path: root/auth
Commit message | Author | Age | Files | Lines
* krb5_wrap: Add a talloc_ctx to smb_krb5_principal_get_realm() | Volker Lendecke | 2018-11-28 | 1 | -3/+3
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Remove an unnecessary talloc_steal() | Volker Lendecke | 2018-11-28 | 1 | -1/+0
  ccc was already allocated off cred, this talloc_steal was a no-op.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Fix set_ccache with empty creds cache | Volker Lendecke | 2018-11-28 | 1 | -6/+7
  This is an extension of bb2f7e3aee7e9b8: Without this fix in the "empty ccache" case we never set cred->ccache, so the whole call to cli_credentials_set_ccache became pointless.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Fix an error path memleak | Volker Lendecke | 2018-11-28 | 1 | -0/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Only do shallow copies of valid ccaches | Volker Lendecke | 2018-11-28 | 1 | -0/+14
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth: Use dom_sid_str_buf | Volker Lendecke | 2018-11-02 | 1 | -6/+3
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth: Use dom_sid_str_buf | Volker Lendecke | 2018-11-02 | 1 | -3/+2
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth/cred/tests/bind: remove unused import | Douglas Bagnall | 2018-10-25 | 1 | -1/+0
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Noel Power <npower@samba.org>
* auth: move copy_session_info() from source3 into the global auth context | Björn Baumbach | 2018-10-11 | 3 | -2/+105
  Signed-off-by: Björn Baumbach <bb@sernet.de>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* auth: Use the zlib version of crc32 | Volker Lendecke | 2018-10-09 | 2 | -3/+6
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* build: Multi-line deps | Volker Lendecke | 2018-10-09 | 1 | -1/+8
  We'll add one in the next commit.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* PY3: fix "TabError: inconsistent use of tabs and spaces" | Noel Power | 2018-09-27 | 1 | -5/+5
  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: py2/py3 credential key needs to return bytes | Noel Power | 2018-09-05 | 1 | -1/+1
  new_client_authenticator returns a dictionary. The key 'credential' needs to return bytes in Python3; without this change the code will attempt to convert the binary data to a string (resulting sometimes in decode errors).
  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* krb5-samba: interdomain trust uses different salt principal | Alexander Bokovoy | 2018-09-05 | 1 | -4/+12
  Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where DOMAIN is the sAMAccountName without the dollar sign ($).

  The salt principal for the BLA$ user object was generated wrong.

  dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
  securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
  trustDirection: 3
  trustPartner: bla.base
  trustPosixOffset: -2147483648
  trustType: 2
  trustAttributes: 8
  flatName: BLA

  dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
  userAccountControl: 2080
  primaryGroupID: 513
  objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
  accountExpires: 9223372036854775807
  sAMAccountName: BLA$
  sAMAccountType: 805306370
  pwdLastSet: 131485652467995000

  The salt stored by Windows in the package_PrimaryKerberosBlob (within supplementalCredentials) seems to be 'W4EDOM-L4.BASEkrbtgtBLA' for the above trust and Samba stores 'W4EDOM-L4.BASEBLA$'. While the salt used when building the keys from trustAuthOutgoing/trustAuthIncoming is 'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correctly.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Sep 5 03:57:22 CEST 2018 on sn-devel-144
* PEP8: fix E305: expected 2 blank lines after class or function definition, found 1 | Joe Guo | 2018-08-24 | 1 | -0/+1
  Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* PEP8: fix E302: expected 2 blank lines, found 1 | Joe Guo | 2018-08-24 | 1 | -0/+1
  Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* PEP8: fix E128: continuation line under-indented for visual indent | Joe Guo | 2018-08-24 | 1 | -1/+1
  Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* PEP8: fix E127: continuation line over-indented for visual indent | Joe Guo | 2018-08-24 | 1 | -4/+4
  Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* json: Modify API to use return codes | Gary Lockyer | 2018-07-25 | 1 | -84/+223
  Modify the auditing JSON API to return a response code, as the consensus was that the existing error handling was aesthetically displeasing.
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* build: Move --without-json-audit and json lib detection to lib/audit_logging | Andrew Bartlett | 2018-06-25 | 1 | -35/+0
  This is the common location of the audit logging code now.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* auth: For NTLM and KDC authentication, log the authentication duration | Andrew Bartlett | 2018-06-25 | 2 | -1/+26
  This is not a general purpose profiling solution, but these JSON logs are already being generated and stored, so this is worth adding.

  Some administrators are very keen to know how long authentication takes, particularly due to long replication transactions in other processes.

  This complements a similar patch set to log the transaction duration.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* lib audit_logging: re-factor and add functions. | Gary Lockyer | 2018-06-01 | 1 | -20/+2
  Re-factor the common calls to json_dumps DEBUGC and audit_message_send into a separate function.

  Add functions to retrieve json object and json array elements.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth_log: Rename the json variables | Gary Lockyer | 2018-05-16 | 1 | -16/+16
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth_log: tidy up code formatting | Gary Lockyer | 2018-05-16 | 1 | -70/+76
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth_log: Use common code from audit_logging | Gary Lockyer | 2018-05-16 | 2 | -415/+94
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server | Stefan Metzmacher | 2018-05-16 | 2 | -19/+8
  This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!" error messages, which were generated if the client only sends NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP connection.

  This fixes a regression in the combination of commits 77adac8c3cd2f7419894d18db735782c9646a202 and 3a0b835408a6efa339e8b34333906bfe3aacd6e3.

  We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end of the authentication (as a server, while we already do so at the beginning as a client).

  As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE (as an internal flag) in order to let us work as a Windows using NTLMSSP for LDAP. Even if only signing is negotiated during the authentication the following PDUs will still be encrypted if NTLMSSP is used. This is exactly the same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL. I guess it's a bug in Windows, but we have to reimplement that bug. Note this only applies to NTLMSSP and only to LDAP! Signing only works fine for LDAP with Kerberos or DCERPC and NTLMSSP.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144
* auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option | Stefan Metzmacher | 2018-05-16 | 1 | -7/+17
  This will be used to simulate a Windows client only using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP connection, which is indicated internally by GENSEC_FEATURE_LDAP_STYLE.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* build: Make --with-json-audit the default | Andrew Bartlett | 2018-05-15 | 1 | -4/+8
  Thanks to Rowland for a clear description of the behaviour for the smb.conf manpage.

  This means that those not wanting to link to libarchive will just need to build --without-json-audit.

  In general, we prefer that optional libraries be required by default so that they are not accidentally missed, particularly in packages.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth/credentials/test: py2/py3 compat always decode result of b64encode | Noel Power | 2018-05-13 | 1 | -1/+1
  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Sun May 13 00:24:35 CEST 2018 on sn-devel-144
* pycredentials: add py_creds_get_secure_channel_type | Joe Guo | 2018-05-12 | 1 | -0/+12
  We have only set, need get.
  Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* auth log: Log the unique session GUID | Gary Lockyer | 2018-05-10 | 1 | -1/+25
  Log the unique_session_token GUID on successful Authorizations. This patch adds the "sessionID" attribute to the Authorization object and increments the version to 1.1.
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/ntlmssp_client: correct spelling of response | Douglas Bagnall | 2018-05-05 | 1 | -1/+5
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth/pycredentials: correct spelling of reponse | Douglas Bagnall | 2018-05-05 | 1 | -1/+1
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* dbwrap: Remove calls to loadparm | Volker Lendecke | 2018-04-24 | 1 | -1/+0
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Call dbwrap_local_open with the correct tdb_flags | Volker Lendecke | 2018-04-24 | 1 | -2/+3
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Call dbwrap_local_open with the correct hash size | Volker Lendecke | 2018-04-24 | 1 | -4/+13
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* build: fix build without JSON audit support | Björn Baumbach | 2018-04-20 | 1 | -1/+1
  Autobuild-User(master): Björn Baumbach <bbaumbach@samba.org>
  Autobuild-Date(master): Fri Apr 20 21:12:33 CEST 2018 on sn-devel-144
* build: add option to choose to build with or without JSON audit support | Björn Baumbach | 2018-04-18 | 2 | -16/+31
  Add a new configure option:
  --with-json-audit  Build with JSON auth audit support (default=auto). This requires the jansson devel package.

  Signed-off-by: Björn Baumbach <bb@sernet.de>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  Autobuild-User(master): <bbaumbach@samba.org>
  Autobuild-Date(master): Wed Apr 18 15:25:42 CEST 2018 on sn-devel-144
* wscript_build: make sure we link extra-python versions of libraries | Noel Power | 2018-04-13 | 1 | -1/+4
  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* Check "auth event notification" param in log_json | Arvid Requate | 2018-04-12 | 1 | -2/+11
  When Samba is compiled with JSON support it logs an error message at log level 3 by default for every authentication event:

  get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND

  This patch adjusts the log_json function to consider the smb.conf parameter "auth event notification" before calling auth_message_send.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13381
  Signed-off-by: Arvid Requate <requate@univention.de>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Apr 12 08:12:39 CEST 2018 on sn-devel-144
* credentials: Fix CID 1414796 Explicit null dereferenced | Volker Lendecke | 2018-04-11 | 1 | -0/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Wed Apr 11 21:58:00 CEST 2018 on sn-devel-144
* credentials: Fix line length | Volker Lendecke | 2018-04-11 | 1 | -1/+3
  ... just because I'll modify that line in the next commit.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Revert "credentials: Fix CID 1414796 Explicit null dereferenced" | Volker Lendecke | 2018-04-11 | 1 | -5/+0
  This reverts commit 90c02ec64d0e3c860f8d6906cf849bdd2c7bcc54.

  We have code to take care of password==NULL, this CID must be fixed in a different way.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Fix a typo | Volker Lendecke | 2018-04-05 | 1 | -1/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Fix CID 1414796 Explicit null dereferenced | Volker Lendecke | 2018-04-05 | 1 | -0/+5
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth/credentials/test: convert print func to be py2/py3 compatible | Noel Power | 2018-03-23 | 1 | -5/+6
  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth/kerberos: Fix typo in error message regarding fetching PAC using Heimdal | Matt Selsky | 2018-03-19 | 1 | -1/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13311
  Signed-off-by: Matt Selsky <matthew.selsky@twosigma.com>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: add auth_user_info_copy() function | Stefan Metzmacher | 2018-03-15 | 2 | -0/+38
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* auth:credentials: Avoid an 'else' branch | Andreas Schneider | 2018-03-01 | 1 | -3/+6
  This moves the 'return' statement to the end of the 'case' and makes clear we leave here.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:credentials: Add FALL_THROUGH statements in credentials.c | Andreas Schneider | 2018-03-01 | 1 | -1/+2
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>