path: root/source3/libads
Commit log (commit message; author; date; files changed; lines -removed/+added)
* libads: Fix the build --without-ads
  Volker Lendecke, 2018-04-20, 1 file, -0/+4
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
  Autobuild-User(master): David Disseldorp <ddiss@samba.org>
  Autobuild-Date(master): Tue Feb 6 02:47:44 CET 2018 on sn-devel-144
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13273
  (cherry picked from commit 859698d29b547217356851094ed8188236e717b6)
* s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here.
  Jeremy Allison, 2018-03-22, 1 file, -0/+9
  Thanks to Isaac Boukris <iboukris@gmail.com> for finding the issue and testing this fix.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13244
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Fri Jan 26 02:25:20 CET 2018 on sn-devel-144
  (cherry picked from commit e7425bd5245ffea68b7e8f794c9b5f864d103769)
* s3:libads: net ads keytab list fails with "Key table name malformed"
  Noel Power, 2017-12-05, 1 file, -1/+5
  When keytab_name is NULL, don't call smb_krb5_kt_open; use ads_keytab_open instead, as this function will determine the correct keytab to use.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166
  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 3048ae318fc8b4d1b7663826972306372430a463)
* s3:libads: Fix changing passwords with Kerberos
  Andreas Schneider, 2017-08-28, 1 file, -1/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
  (cherry picked from commit b81ca4f9dcbb378a95fb3ac31bfd9a1cbe505d7d)
* s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()
  Stefan Metzmacher, 2017-06-27, 1 file, -16/+90
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
  Stefan Metzmacher, 2017-06-27, 2 files, -100/+0
  These don't use any krb5_context related functions and they just work on secrets.tdb, so they really belong to machine_account_secrets.c.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
  Stefan Metzmacher, 2017-06-27, 2 files, -10/+0
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()
  Stefan Metzmacher, 2017-06-27, 1 file, -6/+8
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: provide a simpler kerberos_fetch_salt_princ() function
  Stefan Metzmacher, 2017-06-27, 2 files, -3/+9
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
  Stefan Metzmacher, 2017-06-27, 1 file, -33/+4
  The handling for per encryption type salts was removed in Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone has such an installation that got constantly upgraded over 10 years with an automatic password change nor rejoin.
  It also means that the KDC only has a salt-less arcfour-hmac-md5 key together with the salted des keys. So there would only be a problem if the client would try to use a des key to contact the smb server.
  Having this legacy code adds quite some complexity for no good reason.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: remove unused kerberos_secrets_store_salting_principal()
  Stefan Metzmacher, 2017-06-27, 2 files, -75/+0
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* libads: Decide to have no fallback option
  Garming Sam, 2017-05-30, 1 file, -0/+5
  Before this change, it would always possibly choose another server at random despite later using the original principal when it got back to the connection initialization in the winbind connection manager. This caused bizarre authentication failures.
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libads: Check cldap flags in libads/ldap
  Garming Sam, 2017-05-30, 3 files, -1/+52
  Pass down request flags and check they are respected with the response flags. Otherwise, error out and pretend the connection never happened.
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libads: abstract out SASL wrapping code
  Alexander Bokovoy, 2017-05-17, 5 files, -180/+207
  Prepare for rebasing libads on top of libsmbldap. To make libads use 'struct smbldap_state' instead of a direct LDAP structure, we need to abstract out libads logic from connection handling.
  SASL wrapping does not really depend on availability of an LDAP handle and does not need direct access to ADS_STRUCT. As a result, we'll be able to move SASL wrapping code under smbldap once the latter is able to pass settings that libads passes to the SASL wrapping.
  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth: Add logging of service authorization
  Andrew Bartlett, 2017-03-29, 1 file, -0/+3
  In ntlm_auth.c and authdata.c, the session info will be incomplete.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds()
  Andreas Schneider, 2017-03-22, 1 file, -169/+0
  There is no way we can get a better error code out of this. The original function called was krb5_get_init_creds_opt_get_error(), which has been deprecated in 2008.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Uri Simchoni <uri@samba.org>
* s3:libads: Correctly handle the keytab kerberos methods
  Andreas Schneider, 2017-03-14, 1 file, -12/+57
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlet <abartlet@samba.org>
* Correct "ommited" typos.
  Chris Lamb, 2017-03-13, 1 file, -1/+1
  Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libads: convert to use smb_gss_krb5_import_cred
  Alexander Bokovoy, 2017-03-08, 1 file, -1/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3-libads: Do not leak the msg on error
  Andreas Schneider, 2017-03-08, 1 file, -3/+5
  ldap_search_ext_s manpage states:
    Note that res parameter of ldap_search_ext_s should be freed with ldap_msgfree() regardless of return value of these functions.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Ralph Böhme <slow@samba.org>
  Autobuild-Date(master): Wed Mar 8 14:59:35 CET 2017 on sn-devel-144
* s3:libads: remove unused fallback to gss_acquire_cred()
  Stefan Metzmacher, 2017-03-06, 1 file, -27/+0
  Heimdal and all supported versions of MIT krb5 provide gss_krb5_import_cred(), so we don't need an #ifdef here.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Mon Mar 6 11:44:54 CET 2017 on sn-devel-144
* s3:libads: add more debugging to ads_sasl_spnego_bind()
  Stefan Metzmacher, 2017-02-24, 1 file, -1/+25
  Any fallbacks to other authentication methods should be logged.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* Correct "occured" typos.
  Chris Lamb, 2017-02-22, 1 file, -1/+1
  Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s3:libads: use trust_pw_new_value() for krb5 machine passwords
  Stefan Metzmacher, 2017-02-21, 1 file, -3/+6
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* libads: Use "all_zero" where appropriate
  Volker Lendecke, 2017-01-03, 1 file, -24/+6
  ... Saves a few bytes of footprint
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* s3:libads: Include system /etc/krb5.conf if we use MIT Kerberos
  Andreas Schneider, 2016-12-02, 1 file, -6/+19
  The system /etc/krb5.conf defines some defaults like:
    default_ccache_name = KEYRING:persistent:%{uid}
  We need to respect that, so we should include it in our own created krb5.conf file.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* s3-libads: Fix canonicalization support with MIT Kerberos
  Andreas Schneider, 2016-12-02, 1 file, -1/+12
  This allows authenticating using user@DOMAIN against an AD DC.
  https://bugzilla.samba.org/show_bug.cgi?id=12457
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Fri Dec 2 00:23:02 CET 2016 on sn-devel-144
* lib: Fix an uninitialized variable
  Volker Lendecke, 2016-10-19, 1 file, -0/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3: cldap: cldap_multi_netlogon_send() fails with one bad IPv6 address.
  Jeremy Allison, 2016-10-18, 1 file, -2/+15
  Analysis by: Rebecca Gellman <rebecca@starfleet-net.co.uk>
  Ignore cldap_socket_init() failure when sending multiple cldap netlogon requests. Allow cldap_netlogon_send() to catch the bad address and correctly return through a tevent subreq.
  Make sure cldap_search_send() copes with cldap parameter == NULL.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12381
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Ralph Böhme <slow@samba.org>
  Autobuild-Date(master): Tue Oct 18 02:16:20 CEST 2016 on sn-devel-144
* s3:libads: don't use MEMORY:ads_sasl_spnego_bind nor set "KRB5CCNAME"
  Stefan Metzmacher, 2016-10-13, 1 file, -6/+0
  Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Uri Simchoni <uri@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu Oct 13 00:35:21 CEST 2016 on sn-devel-144
* s3:libads: don't use MEMORY:ads_sasl_gssapi_do_bind nor set "KRB5CCNAME"
  Stefan Metzmacher, 2016-10-12, 1 file, -5/+0
  Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Uri Simchoni <uri@samba.org>
* werror: replace WERR_NOMEM with WERR_NOT_ENOUGH_MEMORY in source3/libads/ldap_printer.c
  Günther Deschner, 2016-09-28, 1 file, -1/+1
  Guenther
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3-libads: Do not use deprecated krb5_change_password()
  Andreas Schneider, 2016-09-01, 1 file, -6/+8
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Sep 1 00:43:51 CEST 2016 on sn-devel-144
* s3-libads: Do not use deprecated krb5_get_init_creds_opt_init()
  Andreas Schneider, 2016-08-31, 1 file, -8/+17
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-libads: Support for MIT Kerberos ntstatus from init_creds
  Andreas Schneider, 2016-08-31, 1 file, -6/+11
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-libads: Use non-deprecated function to get the error
  Andreas Schneider, 2016-08-31, 1 file, -25/+34
  krb5_get_init_creds_opt_get_error is deprecated.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-libads: Rename smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt()
  Andreas Schneider, 2016-08-31, 1 file, -6/+13
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* krb5_wrap: Move unwrap_edata_ntstatus() and make it static
  Andreas Schneider, 2016-08-31, 1 file, -0/+48
  This also removes the asn1util dependency from krb5_wrap and moves it to libads, which is the only user.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* krb5_wrap: Rename smb_krb5_open_keytab()
  Andreas Schneider, 2016-08-31, 1 file, -8/+8
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* krb5_wrap: Rename smb_get_enctype_from_kt_entry()
  Andreas Schneider, 2016-08-31, 1 file, -1/+1
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* krb5_wrap: Remove unneeded smb_krb5_get_init_creds_opt_free()
  Andreas Schneider, 2016-08-31, 1 file, -2/+2
  Call the Kerberos function directly.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* krb5_wrap: Remove unneeded smb_krb5_get_init_creds_opt_alloc()
  Andreas Schneider, 2016-08-31, 1 file, -1/+1
  Call the Kerberos function directly.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* krb5_wrap: Rename cli_krb5_get_ticket()
  Andreas Schneider, 2016-08-31, 1 file, -9/+9
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* krb5_wrap: Rename kerberos_free_data_contents()
  Andreas Schneider, 2016-08-31, 1 file, -4/+4
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libads: use "kerberos encryption types" parameter
  Uri Simchoni, 2016-08-09, 1 file, -26/+80
  When creating the custom krb.conf file, list etypes according to kerberos encryption types.
  Also use proper directives for heimdal (heimdal recognizes the MIT etype directives, but does not act upon them).
  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libads: improve debug messages in sitename_fetch()
  Michael Adam, 2016-07-12, 1 file, -4/+3
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Tue Jul 12 21:23:48 CEST 2016 on sn-devel-144
* libads: ensure the right ccache is used during spnego bind
  Stefan Metzmacher, 2016-07-12, 1 file, -9/+20
  When doing spnego sasl bind:
  1. Try working without kinit only if a password is not provided
  2. When using kinit, ensure the KRB5CCNAME env var is set to a private memory ccache, so that the bind is on behalf of the requested user.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Uri Simchoni <uri@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Tue Jul 12 03:23:33 CEST 2016 on sn-devel-144
* libads: ensure the right ccache is used during gssapi bind
  Stefan Metzmacher, 2016-07-11, 1 file, -7/+16
  When doing gssapi sasl bind:
  1. Try working without kinit only if a password is not provided
  2. When using kinit, ensure the KRB5CCNAME env var is set to a private memory ccache, so that the bind is on behalf of the requested user.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Uri Simchoni <uri@samba.org>
* s3-libads: fix a memory leak in ads_sasl_spnego_bind()
  Uri Simchoni, 2016-07-05, 1 file, -1/+4
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12006
  Signed-off-by: Uri Simchoni <uri@samba.org>
  Signed-off-by: Richard Sharpe <rsharpe@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
* s3: krb5: keytab - The done label can be jumped to with context == NULL.
  Jeremy Allison, 2016-06-09, 1 file, -10/+8
  Ensure we don't crash in this case.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11959
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Uri Simchoni <uri@samba.org>
  Autobuild-User(master): Uri Simchoni <uri@samba.org>
  Autobuild-Date(master): Thu Jun 9 13:18:56 CEST 2016 on sn-devel-144