summaryrefslogtreecommitdiff
path: root/auth
Commit message (Collapse)AuthorAgeFilesLines
* auth/credentials: anonymous should not try to use kerberosStefan Metzmacher2015-07-031-0/+1
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
* auth: Explain why GSS_KRB5_CRED_NO_CI_FLAGS_X is neededAndreas Schneider2015-06-241-1/+9
| | | | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Wed Jun 24 13:37:02 CEST 2015 on sn-devel-104
* auth/kerberos: add gssapi_get_sig_size() and ↵Stefan Metzmacher2015-06-243-1/+451
| | | | | | | | | | gssapi_{seal,unseal,sign,check}_packet() helper functions These make use of gss_[un]wrap_iov[_length]() where required and support header signing. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: remove unused gensec_[un]wrap_packets() hooksStefan Metzmacher2015-06-235-206/+1
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL ↵Stefan Metzmacher2015-06-231-0/+6
| | | | | | | | | | | | | | | before starting We want to set GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL based on the given auth_level and should not have GENSEC_FEATURE_SEAL if DCERPC_AUTH_LEVEL_INTEGRITY is desired. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: gensec_[un]seal_packet() should only work with ↵Stefan Metzmacher2015-06-231-0/+14
| | | | | | | | | | | | GENSEC_FEATURE_DCE_STYLE gensec_sig_size() also requires GENSEC_FEATURE_DCE_STYLE if GENSEC_FEATURE_SEAL is negotiated. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X instead of ↵Stefan Metzmacher2015-06-231-3/+2
| | | | | | | | | SAMBA4_USES_HEIMDAL Newer MIT versions also have this. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* dcerpc: NULL pointer deref crash in handling rpc request.Jeremy Allison2015-06-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | source4/rpc_server/dcerpc_server.c:dcesrv_request() calls gensec_have_feature(). Codenomicon found a code path that allows the client to send a request that calls into this function without ever having set up security. So call->conn->auth_state.gensec_security exists (gensec has been initialized when the RPC pipe is set up) but call->conn->auth_state.gensec_security->ops has not been initialized. We dereference the NULL pointer and crash. An alternate way to fix this would be to create a new public bool gensec_initialized(() function and call that inside dcesrv_request() instead of doing a null check on call->conn->auth_state.gensec_security, but that's a more invasive fix we can add later. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11341 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
* auth: Make sure error_string is not used uninitializedAndreas Schneider2015-05-191-5/+8
| | | | | | | | Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Simo Sorce <idra@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue May 19 13:42:32 CEST 2015 on sn-devel-104
* auth/kerberos: remove allow_warnings=TrueStefan Metzmacher2015-03-201-1/+0
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth/kerberos: avoid compiler warningsStefan Metzmacher2015-03-201-4/+12
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* build: Add talloc and samba-debug dep for gensec_external moduleAndrew Bartlett2015-03-191-0/+1
| | | | | | | | | | On a host without a talloc.h, this caused the build to fail Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Thu Mar 19 18:01:09 CET 2015 on sn-devel-104
* s4: lib: auth: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers ↵Jeremy Allison2015-03-191-4/+36
| | | | | | | | | | | that don't send the 2 unused fields. Packet traces showing such servers are found in the bug this fixes: https://bugzilla.samba.org/show_bug.cgi?id=10016 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* auth/credentials: add cli_credentials_set_old_utf16_password()Stefan Metzmacher2015-03-122-0/+49
| | | | | | | This is required to set the previous trust account password. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
* auth/credentials: add cli_credentials_[g|s]et_old_nt_hash()Stefan Metzmacher2015-03-124-0/+64
| | | | | | | | The machine and trust accounts it's important to retry netr_Authenticate3() with the previous (old) nt_hash. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
* auth/credentials: add a missing talloc check to cli_credentials_set_nt_hash()Stefan Metzmacher2015-03-121-0/+3
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
* auth/kerberos: Do a string comparison in kerberos_decode_pac() not a ↵Andrew Bartlett2015-03-121-11/+12
| | | | | | | | | | | | | | | | | | | | principal comparison This ensures that if an enterprise principal is used, we do the comparison properly This matters as in the enterprise case, which can be triggered by MIT kinit -E, does not use canonicalization, and so the enterprise name, with the @ in it, is in the logon name. Otherwise, we get errors like: Name in PAC [TESTALLOWED@WIN2012R2] does not match principal name in ticket BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
* Fix the O3 developer buildVolker Lendecke2015-03-031-2/+4
| | | | | | | | | | Different gcc versions complain at different places Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Tue Mar 3 13:14:53 CET 2015 on sn-devel-104
* auth/credentials_krb5: fix memory leak in ↵Günther Deschner2015-01-261-0/+2
| | | | | | | | | | | | cli_credentials_failed_kerberos_login(). Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon Jan 26 19:56:57 CET 2015 on sn-devel-104
* auth/credentials: add cli_credentials_set_utf16_password()Stefan Metzmacher2014-12-193-6/+65
| | | | | | | | | | | | | | We need a way to initialize the cli_credentials from the raw utf16 blob, which might not be completely valid utf16, which means the conversion from CH_UTF16MUNGED to CH_UTF8 might loose information. This would result in an invalid nt_hash, when we convert back from CH_UTF8 to CH_UTF16LE. Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: add support for SEC_CHAN_DNS_DOMAIN to schannel_update()Stefan Metzmacher2014-12-191-17/+10
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: make sure we keep a DCERPC_AUTH_TYPE_SCHANNEL backend if requiredStefan Metzmacher2014-12-191-0/+8
| | | | | | | | | | | | | Even with CRED_MUST_USE_KERBEROS we should keep the DCERPC_AUTH_TYPE_SCHANNEL backend arround, this can only be specified explicitely by the caller and cli_credentials_get_netlogon_creds() != NULL is the strong indication that the caller is using DCERPC_AUTH_TYPE_SCHANNEL *now*. With trusts against AD domain we can reliable use kerberos and netlogon secure channel for authentication. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* credentials test: Use samba.tests.subunitrun.Jelmer Vernooij2014-11-221-20/+14
| | | | | | Change-Id: I8970c66de9535cb8d48b17d88b2759b7d1e39cb8 Signed-off-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Remove unused imports.Jelmer Vernooij2014-11-191-7/+1
| | | | | | Change-Id: I8915f62206edb53ffc2d89434e46d9e71db8bb9a Signed-Off-By: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: add missing includes to auth/wbc_auth_util.cStefan Metzmacher2014-11-141-0/+2
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth/credentials: Ensure that we set the realm when reading secrets.tdbAndrew Bartlett2014-10-171-0/+3
| | | | | | | | | | Otherwise, we try and kinit as host$@DOMAIN and that will not work. Andrew Bartlett Change-Id: Id2fde673423e74dfa1e6ac48f47f49c61ee59779 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* credentials: Allow the secret.tdb handle to be passed in to ↵Andrew Bartlett2014-10-172-13/+64
| | | | | | | | | | | | cli_credentials_set_machine_account() This adds a new wrapper, cli_credentials_set_machine_account_db_ctx() Andrew Bartlett Change-Id: Ia2cceefede4ba9cf7f8de41986daf9372c19d997 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* credentials: Improve error message on failure to set machine account passwordAndrew Bartlett2014-10-171-4/+6
| | | | | | Change-Id: I4136067d6d0e5cfe92770a2e7efa39f4ebcb2aca Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* credentials: Set secure_channel_type from secrets.tdb in ↵Andrew Bartlett2014-10-171-0/+13
| | | | | | | | | | | | | cli_credentials_set_machine_account This should ensure more parts of the source4 code can work with a password set in secrets.tdb. Andrew Bartlett Change-Id: I4a890a719246b073898333d2e04841904c6e1a5d Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* credentials: Allow the secrets.tdb password to be newer than the secrets.ldb ↵Andrew Bartlett2014-09-271-0/+2
| | | | | | | | password Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth: gensec: asn1 fixes - check all returns.Jeremy Allison2014-09-261-5/+6
| | | | | Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
* auth/credentials_krb5: silence a build warning.Günther Deschner2014-08-081-0/+2
| | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials-krb5: use get_kerberos_allowed_etypes().Günther Deschner2014-08-081-6/+5
| | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbinddAndrew Bartlett2014-07-041-1/+1
| | | | | | | | | This changes the auth code in winbindd to use this as a flag, and to therefore contact the RW DC. Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
* auth: Provide a way to use the auth stack for winbindd authenticationAndrew Bartlett2014-06-111-1/+5
| | | | | | | | | | | | | | This adds in flags that allow winbindd to request authentication without directly calling into the auth_sam module. That in turn will allow winbindd to call auth_samba4 and so permit winbindd operation in the AD DC. Andrew Bartlett Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: avoid overwriting the auth_sam_reply.h header all the time.Günther Deschner2014-05-122-1/+8
| | | | | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Mon May 12 17:49:46 CEST 2014 on sn-devel-104
* kerberos: Remove un-used event context argument from smb_krb5_init_context()Andrew Bartlett2014-04-281-1/+1
| | | | | | | | | | | | | | | | | The event context here was only specified in the server or admin-tool context, which does not do network communication, so this only caused a talloc_reference() and never any useful result. The actual network communication code sets an event context directly before making the network call. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
* gensec: add DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM backendAndreas Schneider2014-04-242-0/+293
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth/gensec: use auth_ctx->generate_session_info() for schannelStefan Metzmacher2014-04-241-3/+46
| | | | | | | | This way we generate a correct session info for the s3 rpc_server, including a unix token. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Move wbcAuthUserInfo_to_netr_SamInfo3 to the top levelAndrew Bartlett2014-04-182-1/+226
| | | | | | | | | This allows auth_winbind in source4 to use this more correct conversion routine. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth: Pass though error from GENSEC sub-mechanismAndrew Bartlett2014-04-021-1/+1
| | | | | | | | | | | This allows wrong-password or account-locked-out errors to be passed though from Kerberos (gssapi). Andrew Bartlett Change-Id: I4bc11a1ad98dfbcc5a4ad9101cd843a7a59f0b59 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/kerberos: explicitly use allow_warnings=TrueStefan Metzmacher2014-04-021-0/+1
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/tests: add missing #include "torture/local/proto.h"Stefan Metzmacher2014-04-021-0/+1
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec/spnego: map SPNEGO_REJECT to NT_STATUS_LOGON_FAILUREStefan Metzmacher2014-03-271-1/+1
| | | | | | | | | | This is what NTLMSSP also gives. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Mar 27 02:34:36 CET 2014 on sn-devel-104
* auth/gensec: remove tevent_context argument from gensec_update()Stefan Metzmacher2014-03-272-4/+3
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: make use of gensec_update_ev() in spnego.cStefan Metzmacher2014-03-271-8/+8
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: add a gensec_update_ev() functionStefan Metzmacher2014-03-272-14/+27
| | | | | | | | | | | | | | This is the current gensec_update() which takes an optional tevent_context structure and allows semi-async code. This is just a temporary solution on the way to kill the semi-async code completely, by using gensec_update_send/recv. By providing a gensec_update_ev(), we can remove the explicit tevent_context from gensec_update() and fix all the sane callers. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: fix gensec_update() with ev == NULL.Stefan Metzmacher2014-03-271-0/+32
| | | | | | | | | | | In future we should remove the tevent_context argument from gensec_update() completely! If we have sane backends we should also remove the tevent_loop_allow_nesting() call again! t Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/kerberos: fix a typo.Günther Deschner2014-03-121-1/+1
| | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* Remove a number of NT_STATUS_HAVE_NO_MEMORY_AND_FREE macros from the codebase.Garming Sam2014-03-051-3/+12
| | | | | | | | | | | Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls. Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
View Lorry Controller Status