path: root/auth

Commit log for auth (newest first). Columns: Commit message | Author | Age | Files | Lines
* auth: let auth logging prefer user_info->orig_client.{account,domain}_name if available
  Stefan Metzmacher | 2022-03-16 | 2 files | -5/+17

    The optional user_info->orig_client.{account,domain}_name are the ones really used by the client and should be used in audit logging. But we still fall back to user_info->client.{account,domain}_name.

    This will be important for the next commit.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    (cherry picked from commit 24b580cae23860a0fe6c9d3a285d60564057043d)
* s4:auth: rename user_info->mapped_state to user_info->cracknames_called
  Stefan Metzmacher | 2022-03-16 | 1 file | -1/+1

    This makes it much clearer what it is used for and it is a special hack for authenticate_ldap_simple_bind_send() in order to avoid some additional work in authsam_check_password_internals().

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    (cherry picked from commit 427125d182252d8aee3dd906ee34a909cdbb8ef3)
* auth/ntlmssp: don't set mapped_state explicitly in auth_usersupplied_info
  Stefan Metzmacher | 2022-03-16 | 1 file | -1/+0

    We already use talloc_zero() and mapped_state will be removed in the next commits.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    (cherry picked from commit 9a4ac8ab2e2c8ee48f6bf5a6ecf7988c435ba1c6)
* auth: Cope with NULL upn_name in PAC
  Joseph Sutton | 2022-03-02 | 1 file | -5/+7

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    (cherry picked from commit ef95fb439237910b945b8d6a3ad4a140a8d6d1ea)
* auth/ntlmssp: make sure we return INVALID_PARAMETER for NTLMv2_RESPONSE parsing errors
  Stefan Metzmacher | 2022-01-04 | 1 file | -0/+8

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Tue Jan 4 20:57:41 UTC 2022 on sn-devel-184
* auth/credentials: cli_credentials_set_ntlm_response() pass session_keys
  Stefan Metzmacher | 2022-01-04 | 3 files | -9/+64

    Otherwise cli_credentials_get_ntlm_response() will return session keys with a 0 length, which leads to errors in the NTLMSSP code.

    This wasn't noticed as cli_credentials_set_ntlm_response() has no callers yet, but that will change in the next commits.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* auth: Fix a typo in auth/gensec/ncalrpc.c
  Volker Lendecke | 2021-12-10 | 1 file | -1/+1

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/credentials: Fix cli_credentials_shallow_ccache error case
  Stefan Metzmacher | 2021-12-09 | 1 file | -3/+8

    Avoid dangling values if something fails...

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* auth/credentials: Handle ENOENT when obtaining ccache lifetime
  Stefan Metzmacher | 2021-12-09 | 1 file | -1/+1

    The new Heimdal may return ENOENT instead of KRB5_CC_END.

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* IPA DC: add missing checks
  Alexander Bokovoy | 2021-11-13 | 1 file | -0/+1

    When introducing FreeIPA support, two places were forgotten:

    - schannel gensec module needs to be aware of IPA DC
    - _lsa_QueryInfoPolicy should treat IPA DC as PDC

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903
    Signed-off-by: Alexander Bokovoy <ab@samba.org>
    Reviewed-by: Guenther Deschner <gd@samba.org>
    Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
    Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184
* auth:creds: Guess the username first via getpwuid(my_id)
  Andreas Schneider | 2021-11-10 | 1 file | -0/+13

    If we have a container, we often don't have USER or LOGNAME set.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14883
    Tested-by: Anoop C S <anoopcs@samba.org>
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date(master): Wed Nov 10 19:11:53 UTC 2021 on sn-devel-184
* auth:creds: Remove trailing spaces
  Andreas Schneider | 2021-11-10 | 1 file | -56/+56

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
  Stefan Metzmacher | 2021-11-09 | 1 file | -3/+6

    We want to use this also in code without an existing stackframe.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
  Stefan Metzmacher | 2021-11-09 | 1 file | -4/+23

    AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set on the service account, which can only be explicitly configured, but that's an invalid configuration!

    We still try to support standalone servers in an MIT realm, as a legacy setup.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    [jsutton@samba.org Removed knownfail entries]
* CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
  Stefan Metzmacher | 2021-11-09 | 1 file | -1/+1

    This is not strictly needed, but makes it easier to audit that we don't miss important places.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
  Andrew Bartlett | 2021-11-09 | 1 file | -2/+11

    This allows for any failures here to be handled via the knownfail system.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* dsdb: Allow special chars like "@" in samAccountName when generating the salt
  Andrew Bartlett | 2021-10-20 | 1 file | -6/+6

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
* python: Fix usage strings
  Joseph Sutton | 2021-09-04 | 1 file | -1/+1

    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* auth:gensec: Use lpcfg_weak_crypto()
  Andreas Schneider | 2021-08-03 | 1 file | -2/+3

    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Remove unused simple.c file
  Andreas Schneider | 2021-07-08 | 1 file | -168/+0

    This code is tested by the cmocka unit test: auth/credentials/tests/test_creds.c

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/credentials: allow credentials.Credentials to act as base class
  Stefan Metzmacher | 2021-07-01 | 1 file | -1/+1

    In tests it's useful to add more details.

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Check return code of cli_credentials_guess()
  Andreas Schneider | 2021-06-29 | 1 file | -2/+5

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Return bool for cli_credentials_guess()
  Andreas Schneider | 2021-06-29 | 3 files | -15/+39

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Add sanity check for env variables
  Andreas Schneider | 2021-06-29 | 1 file | -18/+45

    CID 710829

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Check return code of cli_credentials_set_conf()
  Andreas Schneider | 2021-06-29 | 1 file | -2/+5

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Return a bool for cli_credentials_set_conf()
  Andreas Schneider | 2021-06-29 | 3 files | -18/+74

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Fix parameter in creds.set_named_ccache()
  Joseph Sutton | 2021-05-19 | 1 file | -1/+2

    Use the passed-in value for 'obtained' rather than always using CRED_SPECIFIED.

    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth:creds: Remove unused variable
  Joseph Sutton | 2021-05-19 | 1 file | -3/+0

    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth:creds:tests: Add test for cli_credentials_get_password_and_obtained()
  Andreas Schneider | 2021-04-28 | 1 file | -0/+6

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Add cli_credentials_get_password_and_obtained()
  Andreas Schneider | 2021-04-28 | 2 files | -0/+22

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds:tests: Add test for cli_credentials_get_username_and_obtained()
  Andreas Schneider | 2021-04-28 | 1 file | -0/+6

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Add cli_credentials_get_username_and_obtained()
  Andreas Schneider | 2021-04-28 | 2 files | -0/+22

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds:tests: Add test for cli_credentials_set_gensec_features()
  Andreas Schneider | 2021-04-28 | 1 file | -0/+27

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Add obtained arg to cli_credentials_set_gensec_features()
  Andreas Schneider | 2021-04-28 | 4 files | -6/+36

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Use 'client protection' option for smb sign and encrypt defaults
  Andreas Schneider | 2021-04-28 | 1 file | -0/+30

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib:param: Add 'client protection' config option
  Andreas Schneider | 2021-04-28 | 1 file | -0/+7

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds:tests: Add test for cli_credentials_set_kerberos_state()
  Andreas Schneider | 2021-04-28 | 1 file | -0/+42

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Add obtained arg to cli_credentials_set_kerberos_state()
  Andreas Schneider | 2021-04-28 | 8 files | -17/+44

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* python: remove all 'from __future__ import print_function'
  Douglas Bagnall | 2021-04-28 | 1 file | -1/+0

    This made Python 2's print behave like Python 3's print().

    In some cases, where we had:

        from __future__ import print_function
        """Intended module documentation..."""

    this will have the side effect of making the intended module documentation work as the actual module documentation (i.e. becoming __doc__), because it is once again the first statement in the module.

    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gensec: Slightly simplify gensec_generate_session_info_pac()
  Volker Lendecke | 2021-04-27 | 1 file | -11/+19

    Reduce indentation by an early error return and by introducing a helper variable.

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/credentials: Remove unneeded try/except syntax
  Joseph Sutton | 2021-04-07 | 1 file | -10/+4

    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Wed Apr 7 10:24:17 UTC 2021 on sn-devel-184
* auth/credentials: Add test for binding with an extended canonical name
  Joseph Sutton | 2021-04-07 | 1 file | -0/+12

    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth/credentials: Add test for binding with a canonical name
  Joseph Sutton | 2021-04-07 | 1 file | -0/+9

    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth/credentials: Add test for binding with a domain SID
  Joseph Sutton | 2021-04-07 | 1 file | -1/+14

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10319
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* gensec: Remove gensec_security_all(), it was only used internally
  Volker Lendecke | 2021-04-06 | 2 files | -9/+2

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* auth:creds: Free the uname pointer in cli_credentials_parse_string()
  Andreas Schneider | 2021-03-24 | 1 file | -0/+6

    The data is duplicated and we don't need it anymore.

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Wed Mar 24 03:13:05 UTC 2021 on sn-devel-184
* auth:creds: Don't include credentials_internal.h twice
  Andreas Schneider | 2021-03-24 | 1 file | -1/+0

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Use our own cli_credentials_set_cmdline_callbacks()
  Andreas Schneider | 2021-03-24 | 2 files | -3/+2

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Guenther Deschner <gd@samba.org>
* auth:creds: Add command line function for standard password callback
  Andreas Schneider | 2021-03-24 | 3 files | -0/+79

    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Guenther Deschner <gd@samba.org>
* s4:lib:cmdline: Rename cli_credentials_set_cmdline_callbacks()
  Andreas Schneider | 2021-03-24 | 1 file | -1/+1

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Guenther Deschner <gd@samba.org>