path: root/auth/credentials
Commit log (each entry: commit message; author; date; files changed; lines removed/added)
* krb5-samba: interdomain trust uses different salt principal
  Alexander Bokovoy, 2018-09-05, 1 file changed, -4/+12 lines

  Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where
  DOMAIN is the sAMAccountName without the dollar sign ($).

  The salt principal for the BLA$ user object was generated wrong.

  dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
  securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
  trustDirection: 3
  trustPartner: bla.base
  trustPosixOffset: -2147483648
  trustType: 2
  trustAttributes: 8
  flatName: BLA

  dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
  userAccountControl: 2080
  primaryGroupID: 513
  objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
  accountExpires: 9223372036854775807
  sAMAccountName: BLA$
  sAMAccountType: 805306370
  pwdLastSet: 131485652467995000

  The salt stored by Windows in the package_PrimaryKerberosBlob (within
  supplementalCredentials) seems to be 'W4EDOM-L4.BASEkrbtgtBLA' for the
  above trust and Samba stores 'W4EDOM-L4.BASEBLA$'. While the salt used
  when building the keys from trustAuthOutgoing/trustAuthIncoming is
  'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correctly.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Sep 5 03:57:22 CEST 2018 on sn-devel-144

  (cherry picked from commit f3e349bebc443133fdbe4e14b148ca8db8237060)

  Autobuild-User(v4-8-test): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(v4-8-test): Wed Sep 5 18:32:05 CEST 2018 on sn-devel-144
* tests/bind.py: Add a bind test with NTLMSSP with no domain
  Garming Sam, 2018-02-27, 1 file changed, -1/+25 lines

  Confirmed to pass against Windows 2012 R2.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

  (cherry picked from commit 2e49a97777ebf5bffbeadca03517b4a21bca24c0)
* define DBGC_AUTH class
  kkplein, 2018-01-08, 3 files changed, -0/+9 lines

  Signed-off-by: Mourik Jan C Heupink <heupink@merit.unu.edu>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* credentials: Simplify cli_credentials_get_server_gss_creds()
  Andreas Schneider, 2018-01-03, 1 file changed, -9/+10 lines

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>

  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Wed Jan 3 14:37:12 CET 2018 on sn-devel-144
* CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL
  Stefan Metzmacher, 2017-09-20, 1 file changed, -0/+16 lines

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* cli_credentials: Apply some const
  Volker Lendecke, 2017-09-16, 2 files changed, -4/+6 lines

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Sat Sep 16 12:28:17 CEST 2017 on sn-devel-144
* cli_credentials: Fix a typo
  Volker Lendecke, 2017-09-07, 1 file changed, -1/+1 lines

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu Sep 7 05:56:14 CEST 2017 on sn-devel-144
* cli_credentials: Fix a return value
  Volker Lendecke, 2017-09-05, 1 file changed, -1/+1 lines

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Sep 5 23:06:42 CEST 2017 on sn-devel-144
* pycredentials: Add set_named_ccache()
  Andrew Bartlett, 2017-07-28, 1 file changed, -0/+45 lines

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* pycredentials: Add get_name() for a credentials cache
  Andrew Bartlett, 2017-07-28, 1 file changed, -0/+30 lines

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* pycredentials: Allow optional "name" argument to get_named_ccache() to be missing
  Andrew Bartlett, 2017-07-28, 1 file changed, -1/+1 lines

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth/credentials: remove unused smb_krb5_create_salt_principal()
  Stefan Metzmacher, 2017-06-27, 1 file changed, -79/+0 lines

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/credentials: make use of smb_krb5_salt_principal() in cli_credentials_get_keytab()
  Stefan Metzmacher, 2017-06-27, 1 file changed, -12/+26 lines

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* pycredentials: Add support for netr_crypt_password
  Gary Lockyer, 2017-06-22, 3 files changed, -0/+77 lines

  Add code to encrypt a netr_CryptPassword structure with the current
  session key. This allows the making of Netr_ServerPasswordSet2 calls
  from python.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* pycredentials: add function to return the netr_Authenticator
  Gary Lockyer, 2017-06-22, 1 file changed, -0/+40 lines

  Add method new_client_authenticator that returns data to allow a
  netr_Authenticator to be constructed. Allows python to make
  netr_LogonSamLogonWithFlags, netr_LogonGetDomainInfo and similar calls.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth pycredentials: incorrect PyArg_ParseTupleAndKeywords call
  Gary Lockyer, 2017-05-25, 1 file changed, -4/+7 lines

  The challenge parameter was being treated as a string rather than as a
  data blob. This was causing intermittent seg faults.

  Removed the server_timestamp parameter as it's not currently used.

  Unable to produce a test case to reliably replicate the failure.
  However, auth_log_samlogon does flap.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth pycredentials: correct docstring of get_ntlm_response method
  Gary Lockyer, 2017-05-25, 1 file changed, -2/+2 lines

  Fix copy-paste error: it was incorrectly named "get_ntlm_username_domain".

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth_log: Add test that exercises the SamLogon python bindings
  Gary Lockyer, 2017-05-25, 1 file changed, -0/+16 lines

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* python3: Use "y#" instead of "s#" for binary data in PyArg_ParseTuple
  Petr Viktorin, 2017-05-19, 1 file changed, -2/+4 lines

  The "s#" format code for PyArg_ParseTupleAndKeywords and Py_BuildValue
  converts a char* and size to/from Python str (with utf-8 encoding under
  Python 3). In some cases, we want bytes (str on Python 2, bytes on 3)
  instead. The code for this is "y#" in Python 3, but that is not
  available in 2.

  Introduce a PYARG_BYTES_LEN macro that expands to "s#" or "y#", and use
  that in:
  - credentials.get_ntlm_response (for input and output)
  - ndr_unpack argument in PIDL generated code

  Signed-off-by: Petr Viktorin <pviktori@redhat.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* build: correct package dependencies
  Jan Engelhardt, 2017-04-18, 1 file changed, -0/+1 lines

  The wscript_build files convey what header files belong to which
  logical package. For example,

  # lib/util/wscript_build:
  bld.SAMBA_LIBRARY('samba-util',
      public_headers='... data_blob.h ...'

  # auth/credentials/wscript_build:
  bld.SAMBA_LIBRARY('samba-credentials',
      public_headers='credentials.h',

  Now, credentials.h #includes <util/data_blob.h> and therefore,
  samba-credentials.pc must have a Requires: samba-util. Similarly for
  other parts.

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* pycredentials: Add bindings for get_ntlm_response()
  Andrew Bartlett, 2017-03-29, 1 file changed, -0/+65 lines

  This should make testing of SamLogon from python practical.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* python: wscript_build: Build some modules for Python 3
  Lumir Balhar, 2017-03-10, 1 file changed, -6/+6 lines

  Update a few wscript_build files to build Python 3-compatible modules
  for Python 3.

  Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* python: samba.credentials: Port pycredentials.c to Python3-compatible form.
  Lumir Balhar, 2017-03-10, 1 file changed, -7/+17 lines

  Port Python bindings of samba.credentials module to Python3-compatible
  form using macros from py3compat.h.

  Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* credentials_krb5: convert to use smb_gss_krb5_import_cred
  Alexander Bokovoy, 2017-03-08, 1 file changed, -9/+13 lines

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/credentials: try to use kerberos with the machine account unless we're in an AD domain
  Stefan Metzmacher, 2017-02-24, 1 file changed, -1/+16 lines

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* auth: fix mem leak & use appropriate free function
  Aurelien Aptel, 2017-02-01, 1 file changed, -1/+1 lines

  Coverity fix. cli_credentials_set_principal does a strdup; we want to
  free 'name' regardless of the result in 'ok'.

  Signed-off-by: Aurelien Aptel <aaptel@suse.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Create a smb_gss_krb5_copy_ccache() function
  Andreas Schneider, 2017-01-12, 1 file changed, -4/+129 lines

  This sets the default principal on the copied ccache if it hasn't been
  set yet.

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* wscript: remove executable bits for all wscript* files
  Stefan Metzmacher, 2017-01-11, 1 file changed, -0/+0 lines

  These files should not be executable.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>

  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144
* auth/credentials: Always set the realm if we set the principal from the ccache
  Andreas Schneider, 2017-01-10, 1 file changed, -3/+17 lines

  This fixes a bug in gensec_gssapi_client_start() where an invalid realm
  is used to get a Kerberos ticket.

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/credentials: remove const where we always return a talloc string
  Stefan Metzmacher, 2017-01-10, 2 files changed, -9/+9 lines

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/credentials: Add missing error code check for MIT Kerberos
  Andreas Schneider, 2016-12-24, 1 file changed, -1/+5 lines

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/credentials: Add NULL check to free_dccache()
  Andreas Schneider, 2016-12-20, 1 file changed, -2/+7 lines

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/credentials: Add NULL check in free_mccache()
  Andreas Schneider, 2016-12-20, 1 file changed, -1/+5 lines

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/credentials: Move function to free ccaches to the top
  Andreas Schneider, 2016-12-20, 1 file changed, -15/+15 lines

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/credentials: Add talloc NULL check in cli_credentials_set_principal()
  Andreas Schneider, 2016-12-20, 1 file changed, -0/+4 lines

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/credentials: change the parsing order of cli_credentials_parse_file()
  Stefan Metzmacher, 2016-12-20, 1 file changed, -5/+49 lines

  We now first just remember the domain, realm, username, password values
  (the last value wins).

  At the end we call cli_credentials_set_{realm,domain,password}()
  followed by cli_credentials_parse_string() for 'username'.

  It means the last 'username' line beats the domain, realm or password
  lines, e.g.:

  username=USERDOMAIN\username
  domain=DOMAIN

  will result in cli_credentials_get_domain() returning "USERDOMAIN"
  instead of DOMAIN.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: let cli_credentials_parse_file() handle 'username' with cli_credentials_parse_string()
  Stefan Metzmacher, 2016-12-20, 1 file changed, -1/+1 lines

  Some existing source3 tests (test_smbclient_s3.sh test_auth_file()) use
  a credentials file that looks like this:

  username=DOMAIN/username
  password=password
  domain=DOMAIN

  This change allows us to parse the same.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: let cli_credentials_parse_string() always reset principal and realm
  Stefan Metzmacher, 2016-12-20, 1 file changed, -1/+32 lines

  If we reset username we need to reset principal if it was set at the
  same level.

  If domain is reset we also need to use it as realm if realm was set at
  the same level.

  Otherwise we'd build a principal that belongs to a different user, which
  would not work and only increment the wrong lockout counter and result
  in wrong authorization tokens to be used.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: let cli_credentials_parse_string() always reset username and domain
  Stefan Metzmacher, 2016-12-20, 1 file changed, -0/+8 lines

  If cli_credentials_parse_string() is used we should no longer use any
  guessed values and need to make sure username and domain are reset if
  principal and realm are set.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: handle situations without a configured (default) realm
  Stefan Metzmacher, 2016-12-20, 1 file changed, -9/+34 lines

  We should not have cli_credentials_get_realm() return "" without a
  configured (default) realm in smb.conf.

  Note that the existing tests with creds.get_realm() == lp.get("realm")
  also work with "" as string.

  At the same time we should never let cli_credentials_get_principal()
  return "@REALM.EXAMPLE.COM" nor "username@".

  If cli_credentials_parse_string() gets "OTHERDOMAIN\username" we must
  not use cli_credentials_get_realm() to generate a principal unless
  cli_credentials_get_domain() also returns "OTHERDOMAIN".

  What we need to do is use username@OTHERDOMAIN as principal, while we
  still use cli_credentials_get_realm to get a default kdc (which may
  route us to the correct kdc with WRONG_REALM messages).

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: add python bindings for enum credentials_obtained
  Stefan Metzmacher, 2016-12-20, 1 file changed, -10/+17 lines

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: add py_creds_parse_file()
  Stefan Metzmacher, 2016-12-20, 1 file changed, -0/+18 lines

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: add cli_credentials_set_password_will_be_nt_hash() and the related logic
  Stefan Metzmacher, 2016-12-20, 5 files changed, -15/+135 lines

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: let cli_credentials_set_password() fail if talloc_strdup() fails
  Stefan Metzmacher, 2016-12-20, 1 file changed, -7/+20 lines

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: make use of talloc_zero() in cli_credentials_init()
  Stefan Metzmacher, 2016-12-20, 1 file changed, -75/+1 lines

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: clear all unused blobs in cli_credentials_get_ntlm_response()
  Stefan Metzmacher, 2016-12-09, 1 file changed, -4/+12 lines

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/credentials: fix cut'n'paste error in cli_credentials_get_principal_and_obtained()
  Stefan Metzmacher, 2016-12-09, 1 file changed, -1/+1 lines

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/credentials: let cli_credentials_parse_string() handle the "winbind separator"
  Stefan Metzmacher, 2016-12-09, 2 files changed, -1/+15 lines

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/credentials: make cli_credentials_get_ntlm_response() more robust
  Stefan Metzmacher, 2016-11-15, 1 file changed, -73/+131 lines

  We always provide each output blob as its own talloc memory and also
  check for talloc failures.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/credentials: anonymous should not have a user principal
  Stefan Metzmacher, 2016-11-15, 1 file changed, -0/+1 lines

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>