path: root/auth

Commit log (commit message, author, date, files changed, lines -/+):
* lib:audit_logging: Add function to add flags to a JSON message
  Joseph Sutton, 2023-05-18, 1 file changed, -14/+4

  This replaces a couple of calls to snprintf() in log_authentication_event_json() and log_successful_authz_event_json() respectively.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Fix leaks
  Joseph Sutton, 2023-05-18, 1 file changed, -13/+64

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Correct parameter order in header
  Joseph Sutton, 2023-05-18, 1 file changed, -1/+1

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Remove unnecessary return statements
  Joseph Sutton, 2023-05-18, 1 file changed, -4/+0

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: Add set_nt_hash()
  Joseph Sutton, 2023-05-05, 1 file changed, -0/+33

  This method allows setting the NT hash directly. This is useful in cases where we don't know the password, such as with a computer or server account.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth/credentials: Fix NULL dereference
  Joseph Sutton, 2023-05-05, 1 file changed, -0/+5

  We should not pass a NULL pointer to netlogon_creds_session_encrypt().

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth/credentials: Allow resetting bind DN on Credentials object
  Joseph Sutton, 2023-05-05, 1 file changed, -1/+1

  Passing None into set_bind_dn() now resets it.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* Add ROLE_IPA_DC into two more places
  Alexander Bokovoy, 2023-04-25, 1 file changed, -0/+1

  Missed two more places originally when introducing ROLE_IPA_DC.

  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
  Autobuild-Date(master): Tue Apr 25 07:46:36 UTC 2023 on atb-devel-224
* auth: Add cli_credentials_is_password_nt_hash()
  Andreas Schneider, 2023-04-05, 2 files changed, -0/+6

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Remove trailing white spaces in credentials_ntlm.c
  Andreas Schneider, 2023-04-05, 1 file changed, -14/+14

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Remove trailing white spaces in credentials.h
  Andreas Schneider, 2023-04-05, 1 file changed, -41/+41

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Fix code spelling
  Andreas Schneider, 2023-03-28, 15 files changed, -20/+20

  Best reviewed with: `git show --word-diff`

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Rowland Penny <rpenny@samba.org>

* auth: Clear EXTRA_SIDS flag if no Extra SIDs are present
  Joseph Sutton, 2023-03-20, 1 file changed, -0/+1

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth/credentials: Fix typos
  Joseph Sutton, 2023-03-03, 1 file changed, -3/+3

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: Fix off-by-one buffer write
  Joseph Sutton, 2023-03-03, 1 file changed, -1/+1

  If p == pass + 127, assigning to '*++p' writes beyond the array.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Free empty SID arrays
  Joseph Sutton, 2023-02-08, 1 file changed, -1/+5

  In the unlikely event that these arrays are empty, they can be freed early.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Discard non-base SIDs when creating SamInfo2
  Joseph Sutton, 2023-02-08, 1 file changed, -0/+6

  Our SamLogon tests are now all passing.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Correct primary group handling
  Joseph Sutton, 2023-02-08, 1 file changed, -6/+2

  Heretofore we have treated the primary group SID specially, storing it in a fixed position as the second element of the user_info_dc->sids array, and filtering out other copies in the PAC_LOGON_INFO base structure.

  This filtering has made it difficult to distinguish between the case where the primary group is a universal or global group, located in the base RIDs, and the case where it is a domain-local group, missing from the base RIDs; especially since the attributes of a domain-local primary group are lost by being stored in the PAC.

  Domain-local primary groups are normally disallowed by Windows, but are allowed by Samba, and so it is reasonable to support them with at least some measure of consistency.

  The second element of user_info_dc->sids is still reserved for the primary group's SID, but we no longer filter out any other copies in the array. The first two elements are no more than the SIDs of the user and the primary group respectively; and the remaining SIDs are as if taken without modification from arrays of SIDs in the PAC.

  user_info_dc->sids should therefore become a more faithful representation of the SIDs in the PAC. After adding resource SIDs to it with dsdb_expand_resource_groups(), we should have a result that more closely and in more cases matches that of Windows.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: Make more liberal use of SID index constants
  Joseph Sutton, 2023-02-08, 3 files changed, -8/+8

  Arrays of SIDs are handled not fully consistently throughout the codebase. Sometimes SIDs in the first and second positions represent a user and a primary group respectively; other times they don't mean anything in particular. Using these index constants in situations of the former sort can help to clarify our intent.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Shorten long SID flags combinations
  Joseph Sutton, 2023-02-08, 2 files changed, -10/+4

  The combination MANDATORY | ENABLED_BY_DEFAULT | ENABLED is very commonly used, and introducing a shorter alias for it makes the code clearer.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* s4:kdc: Add resource SID compression
  Joseph Sutton, 2023-02-08, 2 files changed, -39/+267

  The domain-local groups that are added to the PAC of a service ticket are now, if the service doesn't disclaim support for SID compression, placed into the resource groups structure in PAC_LOGON_INFO.

  In a TGS exchange directed to a KDC, rather than to a service, the resource groups structure is simply copied into the updated PAC without any processing being done.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Pass through entire PAC flags value in auth_user_info
  Joseph Sutton, 2023-02-08, 1 file changed, -6/+9

  Besides the NETLOGON_GUEST bit indicating whether the user has been authenticated, we now carry all of the other bits as well. This lets us match Windows' behaviour of simply passing these bits through to an updated PAC when processing a TGS-REQ.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: Only process resource groups if NETLOGON_RESOURCE_GROUPS flag is set
  Joseph Sutton, 2023-02-08, 1 file changed, -2/+0

  MS-PAC section 2.5 states that if the resource_groups member is non-NULL, or resource_groups.groups.count is not zero, the NETLOGON_RESOURCE_GROUPS flag MUST be set. Thus, there's no need to process resource groups if the flag is not set.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Remove early return from make_user_info_dc_pac()
  Joseph Sutton, 2023-02-08, 1 file changed, -6/+1

  'rg' is never NULL, so this codepath is never taken. But if it were, we would return early and entirely neglect filling in the UPN_DNS_INFO from the 'pac_upn_dns_info' parameter. So remove the early return.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Exclude resource groups from a TGT
  Joseph Sutton, 2023-02-08, 2 files changed, -3/+31

  Resource group SIDs should only be placed into a service ticket, but we were including them in all tickets. Now that we have access to the group attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if we're creating a TGT.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Store group attributes in auth_user_info_dc
  Joseph Sutton, 2023-02-08, 1 file changed, -24/+35

  Group expansion, performed in dsdb_expand_nested_groups(), now incorporates a check of the type of each group. Those that are resource groups receive the SE_GROUP_RESOURCE bit in the attributes which are now carried alongside each group SID.

  Whereas before, in auth_convert_user_info_dc_sambaseinfo() and auth_convert_user_info_dc_saminfo6(), we invariantly used the flag combination SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED to set attributes in the PAC, we now take the correct attributes from user_info_dc.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: Fix uninitialized data
  Pavel Filipenský, 2023-02-06, 1 file changed, -1/+3

  Fixing Red Hat internal covscan report: Field "salt_data.magic" is uninitialized when calling "smb_krb5_create_key_from_string".

  Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* auth/credentials: Fix trailing whitespace
  Pavel Filipenský, 2023-02-06, 1 file changed, -44/+44

  Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* auth/creds: fix a typo in a comment
  Björn Baumbach, 2023-01-17, 1 file changed, -1/+1

  Signed-off-by: Björn Baumbach <bb@sernet.de>
  Reviewed-by: Ralph Boehme <slow@samba.org>

* build: Remove unused dependencies
  Joseph Sutton, 2022-11-08, 1 file changed, -1/+1

  We don't need to include these any more, and removing them allows us to simplify the build system for system Heimdal builds.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
  Joseph Sutton, 2022-07-27, 2 files changed, -2/+2

  This field may be used to convey whether we were provided with a TGT or a non-TGT. We ensure both structures are zeroed out to avoid incorrect results being produced by an uninitialised field.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* auth/credentials: Add get_aes256_key()
  Joseph Sutton, 2022-06-26, 1 file changed, -0/+56

  This makes it possible to generate AES256 keys in Python from a given password and salt.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth/credentials: Add cli_credentials_get_aes256_key()
  Joseph Sutton, 2022-06-26, 2 files changed, -0/+70

  This allows us to generate AES256 keys from a given password and salt.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* s4-auth: For LDAP simple bind, fall back to checking the ENCTYPE_AES256_CTS_HMAC_SHA1_96 if stored
  Andrew Bartlett, 2022-06-26, 1 file changed, -0/+3

  Since we don't store a salt per-key, but only a single salt, when we do not have the NT hash in the unicodePwd (e.g. ntlm auth = disabled), the check will fail for a previous password if the account was renamed prior to a newer password being set.

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* spelling: connnect encrytion exisit expection explicit invalide missmatch paramater paramter partion privilige relase reponse seperate unkown verson authencication progagated
  Michael Tokarev, 2022-06-10, 1 file changed, -2/+2

  Tree-wide spellcheck for some common misspellings.

  source3/utils/status.c has a misspelled local variable (unkown_dialect).

  "missmatch" is a known historical misspelling, only the incorrect misspellings are fixed.

  source3/locale/net/de.po has the spelling error (unkown) in two msgids - it probably should be updated with current source.

  Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* lib/util: Change function to mem_equal_const_time()
  Joseph Sutton, 2022-06-09, 4 files changed, -13/+13

  Since memcmp_const_time() doesn't act as an exact replacement for memcmp(), and its return value is only ever compared with zero, simplify it and emphasize the intention of checking equality by returning a bool instead.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Use constant-time memcmp when comparing sensitive buffers
  Joseph Sutton, 2022-06-09, 4 files changed, -7/+7

  This helps to avoid timing attacks.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: Covscan: unchecked return value for cli_credentials_set_smb_encryption()
  Pavel Filipenský, 2022-05-14, 1 file changed, -1/+1

  Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

* auth: Fix trailing whitespace in pycredentials.c
  Pavel Filipenský, 2022-05-14, 1 file changed, -4/+4

  Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

* auth/credentials: Add encrypt_samr_password()
  Joseph Sutton, 2022-03-18, 1 file changed, -1/+42

  This method encrypts a samr_Password structure with the current session key, which allows for interactive SamLogon from Python.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

* auth: Add required headers to auth_sam_reply.h
  Andreas Schneider, 2022-03-17, 1 file changed, -0/+4

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* auth: let auth logging prefer user_info->orig_client.{account,domain}_name if available
  Stefan Metzmacher, 2022-03-10, 2 files changed, -5/+17

  The optional user_info->orig_client.{account,domain}_name are the ones really used by the client and should be used in audit logging. But we still fall back to user_info->client.{account,domain}_name.

  This will be important for the next commit.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* s4:auth: rename user_info->mapped_state to user_info->cracknames_called
  Stefan Metzmacher, 2022-03-10, 1 file changed, -1/+1

  This makes it much clearer what it is used for and it is a special hack for authenticate_ldap_simple_bind_send() in order to avoid some additional work in authsam_check_password_internals().

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth/ntlmssp: don't set mapped_state explicitly in auth_usersupplied_info
  Stefan Metzmacher, 2022-03-10, 1 file changed, -1/+0

  We already use talloc_zero() and mapped_state will be removed in the next commits.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth: Cope with NULL upn_name in PAC
  Joseph Sutton, 2022-03-01, 1 file changed, -5/+7

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/ntlmssp: make sure we return INVALID_PARAMETER for NTLMv2_RESPONSE parsing errors
  Stefan Metzmacher, 2022-01-04, 1 file changed, -0/+8

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Jan 4 20:57:41 UTC 2022 on sn-devel-184

* auth/credentials: cli_credentials_set_ntlm_response() pass session_keys
  Stefan Metzmacher, 2022-01-04, 3 files changed, -9/+64

  Otherwise cli_credentials_get_ntlm_response() will return session keys with a 0 length, which leads to errors in the NTLMSSP code.

  This wasn't noticed as cli_credentials_set_ntlm_response() has no callers yet, but that will change in the next commits.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* auth: Fix a typo in auth/gensec/ncalrpc.c
  Volker Lendecke, 2021-12-10, 1 file changed, -1/+1

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

* auth/credentials: Fix cli_credentials_shallow_ccache error case
  Stefan Metzmacher, 2021-12-09, 1 file changed, -3/+8

  Avoid dangling values if something fails...

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

* auth/credentials: Handle ENOENT when obtaining ccache lifetime
  Stefan Metzmacher, 2021-12-09, 1 file changed, -1/+1

  The new Heimdal may return ENOENT instead of KRB5_CC_END.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>