summaryrefslogtreecommitdiff
path: root/auth
Commit message (Collapse)AuthorAgeFilesLines
...
* IPA DC: add missing checksAlexander Bokovoy2021-11-131-0/+1
| | | | | | | | | | | | | | | When introducing FreeIPA support, two places were forgotten: - schannel gensec module needs to be aware of IPA DC - _lsa_QueryInfoPolicy should treat IPA DC as PDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903 Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184
* auth:creds: Guess the username first via getpwuid(my_id)Andreas Schneider2021-11-101-0/+13
| | | | | | | | | | | | | If we have a container, we often don't have USER or LOGNAME set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14883 Tested-by: Anoop C S <anoopcs@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Wed Nov 10 19:11:53 UTC 2021 on sn-devel-184
* auth:creds: Remove trailing spacesAndreas Schneider2021-11-101-56/+56
| | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()Stefan Metzmacher2021-11-091-3/+6
| | | | | | | | | | We want to use this also in code without existing stackframe. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain ↵Stefan Metzmacher2021-11-091-4/+23
| | | | | | | | | | | | | | | | | | | mode (DC or member) AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set on the service account, which can only be explicitly configured, but that's an invalid configuration! We still try to support standalone servers in an MIT realm, as legacy setup. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> [jsutton@samba.org Removed knownfail entries]
* CVE-2020-25717: auth/ntlmssp: start with authoritative = 1Stefan Metzmacher2021-11-091-1/+1
| | | | | | | | | | This is not strictly needed, but makes it easier to audit that we don't miss important places. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-25722 selftest: allow for future failures in ↵Andrew Bartlett2021-11-091-2/+11
| | | | | | | | | | | BindTests.test_virtual_email_account_style_bind This allows for any failures here to be handled via the knownfail system. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* dsdb: Allow special chars like "@" in samAccountName when generating the saltAndrew Bartlett2021-10-201-6/+6
| | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
* python: Fix usage stringsJoseph Sutton2021-09-041-1/+1
| | | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth:gensec: Use lpcfg_weak_crypto()Andreas Schneider2021-08-031-2/+3
| | | | | | Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Remove unused simple.c fileAndreas Schneider2021-07-081-168/+0
| | | | | | | | This code is tested by the cmocka unit test: auth/credentials/tests/test_creds.c Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/credentials: allow credentials.Credentials to act as base classStefan Metzmacher2021-07-011-1/+1
| | | | | | | In tests it's useful to add more details. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Check return code of cli_credentials_guess()Andreas Schneider2021-06-291-2/+5
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Return bool for cli_credentials_guess()Andreas Schneider2021-06-293-15/+39
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Add sanity check for env variablesAndreas Schneider2021-06-291-18/+45
| | | | | | | CID 710829 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Check return code of cli_credentials_set_conf()Andreas Schneider2021-06-291-2/+5
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Return a bool for cli_credentials_set_conf()Andreas Schneider2021-06-293-18/+74
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Fix parameter in creds.set_named_ccache()Joseph Sutton2021-05-191-1/+2
| | | | | | | | | Use the passed-in value for 'obtained' rather than always using CRED_SPECIFIED. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth:creds: Remove unused variableJoseph Sutton2021-05-191-3/+0
| | | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth:creds:tests: Add test for cli_credentials_get_password_and_obtained()Andreas Schneider2021-04-281-0/+6
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Add cli_credentials_get_password_and_obtained()Andreas Schneider2021-04-282-0/+22
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds:tests: Add test for cli_credentials_get_username_and_obtained()Andreas Schneider2021-04-281-0/+6
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Add cli_credentials_get_username_and_obtained()Andreas Schneider2021-04-282-0/+22
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds:tests: Add test for cli_credentials_set_gensec_features()Andreas Schneider2021-04-281-0/+27
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Add obtained arg to cli_credentials_set_gensec_features()Andreas Schneider2021-04-284-6/+36
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Use 'client protection' option for smb sign and encrypt defaultsAndreas Schneider2021-04-281-0/+30
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib:param: Add 'client protection' config optionAndreas Schneider2021-04-281-0/+7
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds:tests: Add test for cli_credentials_set_kerberos_state()Andreas Schneider2021-04-281-0/+42
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Add obtained arg to cli_credentials_set_kerberos_state()Andreas Schneider2021-04-288-17/+44
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* python: remove all 'from __future__ import print_function'Douglas Bagnall2021-04-281-1/+0
| | | | | | | | | | | | | | | | This made Python 2's print behave like Python 3's print(). In some cases, where we had: from __future__ import print_function """Intended module documentation...""" this will have the side effect of making the intended module documentation work as the actual module documentation (i.e. becoming __doc__), because it is once again the first statement in the module. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gensec: Slightly simplify gensec_generate_session_info_pac()Volker Lendecke2021-04-271-11/+19
| | | | | | | Reduce indentation by an early error return and by introducing a helper variable. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/credentials: Remove unneeded try/except syntaxJoseph Sutton2021-04-071-10/+4
| | | | | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Apr 7 10:24:17 UTC 2021 on sn-devel-184
* auth/credentials: Add test for binding with an extended canonical nameJoseph Sutton2021-04-071-0/+12
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth/credentials: Add test for binding with a canonical nameJoseph Sutton2021-04-071-0/+9
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth/credentials: Add test for binding with a domain SIDJoseph Sutton2021-04-071-1/+14
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=10319 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* gensec: Remove gensec_security_all(), it was only used internallyVolker Lendecke2021-04-062-9/+2
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth:creds: Free the uname pointer in cli_credentials_parse_string()Andreas Schneider2021-03-241-0/+6
| | | | | | | | | | The data is duplicated and we don't need it anymore. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Mar 24 03:13:05 UTC 2021 on sn-devel-184
* auth:creds: Don't include credentials_internal.h twiceAndreas Schneider2021-03-241-1/+0
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Use our own cli_credentials_set_cmdline_callbacks()Andreas Schneider2021-03-242-3/+2
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
* auth:creds: Add command line function for standard password callbackAndreas Schneider2021-03-243-0/+79
| | | | | | | Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
* s4:lib:cmdline: Rename cli_credentials_set_cmdline_callbacks()Andreas Schneider2021-03-241-1/+1
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
* auth:creds: Add cli_credentials_dump()Andreas Schneider2020-12-163-0/+166
| | | | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Noel Power <noel.power@suse.com> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Wed Dec 16 13:56:49 UTC 2020 on sn-devel-184
* auth: Align an integer typeVolker Lendecke2020-11-101-1/+1
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* Revert "cli_credentials: add a helper to parse user or group names"Alexander Bokovoy2020-11-053-75/+0
| | | | This reverts commit 00f4262ed0b22f6e333e5a29c5590b62c783905c.
* Revert "cli_credentials_parse_string: fix parsing of principals"Alexander Bokovoy2020-11-052-3/+4
| | | | This reverts commit eb0474d27bae4592b25ac6bf600da29c6a1cb9f8.
* cli_credentials: add a helper to parse user or group namesAlexander Bokovoy2020-11-043-0/+75
| | | | | | | | | | | | | | | | | | | | | cli_credentials_parse_string() parses a string specified for -U option in command line tools. It has a side-effect that '%' character is always considered to be a separator after which a password is specified. Active Directory does allow to create user or group objects with '%' in the name. It means cli_credentials_parse_string() will not be able to properly parse such name. Introduce cli_credentials_parse_name() for the cases when a password is not expected in the name and call to cli_credentials_parse_name() from cli_credentials_parse_string(). Test cli_credentials_parse_name() with its intended use in lookup_name() refactoring. Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* cli_credentials_parse_string: fix parsing of principalsAlexander Bokovoy2020-11-042-4/+3
| | | | | | | | | | | | | | | | | | | When parsing a principal-like name, user name was left with full principal instead of taking only the left part before '@' sign. >>> from samba import credentials >>> t = credentials.Credentials() >>> t.parse_string('admin@realm.test', credentials.SPECIFIED) >>> t.get_username() 'admin@realm.test' The issue is that cli_credentials_set_username() does a talloc_strdup() of the argument, so we need to change order of assignment to allow talloc_strdup() to copy the right part of the string. Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth:creds:tests: Migrate test to a cmocka unit testAndreas Schneider2020-11-032-0/+227
| | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
* auth:creds: Rename CRED_USE_KERBEROS valuesAndreas Schneider2020-11-039-20/+26
| | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
* auth:creds: Add cli_credentials_init_server()Andreas Schneider2020-09-072-0/+27
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
View Lorry Controller Status