path: root/auth/kerberos
Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* auth/kerberos: Fix typo in error message regarding fetching PAC using Heimdal
  Author: Matt Selsky | Date: 2018-03-19 | Files: 1 | Lines: -1/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13311
  Signed-off-by: Matt Selsky <matthew.selsky@twosigma.com>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* define DBGC_AUTH class
  Author: kkplein | Date: 2018-01-08 | Files: 3 | Lines: -0/+11
  Signed-off-by: Mourik Jan C Heupink <heupink@merit.unu.edu>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* wscript: remove executable bits for all wscript* files
  Author: Stefan Metzmacher | Date: 2017-01-11 | Files: 1 | Lines: -0/+0
  These files should not be executable.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144
* CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
  Author: Stefan Metzmacher | Date: 2016-12-20 | Files: 1 | Lines: -0/+22
  aes based checksums can only be checked with the corresponding aes based keytype.
  Otherwise we may trigger an undefined code path deep in the kerberos libraries,
  which can lead to segmentation faults.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* mit: make it possible to build with MIT kerberos and --picky-developer
  Author: Günther Deschner | Date: 2016-09-29 | Files: 1 | Lines: -1/+2
  Guenther
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* gensec: Change log level for message when obtaining PAC from gss_get_name_attribute failed
  Author: Christof Schmitt | Date: 2016-07-06 | Files: 1 | Lines: -6/+4
  This is the second part for the issue from commit 8bb4fccd. A KDC that does not
  return a PAC first triggers this message, then the "resorting to local user
  lookup" one. Change the log level for the "obtaining PAC via GSSAPI
  gss_get_name_attribute" message as well to avoid spamming the logs during
  normal usage.
  While changing this message, also remove the discard_const since it is no
  longer required.
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Jul 6 04:27:03 CEST 2016 on sn-devel-144
* auth: fix a memory leak in gssapi_get_session_key()
  Author: Uri Simchoni | Date: 2016-07-06 | Files: 1 | Lines: -6/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12006
  Signed-off-by: Uri Simchoni <uri@samba.org>
  Signed-off-by: Richard Sharpe <rsharpe@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Richard Sharpe <sharpe@samba.org>
  Autobuild-Date(master): Wed Jul 6 00:40:15 CEST 2016 on sn-devel-144
* auth: Fix picky const warnings in gssapi_pac
  Author: Andreas Schneider | Date: 2015-11-23 | Files: 1 | Lines: -2/+10
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* auth/kerberos: add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
  Author: Stefan Metzmacher | Date: 2015-06-24 | Files: 3 | Lines: -1/+451
  These make use of gss_[un]wrap_iov[_length]() where required and support
  header signing.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/kerberos: remove allow_warnings=True
  Author: Stefan Metzmacher | Date: 2015-03-20 | Files: 1 | Lines: -1/+0
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth/kerberos: avoid compiler warnings
  Author: Stefan Metzmacher | Date: 2015-03-20 | Files: 1 | Lines: -4/+12
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth/kerberos: Do a string comparison in kerberos_decode_pac() not a principal comparison
  Author: Andrew Bartlett | Date: 2015-03-12 | Files: 1 | Lines: -11/+12
  This ensures that if an enterprise principal is used, we do the comparison
  properly.
  This matters as in the enterprise case, which can be triggered by MIT kinit -E,
  does not use canonicalization, and so the enterprise name, with the @ in it,
  is in the logon name.
  Otherwise, we get errors like:
  Name in PAC [TESTALLOWED@WIN2012R2] does not match principal name in ticket
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* auth/kerberos: explicitly use allow_warnings=True
  Author: Stefan Metzmacher | Date: 2014-04-02 | Files: 1 | Lines: -0/+1
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/kerberos: fix a typo.
  Author: Günther Deschner | Date: 2014-03-12 | Files: 1 | Lines: -1/+1
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/kerberos: add HAVE_KRB5 guard to fix non-krb5 build after winbindd pac changes
  Author: Andrew Bartlett | Date: 2012-09-22 | Files: 1 | Lines: -0/+3
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Sat Sep 22 02:44:07 CEST 2012 on sn-devel-104
* auth/kerberos: Adjust log level for failed PAC signature verification
  Author: Christof Schmitt | Date: 2012-09-20 | Files: 1 | Lines: -1/+1
  With winbindd trying to verify the signature of an application provided PAC,
  this message can be easily triggered. Adjust the debug level to avoid filling
  up the logs.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* auth/kerberos: Do not do pointer arithmetic on a void *
  Author: Andrew Bartlett | Date: 2012-07-30 | Files: 1 | Lines: -1/+1
  Found with -Werror=pointer-arith
  Andrew Bartlett
* auth: Common function for retrieving PAC_LOGIN_INFO from PAC
  Author: Christof Schmitt | Date: 2012-07-06 | Files: 2 | Lines: -0/+47
  Several functions use the same logic as kerberos_pac_logon_info. Move
  kerberos_pac_logon_info to common code and reuse it to remove the code
  duplication.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* auth-kerberos: avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute()
  Author: Alexander Bokovoy | Date: 2012-06-06 | Files: 1 | Lines: -2/+18
  gss_get_name_attribute() can return uninitialized pac_display_buffer and later
  gss_release_buffer() will crash on attempting to release it.
  The fix on MIT krb5 side is in 1.10.1, reported in both Debian and MIT upstream:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514
  http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087
  We need to initialize variables before using gss_get_name_attribute()
  Autobuild-User: Alexander Bokovoy <ab@samba.org>
  Autobuild-Date: Wed Jun 6 18:22:51 CEST 2012 on sn-devel-104
* gse: Use the smb_gss_oid_equal wrapper.
  Author: Andreas Schneider | Date: 2012-05-23 | Files: 1 | Lines: -1/+1
  Signed-off-by: Andreas Schneider <asn@samba.org>
* lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into lib/replace/system/gssapi.h
  Author: Alexander Bokovoy | Date: 2012-04-25 | Files: 2 | Lines: -1/+2
  With waf build include directories are defined by dependencies specified to
  subsystems. Without proper dependency <gssapi/gssapi.h> cannot be found for
  embedded Heimdal builds when there are no system-wide gssapi/gssapi.h
  available.
  Split out GSSAPI header includes in a separate replacement header and use that
  explicitly where needed.
  Autobuild-User: Alexander Bokovoy <ab@samba.org>
  Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
* Make krb5 wrapper library common so they can be used all over
  Author: Simo Sorce | Date: 2012-04-23 | Files: 3 | Lines: -4/+55
* auth-krb: Move pac related util functions in a single place.
  Author: Simo Sorce | Date: 2012-04-12 | Files: 4 | Lines: -11/+78
  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Make functions static.
  Author: Simo Sorce | Date: 2012-04-12 | Files: 3 | Lines: -100/+2
  The remaining gssapi_parse functions were used exclusively in gensec_krb5.
  Move them there and make them static.
  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Use simpler method to extract keytype.
  Author: Simo Sorce | Date: 2012-04-12 | Files: 1 | Lines: -19/+12
  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Move oid packet check to gensec_util.
  Author: Simo Sorce | Date: 2012-04-12 | Files: 1 | Lines: -20/+0
  This is clearly a utility function generic to gensec. Also the 3 callers had
  identical implementations. Provide a generic implementation for all of them
  and avoid duplicating the code everywhere.
  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth/kerberos: Fall back to gsskrb5_get_subkey if we did not get the key type
  Author: Andrew Bartlett | Date: 2012-03-08 | Files: 1 | Lines: -4/+23
  The key type OID is optional, but we require that information to determine if
  we should use NEW_SPNEGO.
  Andrew Bartlett
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Thu Mar 8 11:53:57 CET 2012 on sn-devel-104
* auth/kerberos: Ensure we do not print invalid memory in failure case
  Author: Andrew Bartlett | Date: 2012-03-08 | Files: 1 | Lines: -4/+1
  This codeblock may not have any set->elements, so we should not print them.
  Copy&paste in the original code.
  Andrew Bartlett
* auth/kerberos: Move gse_get_session_key() to common code and use in gensec_gssapi
  Author: Andrew Bartlett | Date: 2012-02-17 | Files: 1 | Lines: -0/+113
  This ensures that both code bases use the same logic to determine the use of
  NEW_SPNEGO.
  Andrew Bartlett
* auth/kerberos: Remove unused TALLOC_CTX argument to check_pac_checksum
  Author: Andrew Bartlett | Date: 2012-01-12 | Files: 1 | Lines: -6/+3
* auth/kerberos: Remove unused headers from gssapi_parse.c
  Author: Andrew Bartlett | Date: 2012-01-11 | Files: 1 | Lines: -2/+0
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth/kerberos: Rename memory contexts for greater clarity
  Author: Andrew Bartlett | Date: 2011-12-29 | Files: 1 | Lines: -34/+34
  This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.
  Thank you Simo for the suggestion.
  Andrew Bartlett
* auth/kerberos: Make pac_data_out in kerberos_decode_pac() optional
  Author: Andrew Bartlett | Date: 2011-12-29 | Files: 1 | Lines: -3/+32
* auth/kerberos: Move gssapi_parse.c to the top level
  Author: Andrew Bartlett | Date: 2011-12-28 | Files: 2 | Lines: -2/+121
  This will help with writing a gensec module for the s3 gse layer.
  Andrew Bartlett
* Add missing com_err dependencies
  Author: Ewoud Kohl van Wijngaarden | Date: 2011-10-06 | Files: 1 | Lines: -1/+1
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date: Thu Oct 6 02:10:21 CEST 2011 on sn-devel-104
* auth/kerberos/gssapi_pac: fix compiler warnings
  Author: Stefan Metzmacher | Date: 2011-06-15 | Files: 1 | Lines: -6/+5
  metze
  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Wed Jun 15 19:06:24 CEST 2011 on sn-devel-104
* Fix Samba3 on OpenIndiana.
  Author: Gordon Ross | Date: 2011-05-07 | Files: 1 | Lines: -0/+24
  I'd like Samba to use the native OpenLDAP and MIT Kerberos libs. Attached are
  some patches to do that. (relative to git master) It does not build for me
  without these.
  (OpenIndiana is an off-shoot of OpenSolaris. See http://www.openindiana.org)
  Autobuild-User: Jeremy Allison <jra@samba.org>
  Autobuild-Date: Sat May 7 02:20:14 CEST 2011 on sn-devel-104
* auth/kerberos Add check for gss_inquire_sec_context_by_oid
  Author: Andrew Bartlett | Date: 2011-04-27 | Files: 1 | Lines: -4/+10
  Not all kerberos distributions have this function.
  Andrew Bartlett
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Wed Apr 27 07:39:08 CEST 2011 on sn-devel-104
* auth/kerberos Move all the PAC handling functions to auth/kerberos
  Author: Andrew Bartlett | Date: 2011-04-27 | Files: 2 | Lines: -1/+365
* auth/kerberos: Create common helper to get the verified PAC from GSSAPI
  Author: Andrew Bartlett | Date: 2011-04-27 | Files: 2 | Lines: -0/+126
  This only works for Heimdal and MIT Krb5 1.8, other versions will get an
  ACCESS_DENIED error.
  We no longer manually verify any details of the PAC in Samba for GSSAPI logins,
  as we never had the information to do it properly, and it is better to have the
  GSSAPI library handle it.
  Andrew Bartlett