path: root/auth
Commit log (each entry: commit message, author, age, files changed, lines removed/added)
* auth:creds: Prefer the principal over DOMAIN/username when using NTLM
  Author: Andreas Schneider   Age: 2019-04-09   Files: 1   Lines: -1/+1

  If we want to authenticate using -Wadmin@otherdomain the DC should take care of the authentication with the right DC for us.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

  Pair-Programmed-With: Guenther Deschner <gd@samba.org>
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 5c7f0a6902cfdd698e5f4159d37537bb4c9c1cc3)
* auth:ntlmssp: Add back CRAP ndr debug output
  Author: Guenther Deschner   Age: 2019-04-09   Files: 1   Lines: -0/+32

  This got lost somehow during refactoring. This is still viable information when trying to figure out what is going wrong when authenticating a user over NTLMSSP.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 9e92654899db3c951bee0203415a15737402e7b7)
* audit_logging: Remove debug log header and JSON Authentication: prefix
  Author: Andrew Bartlett   Age: 2019-02-01   Files: 1   Lines: -9/+4

  Feedback from real-world users is that they really want raw JSON strings in the log. We can not easily remove the leading " " but the other strings above and before the JSON are really annoying to strip back off.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13714

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  (cherry-picked from edab1318f9138c0d87de7cc7cfa5da8e29c906f8 and modified for v4-9 by Gary Lockyer)
* json: Modify API to use return codes
  Author: Gary Lockyer   Age: 2019-02-01   Files: 1   Lines: -84/+223

  Modify the auditing JSON API to return a response code, as the consensus was that the existing error handling was aesthetically displeasing.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 79f494e51eabb5176747fcf3b9f2efad10ec7f97 and adapted to compile on 4.9 by Gary Lockyer)
* audit_logging: auth_json_audit required auth_json
  Author: Gary Lockyer   Age: 2019-01-14   Files: 1   Lines: -2/+2

  To log JSON the human-readable logs must also have been enabled.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13715

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Fri Dec 14 14:32:25 CET 2018 on sn-devel-144

  (cherry picked from commit 31957c7fe9d0f67bef08177e982043a23b172c7d)
  Edited to apply to v4.9: Gary Lockyer <gary@catalyst.net.nz>
* krb5-samba: interdomain trust uses different salt principal
  Author: Alexander Bokovoy   Age: 2018-09-05   Files: 1   Lines: -4/+12

  Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where DOMAIN is the sAMAccountName without the dollar sign ($).

  The salt principal for the BLA$ user object was generated wrong.

  dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
  securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
  trustDirection: 3
  trustPartner: bla.base
  trustPosixOffset: -2147483648
  trustType: 2
  trustAttributes: 8
  flatName: BLA

  dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
  userAccountControl: 2080
  primaryGroupID: 513
  objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
  accountExpires: 9223372036854775807
  sAMAccountName: BLA$
  sAMAccountType: 805306370
  pwdLastSet: 131485652467995000

  The salt stored by Windows in the package_PrimaryKerberosBlob (within supplementalCredentials) seems to be 'W4EDOM-L4.BASEkrbtgtBLA' for the above trust and Samba stores 'W4EDOM-L4.BASEBLA$'.

  While the salt used when building the keys from trustAuthOutgoing/trustAuthIncoming is 'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correctly.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Sep 5 03:57:22 CEST 2018 on sn-devel-144

  (cherry picked from commit f3e349bebc443133fdbe4e14b148ca8db8237060)

  Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-9-test): Wed Sep 5 15:40:53 CEST 2018 on sn-devel-144
* build: Move --without-json-audit and json lib detection to lib/audit_logging
  Author: Andrew Bartlett   Age: 2018-06-25   Files: 1   Lines: -35/+0

  This is the common location of the audit logging code now.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* auth: For NTLM and KDC authentication, log the authentication duration
  Author: Andrew Bartlett   Age: 2018-06-25   Files: 2   Lines: -1/+26

  This is not a general purpose profiling solution, but these JSON logs are already being generated and stored, so this is worth adding.

  Some administrators are very keen to know how long authentication takes, particularly due to long replication transactions in other processes.

  This complements a similar patch set to log the transaction duration.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* lib audit_logging: re-factor and add functions.
  Author: Gary Lockyer   Age: 2018-06-01   Files: 1   Lines: -20/+2

  Re-factor the common calls to json_dumps, DEBUGC and audit_message_send into a separate function. Add functions to retrieve json object and json array elements.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth_log: Rename the json variables
  Author: Gary Lockyer   Age: 2018-05-16   Files: 1   Lines: -16/+16

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth_log: tidy up code formatting
  Author: Gary Lockyer   Age: 2018-05-16   Files: 1   Lines: -70/+76

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth_log: Use common code from audit_logging
  Author: Gary Lockyer   Age: 2018-05-16   Files: 2   Lines: -415/+94

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server
  Author: Stefan Metzmacher   Age: 2018-05-16   Files: 2   Lines: -19/+8

  This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!" error messages, which were generated if the client only sends NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP connection.

  This fixes a regression in the combination of commits 77adac8c3cd2f7419894d18db735782c9646a202 and 3a0b835408a6efa339e8b34333906bfe3aacd6e3.

  We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end of the authentication (as a server, while we already do so at the beginning as a client).

  As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE (as an internal flag) in order to let us work as a Windows using NTLMSSP for LDAP. Even if only signing is negotiated during the authentication the following PDUs will still be encrypted if NTLMSSP is used. This is exactly the same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL. I guess it's a bug in Windows, but we have to reimplement that bug. Note this only applies to NTLMSSP and only to LDAP! Signing only works fine for LDAP with Kerberos or DCERPC and NTLMSSP.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144
* auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option
  Author: Stefan Metzmacher   Age: 2018-05-16   Files: 1   Lines: -7/+17

  This will be used to simulate a Windows client only using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP connection, which is indicated internally by GENSEC_FEATURE_LDAP_STYLE.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* build: Make --with-json-audit the default
  Author: Andrew Bartlett   Age: 2018-05-15   Files: 1   Lines: -4/+8

  Thanks to Rowland for a clear description of the behaviour for the smb.conf manpage.

  This means that those not wanting to link to libarchive will just need to build --without-json-audit.

  In general, we prefer that optional libraries be required by default so that they are not accidentally missed, particularly in packages.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth/credentials/test: py2/py3 compat always decode result of b64encode
  Author: Noel Power   Age: 2018-05-13   Files: 1   Lines: -1/+1

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Sun May 13 00:24:35 CEST 2018 on sn-devel-144
* pycredentials: add py_creds_get_secure_channel_type
  Author: Joe Guo   Age: 2018-05-12   Files: 1   Lines: -0/+12

  We have only set, need get.

  Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* auth log: Log the unique session GUID
  Author: Gary Lockyer   Age: 2018-05-10   Files: 1   Lines: -1/+25

  Log the unique_session_token GUID on successful Authorizations. This patch adds the "sessionID" attribute to the Authorization object and increments the version to 1.1.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/ntlmssp_client: correct spelling of response
  Author: Douglas Bagnall   Age: 2018-05-05   Files: 1   Lines: -1/+5

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

* auth/pycredentials: correct spelling of reponse
  Author: Douglas Bagnall   Age: 2018-05-05   Files: 1   Lines: -1/+1

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* dbwrap: Remove calls to loadparm
  Author: Volker Lendecke   Age: 2018-04-24   Files: 1   Lines: -1/+0

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* credentials: Call dbwrap_local_open with the correct tdb_flags
  Author: Volker Lendecke   Age: 2018-04-24   Files: 1   Lines: -2/+3

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* credentials: Call dbwrap_local_open with the correct hash size
  Author: Volker Lendecke   Age: 2018-04-24   Files: 1   Lines: -4/+13

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* build: fix build without JSON audit support
  Author: Björn Baumbach   Age: 2018-04-20   Files: 1   Lines: -1/+1

  Autobuild-User(master): Björn Baumbach <bbaumbach@samba.org>
  Autobuild-Date(master): Fri Apr 20 21:12:33 CEST 2018 on sn-devel-144
* build: add option to choose to build with or without JSON audit support
  Author: Björn Baumbach   Age: 2018-04-18   Files: 2   Lines: -16/+31

  Add a new configure option:

    --with-json-audit    Build with JSON auth audit support (default=auto). This requires the jansson devel package.

  Signed-off-by: Björn Baumbach <bb@sernet.de>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

  Autobuild-User(master): <bbaumbach@samba.org>
  Autobuild-Date(master): Wed Apr 18 15:25:42 CEST 2018 on sn-devel-144
* wscript_build: make sure we link extra-python versions of libraries
  Author: Noel Power   Age: 2018-04-13   Files: 1   Lines: -1/+4

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* Check "auth event notification" param in log_json
  Author: Arvid Requate   Age: 2018-04-12   Files: 1   Lines: -2/+11

  When Samba is compiled with JSON support it logs an error message at log level 3 by default for every authentication event:

    get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND

  This patch adjusts the log_json function to consider the smb.conf parameter "auth event notification" before calling auth_message_send.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13381

  Signed-off-by: Arvid Requate <requate@univention.de>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Apr 12 08:12:39 CEST 2018 on sn-devel-144
* credentials: Fix CID 1414796 Explicit null dereferenced
  Author: Volker Lendecke   Age: 2018-04-11   Files: 1   Lines: -0/+1

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Wed Apr 11 21:58:00 CEST 2018 on sn-devel-144

* credentials: Fix line length
  Author: Volker Lendecke   Age: 2018-04-11   Files: 1   Lines: -1/+3

  ... just because I'll modify that line in the next commit

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* credentials: Revert "credentials: Fix CID 1414796 Explicit null dereferenced"
  Author: Volker Lendecke   Age: 2018-04-11   Files: 1   Lines: -5/+0

  This reverts commit 90c02ec64d0e3c860f8d6906cf849bdd2c7bcc54.

  We have code to take care of password==NULL, this CID must be fixed in a different way.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Fix a typo
  Author: Volker Lendecke   Age: 2018-04-05   Files: 1   Lines: -1/+1

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* credentials: Fix CID 1414796 Explicit null dereferenced
  Author: Volker Lendecke   Age: 2018-04-05   Files: 1   Lines: -0/+5

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth/credentials/test: convert print func to be py2/py3 compatible
  Author: Noel Power   Age: 2018-03-23   Files: 1   Lines: -5/+6

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth/kerberos: Fix typo in error message regarding fetching PAC using Heimdal
  Author: Matt Selsky   Age: 2018-03-19   Files: 1   Lines: -1/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13311

  Signed-off-by: Matt Selsky <matthew.selsky@twosigma.com>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: add auth_user_info_copy() function
  Author: Stefan Metzmacher   Age: 2018-03-15   Files: 2   Lines: -0/+38

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* auth:credentials: Avoid an 'else' branch
  Author: Andreas Schneider   Age: 2018-03-01   Files: 1   Lines: -3/+6

  This moves the 'return' statement to the end of the 'case' and makes clear we leave here.

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:credentials: Add FALL_THROUGH statements in credentials.c
  Author: Andreas Schneider   Age: 2018-03-01   Files: 1   Lines: -1/+2

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth:gensec: Add FALL_THROUGH statements in spnego.c
  Author: Andreas Schneider   Age: 2018-03-01   Files: 1   Lines: -1/+1

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth:credentials: Add FALL_THROUGH statements in credentials_secrets.c
  Author: Andreas Schneider   Age: 2018-03-01   Files: 1   Lines: -1/+2

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/bind.py: Add a bind test with NTLMSSP with no domain
  Author: Garming Sam   Age: 2018-02-22   Files: 1   Lines: -1/+25

  Confirmed to pass against Windows 2012 R2.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* selftest: Require jansson support for selftest of the AD DC
  Author: Andrew Bartlett   Age: 2018-02-15   Files: 1   Lines: -0/+9

  This avoids this code becoming untested if a package is not installed or the configure test is accidentally broken.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* define DBGC_AUTH class
  Author: kkplein   Age: 2018-01-08   Files: 19   Lines: -0/+59

  Signed-off-by: Mourik Jan C Heupink <heupink@merit.unu.edu>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* credentials: Simplify cli_credentials_get_server_gss_creds()
  Author: Andreas Schneider   Age: 2018-01-03   Files: 1   Lines: -9/+10

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>

  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Wed Jan 3 14:37:12 CET 2018 on sn-devel-144
* CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL
  Author: Stefan Metzmacher   Age: 2017-09-20   Files: 1   Lines: -0/+16

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* cli_credentials: Apply some const
  Author: Volker Lendecke   Age: 2017-09-16   Files: 2   Lines: -4/+6

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Sat Sep 16 12:28:17 CEST 2017 on sn-devel-144

* cli_credentials: Fix a typo
  Author: Volker Lendecke   Age: 2017-09-07   Files: 1   Lines: -1/+1

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu Sep 7 05:56:14 CEST 2017 on sn-devel-144

* cli_credentials: Fix a return value
  Author: Volker Lendecke   Age: 2017-09-05   Files: 1   Lines: -1/+1

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Sep 5 23:06:42 CEST 2017 on sn-devel-144
* auth/common: add support for auth4_ctx->check_ntlm_password_send/recv()
  Author: Stefan Metzmacher   Age: 2017-08-07   Files: 2   Lines: -0/+75

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* auth/ntlmssp: merge ntlmssp_server_check_password() into ntlmssp_server_auth_send()
  Author: Stefan Metzmacher   Age: 2017-08-07   Files: 1   Lines: -48/+22

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* auth/ntlmssp: introduce ntlmssp_server_auth_send/recv
  Author: Stefan Metzmacher   Age: 2017-08-07   Files: 3   Lines: -66/+81

  We still use the sync ntlmssp_server_check_password().

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>