path: root/source4/auth
Commit message [Author, Age, Files, Lines]
* build: make LIBWBCLIENT_OLD and auth_unix_token libraries [Andrew Bartlett, 2011-09-08, files: 1, lines: -5/+6]
| This assists with avoiding duplicate symbols.
| Andrew Bartlett
* s4:auth/gensec: gensec.h was moved to gensec_runtime [Stefan Metzmacher, 2011-09-06, files: 1, lines: -1/+1]
| metze
* gensec: Install header file. [Jelmer Vernooij, 2011-08-21, files: 1, lines: -0/+1]
|
* samba-credentials: Add pkg-config file. [Jelmer Vernooij, 2011-08-21, files: 2, lines: -0/+12]
|
* credentials: Rename library to samba-credentials to avoid name clashes. [Jelmer Vernooij, 2011-08-18, files: 5, lines: -14/+14]
| Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
| Autobuild-Date: Thu Aug 18 22:16:38 CEST 2011 on sn-devel-104
* Use public pytalloc header file. [Jelmer Vernooij, 2011-08-14, files: 1, lines: -1/+1]
| Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
| Autobuild-Date: Sun Aug 14 17:18:46 CEST 2011 on sn-devel-104
* s4:misc: remove last usage of legacy event_ fn names [Simo Sorce, 2011-08-14, files: 1, lines: -3/+3]
| Autobuild-User: Simo Sorce <idra@samba.org>
| Autobuild-Date: Sun Aug 14 00:38:13 CEST 2011 on sn-devel-104
* pytalloc: Use consistent prefix for functions, add ABI file. [Jelmer Vernooij, 2011-08-10, files: 5, lines: -56/+56]
|
* s4:pycredentials: PyArg_ParseTuple("i") requires an 'int' argument. [Stefan Metzmacher, 2011-08-08, files: 1, lines: -6/+30]
| If we pass variable references we don't get implicit casting!
| metze
* build: Make credentials a public library for OpenChange to use [Andrew Bartlett, 2011-08-08, files: 1, lines: -1/+1]
| Autobuild-User: Andrew Bartlett <abartlet@samba.org>
| Autobuild-Date: Mon Aug 8 14:53:53 CEST 2011 on sn-devel-104
* build: provide tevent-util as a public library [Andrew Bartlett, 2011-08-08, files: 2, lines: -2/+2]
| This is needed so that OpenChange can get at _tevent_req_nterr(), which is referenced by generated PIDL output.
| Andrew Bartlett
* pyldb: Consistently use pyldb_ prefix. [Jelmer Vernooij, 2011-08-07, files: 1, lines: -3/+3]
|
* ntlmssp: Add ntlmssp_blob_matches_magic() [Andrew Bartlett, 2011-08-03, files: 1, lines: -1/+1]
| This avoids having the same check in 3 different parts of the code
| Andrew Bartlett
| Autobuild-User: Andrew Bartlett <abartlet@samba.org>
| Autobuild-Date: Wed Aug 3 12:45:04 CEST 2011 on sn-devel-104
* gensec: Don't keep a second copy of the auth4_context in gensec_ntlmssp_state [Andrew Bartlett, 2011-08-03, files: 2, lines: -7/+4]
| The auth4_context is already in the gensec_security structure, which is available by de-reference here anyway.
| Andrew Bartlett
| Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-ntlmssp Add hooks to optionally call into GENSEC in auth_ntlmssp [Andrew Bartlett, 2011-08-03, files: 2, lines: -0/+2]
| This allows the current behaviour of the NTLMSSP code to be unchanged while adding a way to hook in an alternate implementation via an auth module.
| Andrew Bartlett
| Signed-off-by: Andrew Tridgell <tridge@samba.org>
* gensec: clarify memory ownership for gensec_session_info() and gensec_session_key() [Andrew Bartlett, 2011-08-03, files: 8, lines: -45/+37]
| This is slightly less efficient, because we no longer keep a cache on the gensec structures, but much clearer in terms of memory ownership. Both gensec_session_info() and gensec_session_key() now take a mem_ctx and put the result only on that context.
| Some duplication of memory in the callers (who were rightly uncertain about who was the rightful owner of the returned memory) has been removed to compensate for the internal copy.
| Andrew Bartlett
* gensec: Remove mem_ctx from calls that do not return memory [Andrew Bartlett, 2011-08-03, files: 4, lines: -18/+11]
| Signed-off-by: Andrew Tridgell <tridge@samba.org>
* gensec: split GENSEC into mechanism-dependent and runtime functions [Andrew Bartlett, 2011-08-03, files: 9, lines: -923/+172]
| The startup and runtime functions that have no dependencies are moved into the top level.
| Andrew Bartlett
| Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s4-auth Fill in the remainder of the unix info in auth_session_info [Andrew Bartlett, 2011-07-29, files: 2, lines: -5/+45]
| Signed-off-by: Andrew Tridgell <tridge@samba.org>
| Autobuild-User: Andrew Bartlett <abartlet@samba.org>
| Autobuild-Date: Fri Jul 29 05:33:03 CEST 2011 on sn-devel-104
* s4-auth Move conversion of security_token to unix_token to auth [Andrew Bartlett, 2011-07-29, files: 6, lines: -7/+125]
| This allows us to honour the AUTH_SESSION_INFO_UNIX_TOKEN flag.
| Andrew Bartlett
| Signed-off-by: Andrew Tridgell <tridge@samba.org>
* gensec: Add a way to request a unix token from GENSEC [Andrew Bartlett, 2011-07-29, files: 3, lines: -5/+14]
| Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s4auth: Fix the object name for Py_Security [Amitay Isaacs, 2011-07-28, files: 1, lines: -1/+1]
| Use the object names as <modulename>.<objectname> to correctly generate the object hierarchy in pydoc.
| Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s4auth: Fix the object names for PyCredentials and PyCredentialCacheContainer [Amitay Isaacs, 2011-07-28, files: 1, lines: -2/+2]
| Use the object names as <modulename>.<objectname> to correctly generate the object hierarchy in pydoc.
| Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s4auth: Remove duplicate assignment of structure variable [Amitay Isaacs, 2011-07-28, files: 1, lines: -1/+0]
| Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s4:auth/kerberos: activate windows related krb5 flags [Stefan Metzmacher, 2011-07-25, files: 1, lines: -0/+10]
| metze
| Autobuild-User: Stefan Metzmacher <metze@samba.org>
| Autobuild-Date: Mon Jul 25 09:45:01 CEST 2011 on sn-devel-104
* auth: Split out make_user_info_SamBaseInfo and add authenticated argument [Andrew Bartlett, 2011-07-20, files: 2, lines: -2/+6]
| This will allow the source3 auth code to call this without needing to double-parse the SIDs
| Andrew Bartlett
| Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s4:auth/credentials: with the build after heimdal import [Stefan Metzmacher, 2011-07-15, files: 1, lines: -0/+1]
| metze
* s4:kdc: implement samba_kdc_check_s4u2proxy() [Stefan Metzmacher, 2011-06-24, files: 1, lines: -0/+1]
| metze
* s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs [Stefan Metzmacher, 2011-06-22, files: 1, lines: -1/+48]
| If the KDC does not support S4U2Proxy, it might return a ticket for the TGT client principal.
| metze
* s4:auth/kerberos: add S4U2Proxy support to kerberos_kinit_password_cc() [Stefan Metzmacher, 2011-06-22, files: 3, lines: -5/+134]
| For S4U2Proxy we need to use the ticket from the S4U2Self stage and ask the kdc for the delegated ticket for the target service.
| metze
* s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs [Stefan Metzmacher, 2011-06-22, files: 1, lines: -1/+47]
| Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets which belong to the client principal of the TGT.
| metze
| Autobuild-User: Stefan Metzmacher <metze@samba.org>
| Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104
* s4:auth/kerberos: remove one indentation level in kerberos_kinit_password_cc() [Stefan Metzmacher, 2011-06-22, files: 1, lines: -94/+99]
| This will make the following changes easier to review.
| metze
* s4:auth/kerberos: reformat kerberos_kinit_password_cc() [Stefan Metzmacher, 2011-06-22, files: 1, lines: -32/+41]
| In order to make the following changes easier to review.
| metze
* s4:auth/kerberos: don't mix s4u2self creds with machine account creds [Stefan Metzmacher, 2011-06-22, files: 1, lines: -24/+76]
| It's important that we don't store the tgt for the machine account in the same krb5_ccache as the ticket for the impersonated principal.
| We may pass it to some krb5/gssapi functions and they may use them in the wrong way, which would grant machine account privileges to the client.
| metze
* s4:auth/kerberos: use better variable names in kerberos_kinit_password_cc() [Stefan Metzmacher, 2011-06-22, files: 1, lines: -27/+41]
| This will make the following changes easier to review.
| metze
* s4:auth/kerberos: don't ignore return code in kerberos_kinit_password_cc() [Stefan Metzmacher, 2011-06-22, files: 1, lines: -0/+2]
| metze
* s4/auth: Trivial spelling fixes. [Brad Hards, 2011-06-21, files: 2, lines: -6/+6]
| Signed-off-by: Andrew Tridgell <tridge@samba.org>
* libcli/util Rename common map_nt_error_from_unix to avoid duplicate symbol [Andrew Bartlett, 2011-06-20, files: 1, lines: -2/+2]
| The two error tables need to be combined, but for now separate the names.
| (As the common parts of the tree now use the _common function, errmap_unix.c must be included in the s3 autoconf build).
| Andrew Bartlett
| Autobuild-User: Andrew Bartlett <abartlet@samba.org>
| Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
* libcli/util Bring samba4 unix -> nt_status code in common. [Andrew Bartlett, 2011-06-20, files: 1, lines: -1/+1]
| Due to library link orders, this is already the function that is being used. However we still need to sort out the duplicate symbol issues, probably by renaming things.
| Andrew Bartlett
* s4: fix wrong index usage PRIMARY_USER_SID_INDEX when it should have been PRIMARY_GROUP_SID_INDEX [Matthieu Patou, 2011-06-19, files: 1, lines: -1/+1]
| The system account was instantiated with wrong user and group SIDs, group sid resulted being just the domain SID. Bug seems to date from fbe6d155bf177c610ee549cc534650b0f0700e8a.
| Andrew (B.) please check.
* s4-auth: quiet down the krb5 warnings when kerberos is not set to 'MUST' [Andrew Tridgell, 2011-06-17, files: 2, lines: -2/+6]
| this prevents spurious error messages on client commands when we will fall back to NTLM authentication
| Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4:auth/ntlm/auth_unix.c - remove unused variables [Matthias Dieter Wallnöfer, 2011-06-11, files: 1, lines: -2/+0]
| Relicts from commit 323c7445713d17989452b99bbb541248bb2388eb
| Reviewed-by: Jelmer
* s4:auth/ntlm/auth.c - fix incompatible pointer type warning [Matthias Dieter Wallnöfer, 2011-06-09, files: 1, lines: -2/+2]
| Reviewed-by: Tridge
* s4-gensec bring GSS_S_CONTEXT_EXPIRED into its own error handler [Andrew Bartlett, 2011-06-08, files: 1, lines: -0/+59]
| This allows us to print much more debugging in this critical situation.
| Andrew Bartlett
| Autobuild-User: Andrew Bartlett <abartlet@samba.org>
| Autobuild-Date: Wed Jun 8 04:19:58 CEST 2011 on sn-devel-104
* s4-credentials Don't use expired Kerberos or GSSAPI credentials [Andrew Bartlett, 2011-06-08, files: 1, lines: -4/+57]
| In a long-lived credentials cache situation, we may need to refetch the ticket after (say) 10 hours. This code should help that happen, by checking the lifetime before returning any credentials cache or GSSAPI credentials.
| Andrew Bartlett
* s4-credentials Allow use of file-based credentials caches for debugging. [Andrew Bartlett, 2011-06-08, files: 1, lines: -3/+9]
| This means that we will leave a slew of file based credentials caches in /tmp, which should give some clues to the administrator or developer via klist as to what has gone wrong.
| Andrew Bartlett
* s4-auth Move default auth methods back into auth.c [Andrew Bartlett, 2011-06-07, files: 1, lines: -4/+6]
| This changes auth_methods_from_lp to no longer use the parametric options, and to cope with ROLE_DOMAIN_BDC and ROLE_DOMAIN_PDC. This will assist in calling the source4 auth subsystem with a source3 derived lp_ctx.
| Andrew Bartlett
* s4-modules Remove lp_ctx from init functions that no longer need it [Andrew Bartlett, 2011-06-06, files: 3, lines: -5/+5]
| Now that we don't allow the smb.conf to change the modules dir, many functions that simply load modules or initialise a subsystem that may load modules no longer need an lp_ctx.
| Andrew Bartlett
* s4:auth/ntlmssp/ntlmssp_server.c - add "const" in front of "dnsdomain" [Matthias Dieter Wallnöfer, 2011-05-21, files: 1, lines: -1/+1]
| Signed-off-by: Metze
* s4:auth/credentials: S4U2Self should force CRED_MUST_USE_KERBEROS [Stefan Metzmacher, 2011-05-18, files: 1, lines: -0/+1]
| Otherwise we would not impersonate the desired principal. This still doesn't work for plaintext auth, but should avoid ntlmssp.
| metze