec, so that the spengo
code doesn't have to figure out how to make one.
(A subcontext inherits the username, domain, password (or callback)
from the main context).
- Add comments to some other routines, and explain a bit about what
the various 'start' functions are for.
Andrew Bartlett
(This used to be commit 7aedbfbdd92b4ca93cbd0babff16e7526201ee88)
|
|
Andrew Bartlett
(This used to be commit 9039a2a1128d8af278cae76c0aa6d5362b3671e4)
|
|
various switches without looking one byte past te end of the buffer.
(This used to be commit 5bce188d429b4166f3d0314922ae40204de182a7)
|
|
- set auth_type = DCERPC_AUTH_TYPE_SPNEGO
metze
(This used to be commit 7354521f3cfaa2ead8fac38a68b7704d43731f72)
|
|
metze
(This used to be commit a826accd55e90cb0628f198886ba1ae6c845e68b)
|
|
metze
(This used to be commit 38e00f87191b86901b603e66aec1e7e71f74c29f)
|
|
- pass down gensec_user to the sub context
- if segfault when mechType is NULL
metze
(This used to be commit 3f84263c27add3bf01eea88618f707da925bed5c)
|
|
metze
(This used to be commit 7b8237bfb3c302a448a7db0236c0a953603dcd89)
|
|
code
set lp_use_spnego = False, because I can't get it working yet
but I commit it so others can help me
metze
(This used to be commit 2445cceba9ab9bd928c8bc50927a39509e4526b0)
|
|
some gensec spnego fixes
(NULL pointer and length checks)
metze
(This used to be commit 41ff6d0cd47f6295fe7fe1d31fec7306416ce199)
|
|
of SIDs
w2k3 can handle in a single request. With the samba3 client rpc libs I can do
about 21000 SIDs in a single request. test_many_LookupSIDs with 10000 SIDs
fails on the subsequent request with a NET_WRITE_FAULT. Maybe the Samba4 DCE
people want to take a look at this -- I don't see the problem.
Bug fix: SID components should be treated as unsigned when parsing
Volker
(This used to be commit 8c997a2ad2e89a640f854b556ef76a3d52c15963)
|
|
This implements gensec for Samba's server side, and brings gensec up
to the standards of a full subsystem.
This means that use of the subsystem is by gensec_* functions, not
function pointers in structures (this is internal). This causes
changes in all the existing gensec users.
Our RPC server no longer contains it's own generalised security
scheme, and now calls gensec directly.
Gensec has also taken over the role of auth/auth_ntlmssp.c
An important part of gensec, is the output of the 'session_info'
struct. This is now reference counted, so that we can correctly free
it when a pipe is closed, no matter if it was inherited, or created by
per-pipe authentication.
The schannel code is reworked, to be in the same file for client and
server.
ntlm_auth is reworked to use gensec.
The major problem with this code is the way it relies on subsystem
auto-initialisation. The primary reason for this commit now.is to
allow these problems to be looked at, and fixed.
There are problems with the new code:
- I've tested it with smbtorture, but currently don't have VMware and
valgrind working (this I'll fix soon).
- The SPNEGO code is client-only at this point.
- We still do not do kerberos.
Andrew Bartlett
(This used to be commit 07fd885fd488fd1051eacc905a2d4962f8a018ec)
|
|
metze
(This used to be commit 52e2d038252bd745d53c687d266ad3ad62efa6fc)
|
|
(This used to be commit de5984c95602ca67e8ac3139c3aa4330b74266e0)
|
|
ndr_<push|pull>_format_blob()
simular to ndr_<push|pull>_struct_blob()
metze
(This used to be commit b25dd341e0febd550a2936ca484b6fecce2ff8c2)
|
|
rename <read|write|free>_spnego_data() into
spnego_<read|write|free>_data
metze
(This used to be commit 3f57c8f596eb6ad31a024acaf60fefcfd28d8387)
|
|
This layer is used for DCERPC security, as well as ntlm_auth at this
time. It expect things like SASL and the CIFS layer to use it as
well.
The particular purpose of this layer is to introduce SPENGO, which
needs generic access to the actual implementation mechanisms.
Schannel, due to it's 'interesting' setup properties is in GENSEC, but
is only in the RPC code.
Andrew Bartlett
(This used to be commit 902af49006fb8cfecaadd3cc0c10e2e542083fb1)
|
|
I have moved the SPNEGO and Kerberos code into libcli/auth, and intend
to refactor them into the same format as NTLMSSP.
Andrew Bartlett
(This used to be commit 58da78a7460d5d0a4abee7d7b84799c228e6bc0b)
|
|
* Remove unreached counter increment
* Print the correct NTLMSSP key.
(This used to be commit b96700695479c19c7b2c190616420762409fdf0d)
|
|
are variable length.
Remove extra casts
Andrew Bartlett
(This used to be commit 84f86b83f88cea5564347f3aa623be2d9feeb4b3)
|
|
- implement key weakening
- don't create large 'hashes' when we only want a key (signing subkeys)
- make more useful debugs.
NTLM2 is still off by default, till I figure out how to do NTLM2 signing.
Andrew Bartlett
(This used to be commit 079c2654851536b0a7918d408ac9597abbab8fd2)
|
|
(This used to be commit 17dacf494ac25bb6d9f6dea8cb81968ea2b84c55)
|
|
(This used to be commit ae393c2ed6b6039d28bb02d5e5104a6d25368ce6)
|
|
Andrew Bartlett
(This used to be commit 4d23b9e039872273f3ef433d94d24759bcb87c30)
|
|
signing
mistakes.
Jeremy.
(This used to be commit 5c3a2417cfe1bdbdfb35d933d49f77f6696790b3)
|
|
reply also initialise the LM session key, when we have it (was failing
because the auth code was setting it's length wrong).
Andrew Bartlett
(This used to be commit de97d9df224f769953e850a276515923a830839c)
|
|
Changes:
- Check for a valid 'pipe_state' in netr_ServerAuthenticate3 before
we dereference it
- removes the expansionroom[7] in the netr_SamInfo* structs to 7
individual elements.
- renames netr_SamInfo -> netr_SamInfo2
netr_SamInfo2 -> netr_SamInfo3
- Having the thing we always called an 'info3' being 'netr_SamInfo2'
was just too confusing.
- Expand and fill in extra details about users from the SAM, into
the server_info, for processing into the SamLogon reply.
- Add a dum_sid_dup() function to duplicate a struct dom_sid
The SamLogon code currently does not return supplementary groups, and is
only tested with Samba4 smbtorture.
Andrew Bartlett
(This used to be commit 6c92563b7961f15fc74b02601e105d5e1d04f04d)
|
|
schannel torture test.
(This used to be commit 95599e3ef79bf5cafb556121c99ffc5c3a8f3314)
|