path: root/auth
Commit message | Author | Age | Files | Lines
* cli_credentials: add a helper to parse user or group names | Alexander Bokovoy | 2020-11-04 | 3 | -0/+75
  cli_credentials_parse_string() parses a string specified for -U option in command line tools. It has a side-effect that '%' character is always considered to be a separator after which a password is specified.

  Active Directory does allow to create user or group objects with '%' in the name. It means cli_credentials_parse_string() will not be able to properly parse such name.

  Introduce cli_credentials_parse_name() for the cases when a password is not expected in the name and call to cli_credentials_parse_name() from cli_credentials_parse_string().

  Test cli_credentials_parse_name() with its intended use in lookup_name() refactoring.

  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* cli_credentials_parse_string: fix parsing of principals | Alexander Bokovoy | 2020-11-04 | 2 | -4/+3
  When parsing a principal-like name, user name was left with full principal instead of taking only the left part before '@' sign.

      >>> from samba import credentials
      >>> t = credentials.Credentials()
      >>> t.parse_string('admin@realm.test', credentials.SPECIFIED)
      >>> t.get_username()
      'admin@realm.test'

  The issue is that cli_credentials_set_username() does a talloc_strdup() of the argument, so we need to change order of assignment to allow talloc_strdup() to copy the right part of the string.

  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth:creds:tests: Migrate test to a cmocka unit test | Andreas Schneider | 2020-11-03 | 2 | -0/+227
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* auth:creds: Rename CRED_USE_KERBEROS values | Andreas Schneider | 2020-11-03 | 9 | -20/+26
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* auth:creds: Add cli_credentials_init_server() | Andreas Schneider | 2020-09-07 | 2 | -0/+27
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth:gensec: If Kerberos is required, keep schannel for machine account auth | Stefan Metzmacher | 2020-09-07 | 1 | -0/+9
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth:gensec: Pass use_kerberos and keep_schannel to gensec_use_kerberos_mechs() | Stefan Metzmacher | 2020-09-07 | 1 | -12/+14
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth:gensec: Make gensec_use_kerberos_mechs() a static function | Stefan Metzmacher | 2020-09-07 | 2 | -6/+4
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth:gensec: Add gensec_security_sasl_names() | Stefan Metzmacher | 2020-09-07 | 2 | -0/+89
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* lib/util: remove extra safe_string.h file | Matthew DeVore | 2020-08-28 | 2 | -0/+4
  lib/util/safe_string.h is similar to source3/include/safe_string.h, but the former has fewer checks. It is missing bcopy, strcasecmp, and strncasecmp.

  Add the missing elements to lib/util/safe_string.h and remove the other safe_string.h which is in the source3-specific path. To accommodate existing uses of str(n?)casecmp, add #undef lines to source files where they are used.

  Signed-off-by: Matthew DeVore <matvore@google.com>
  Reviewed-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
* auth:creds: Bump library version | Andreas Schneider | 2020-08-19 | 1 | -1/+1
  We added new functions so bump the version.

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth:creds: Add python bindings for cli_credentials_set_conf() | Andreas Schneider | 2020-08-19 | 1 | -0/+41
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth:creds: Add python bindings for (get|set)_smb_encryption | Andreas Schneider | 2020-08-19 | 1 | -0/+62
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth:creds: Add cli_credentials_(get|set)_smb_encryption() | Andreas Schneider | 2020-08-19 | 3 | -0/+55
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth:creds: Add python bindings for (get|set)_smb_ipc_signing | Andreas Schneider | 2020-08-19 | 1 | -0/+56
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth:creds: Add cli_credentials_(get|set)_smb_ipc_signing() | Andreas Schneider | 2020-08-19 | 3 | -0/+60
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth:creds: Add python bindings for (get|set)_smb_signing | Andreas Schneider | 2020-08-19 | 1 | -0/+63
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth:creds: Add cli_credentials_(get|set)_smb_signing() | Andreas Schneider | 2020-08-19 | 3 | -0/+56
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth:creds: Remove unused credentials autoproto header | Andreas Schneider | 2020-08-19 | 3 | -3/+0
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth:creds: Introduce CRED_SMB_CONF | Stefan Metzmacher | 2020-08-19 | 3 | -3/+5
  We have several places where we check '> CRED_UNINITIALISED', so we better don't use CRED_UNINITIALISED for values from our smb.conf.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Fix a typo | Volker Lendecke | 2020-08-17 | 1 | -1/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Mon Aug 17 20:59:51 UTC 2020 on sn-devel-184
* gensec: Fix a typo | Volker Lendecke | 2020-08-17 | 1 | -1/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* Fix clang 9 missing-field-initializer warnings | Gary Lockyer | 2020-05-08 | 1 | -1/+1
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth | Gary Lockyer | 2020-05-04 | 1 | -1/+1
  Add maximum parse tree depth to the call to asn1_init, which will be used to limit the depth of the ASN.1 parse tree.

  Credit to OSS-Fuzz
  REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* py3: Remove #define PyInt_FromLong PyLong_FromLong | Andrew Bartlett | 2020-03-23 | 1 | -22/+22
  This allows us to end the use of Python 2/3 compatibility macros.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Noel Power
* auth:ntlmssp: Mark as weak_crypto | Andreas Schneider | 2020-03-19 | 1 | -0/+2
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gensec: Add a check if a gensec module implements weak crypto | Andreas Schneider | 2020-03-19 | 2 | -1/+13
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: Test connecting to LDAP with a "virtual user" style account | Andrew Bartlett | 2020-02-14 | 1 | -1/+51
  This type of account is often used by e-mail hosting platforms that do not wish to create an AD domain for each DNS domain that they host mail for.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13598

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Isaac Boukris <iboukris@samba.org>
* auth/gensec: map NT_STATUS_{INVALID_ACCOUNT_NAME,NO_SUCH_DOMAIN} to NT_STATUS_NO_SUCH_USER | Stefan Metzmacher | 2020-02-10 | 1 | -2/+37
  This means nt_status_squash() will map NT_STATUS_NO_SUCH_USER to LOGON_FAILURE later.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* gensec/spnego: fallback on INVALID_{ACCOUNT,COMPUTER}_NAME and NO_SUCH_DOMAIN | Stefan Metzmacher | 2020-02-10 | 1 | -0/+3
  I think it's better to handle them in spnego.c, instead of squashing them already in the gssapi/gse modules.

  This is related to KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN and KRB5_REALM_UNKNOWN.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/kerberos: add auth4_context_{for,get}_PAC_DATA_CTR() helpers | Stefan Metzmacher | 2020-02-10 | 2 | -0/+95
  This adds a generic way to get to the raw (verified) PAC and will be used in multiple places in future.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* pytests: heed assertEquals deprecation warning en-masse | Douglas Bagnall | 2020-02-07 | 1 | -3/+3
  TestCase.assertEquals() is an alias for TestCase.assertEqual() and has been deprecated since Python 2.7.

  When we run our tests in python developer mode (`PYTHONDEVMODE=1 make test`) we get 580 DeprecationWarnings about this.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Noel Power <npower@samba.org>
* auth: Simplify struct auth4_context | Volker Lendecke | 2020-01-06 | 2 | -53/+6
  The fake async code has been pushed down into the 3 users, remove the sync callback. Overall it's more lines of code, but the central interface is simplified.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Mon Jan 6 23:34:00 UTC 2020 on sn-devel-184
* smbdes: convert E_P24() and SMBOWFencrypt to use gnutls | Isaac Boukris | 2019-12-10 | 1 | -9/+22
  Signed-off-by: Isaac Boukris <iboukris@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* SMBsesskeygen_lm_sess_key: use gnutls and return NTSTATUS | Isaac Boukris | 2019-12-10 | 2 | -8/+23
  Signed-off-by: Isaac Boukris <iboukris@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:pycreds: Check return code of netlogon_creds_client_authenticator() | Andreas Schneider | 2019-11-14 | 1 | -3/+8
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* spnego: fix server handling of no optimistic exchange | Isaac Boukris | 2019-10-12 | 1 | -0/+13
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

  Signed-off-by: Isaac Boukris <iboukris@redhat.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
* spnego: add client option to omit sending an optimistic token | Isaac Boukris | 2019-10-12 | 1 | -0/+11
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

  Signed-off-by: Isaac Boukris <iboukris@redhat.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* spnego: ignore server mech_types list | Isaac Boukris | 2019-10-12 | 1 | -5/+26
  We should not use the mech list sent by the server in the last 'negotiate' packet in CIFS protocol, as it is not protected and may be subject to downgrade attacks.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

  Signed-off-by: Isaac Boukris <iboukris@redhat.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/gensec: fix AES schannel seal and unseal | Günther Deschner | 2019-10-07 | 1 | -17/+30
  Workaround bug present in gnutls 3.6.8:

  gnutls_cipher_decrypt() uses an optimization internally that breaks decryption when processing buffers with their length not being a multiple of the blocksize.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Pair-Programmed-With: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/gensec: fix non-AES schannel seal | Günther Deschner | 2019-10-07 | 1 | -0/+9
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14134

  Guenther

  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Spelling fixes s/withing/within/ | Mathieu Parent | 2019-09-01 | 1 | -2/+2
  Signed-off-by: Mathieu Parent <math.parent@gmail.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth/gensec: Use gnutls_error_to_ntstatus() in netsec_do_seal() | Andrew Bartlett | 2019-08-21 | 1 | -12/+4
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth:gensec: Use GnuTLS AES CFB8 in netsec_do_seal() | Andreas Schneider | 2019-08-21 | 1 | -1/+94
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: Use gnutls_error_to_ntstatus() consistently in schannel | Andrew Bartlett | 2019-08-21 | 1 | -9/+7
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth:gensec: Use GnuTLS AES128 CFB8 in netsec_do_seq_num() | Andreas Schneider | 2019-08-21 | 1 | -0/+40
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: Check NTSTATUS return from netlogon_creds_aes_encrypt() | Andrew Bartlett | 2019-08-21 | 1 | -7/+7
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth:ntlmssp: Use generate_random_buffer() for session keys | Andreas Schneider | 2019-08-14 | 1 | -1/+1
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
  Autobuild-Date(master): Wed Aug 14 16:26:47 UTC 2019 on sn-devel-184
* auth:ntlmssp: Use GnuTLS RC4 for ntlmssp signing | Andreas Schneider | 2019-07-26 | 2 | -43/+174
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:ntlmssp: Use GnuTLS RC4 in ntlmssp client | Andreas Schneider | 2019-07-26 | 1 | -1/+27
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>