1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

831 Commits

Author SHA1 Message Date
Volker Lendecke
744ed53a62 gensec: Fix a memory corruption in gensec_use_kerberos_mechs
Without this I get the following valgrind error:

==27740== Invalid write of size 8
==27740==    at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112)
==27740==    by 0x62C623: gensec_security_mechs (gensec_start.c:141)
==27740==    by 0x62C777: gensec_security_by_oid (gensec_start.c:181)
==27740==    by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735)
==27740==    by 0x50D6FD: negprot_spnego (negprot.c:210)
==27740==    by 0x5B0DEA: smbd_smb2_request_process_negprot (smb2_negprot.c:209)
==27740==    by 0x5AD036: smbd_smb2_request_dispatch (smb2_server.c:1417)
==27740==    by 0x5AFB77: smbd_smb2_first_negprot (smb2_server.c:2643)
==27740==    by 0x585C00: process_smb (process.c:1641)
==27740==    by 0x587F78: smbd_server_connection_read_handler (process.c:2314)
==27740==    by 0x587FD6: smbd_server_connection_handler (process.c:2331)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x584AFF: smbd_server_connection_loop_once (process.c:984)
==27740==    by 0x58B2D9: smbd_process (process.c:3389)
==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740==    by 0xDE6DD8: main (server.c:1413)
==27740==  Address 0x9ff3538 is 4,232 bytes inside a block of size 8,288 alloc'd
==27740==    at 0x4C261D7: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27740==    by 0x6926965: __talloc (talloc.c:560)
==27740==    by 0x6926771: talloc_pool (talloc.c:598)
==27740==    by 0x93B927: talloc_stackframe_internal (talloc_stack.c:145)
==27740==    by 0x93B9D6: talloc_stackframe_pool (talloc_stack.c:171)
==27740==    by 0x58B2B7: smbd_process (process.c:3385)
==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740==    by 0xDE6DD8: main (server.c:1413)

In the for-loop we can increment j twice, so we need twice as many output array
elements as input array elements.

Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Thu Feb  9 19:44:47 CET 2012 on sn-devel-104
2012-02-09 19:44:47 +01:00
Andrew Bartlett
e4546f50fe auth: rename ntlmssp.c to ntlmssp_util.c 2012-02-08 16:30:25 +11:00
Andrew Bartlett
3ddb983c10 gensec: inline gensec_generate_session_info() into only caller
This avoids casting to and from the struct auth_user_info_dc *user_info_dc

to to this, the

if (user_info_dc->info->authenticated)

is moved into auth_generate_session_info_wrapper(), which is the
function that gensec_security->auth_context->generate_session_info
points to.

Andrew Bartlett
2012-01-30 08:05:14 +01:00
Andrew Bartlett
a647df4607 auth: Make check_password and generate_session_info hook generic
gensec_ntlmssp does not need to know the internal form of the
struct user_info_dc or auth_serversupplied_info.  This will allow the
calling logic to be put in common.

Andrew Bartlett
2012-01-30 08:05:14 +01:00
Andrew Bartlett
697a6e9504 auth: provide private pointer and do not return original PAC signatures
There is no need to return the PAC signatures via the special-purpose
torture element.  Instead, use a private pointer on the auth_context
in conjunction with the private PAC processing method.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sun Jan 29 23:52:50 CET 2012 on sn-devel-104
2012-01-29 23:52:50 +01:00
Stefan Metzmacher
8dd63b9343 auth/gensec_gssapi: sync gensec_gssapi_state with gse_context
Both use gss_krb5_lucid_context_v1_t now.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 25 10:22:31 CET 2012 on sn-devel-104
2012-01-25 10:22:31 +01:00
Andrew Bartlett
6411faf379 auth/gensec: align common elements between gse_context and gensec_gssapi_state
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 18 19:29:40 CET 2012 on sn-devel-104
2012-01-18 19:29:40 +01:00
Stefan Metzmacher
342be2851a s3:build: add auth/gensec/spnego.o
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Jan 13 06:32:30 CET 2012 on sn-devel-104
2012-01-13 06:32:30 +01:00
Stefan Metzmacher
01f246e873 auth/gensec: move spnego.c to the toplevel
metze
2012-01-13 04:58:41 +01:00
Stefan Metzmacher
d88af2fe24 auth/gensec: common helper functions should be in gensec_util.c
This makes the dependencies easier to handle.

metze
2012-01-13 04:58:41 +01:00
Stefan Metzmacher
edaa933b17 auth/gensec: add some more functions from gensec_start.c to gensec.h
metze
2012-01-13 04:58:40 +01:00
Stefan Metzmacher
bb6e64802e auth/gensec: make sure functions from gensec.c are in gensec.h
metze
2012-01-13 04:58:40 +01:00
Stefan Metzmacher
891318ee4c s4:auth/gensec/spnego: add support for fragmented spnego messages
metze
2012-01-12 13:15:08 +01:00
Stefan Metzmacher
6eea2c33c7 auth/gensec: add gensec_*max_update_size()
This is only a hint for the backend, which may want to fragment
update tokens.

metze
2012-01-12 13:15:08 +01:00
Andrew Bartlett
b69c40ffce auth/kerberos: Remove unused TALLOC_CTX argument to check_pac_checksum 2012-01-12 18:02:54 +11:00
Andrew Bartlett
5c92e9a46f gensec: Make sure to check the optional auth_context hooks before using them
These are optional to supply - some callers only provide an auth_context for the
other plugin functions, and so we need to deal with this cleanly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:15:42 +01:00
Andrew Bartlett
98ba33b258 gensec: Rename want_flags and got_flags in gensec_gssapi
This make it clearer what type of flags these are.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:11:22 +01:00
Andrew Bartlett
226c3ef7a6 gensec: make gensec_gssapi.h common
This will make it easier to share elements of the GSSAPI gensec mechs,
in much the same way elements of the NTLMSSP mech are shared.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:10:02 +01:00
Andrew Bartlett
f5a117172e gensec: move gensec_util.c to the top level
To do this some defines need to move to common_auth.h

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:02:41 +01:00
Andrew Bartlett
14c8a13d3e auth: make auth4_context common to provide access to generate_session_info_pac()
By providing this context, a function pointer for
generate_session_info_pac() can be inserted into gensec, allowing the
s3 PAC processing in an otherwise more generic gensec module.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 08:59:34 +01:00
Andrew Bartlett
b213514631 auth/kerberos: Remove unused headers from gssapi_parse.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 08:25:20 +01:00
Andrew Bartlett
356f7989eb auth/credentials Remove debug that prints in normal operation
The fact that this function is unimplemented is unimportant to the callers
as credential caches are not handled via the auth/credentials code in s3.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jan  9 03:24:36 CET 2012 on sn-devel-104
2012-01-09 03:24:36 +01:00
Andrew Bartlett
2f0ba1435d auth/kerberos: Rename memory contexts for greater clarity
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.

Thankyou Simo for the suggestion.

Andrew Bartlett
2011-12-29 22:26:06 +11:00
Andrew Bartlett
149f8f16be s4-gensec: Move parsing of the PAC blob and creating the session_info into auth
This uses a single callback to handle the PAC from the DATA_BLOB
format until it becomes a struct auth_session_info.

This allows a seperation between the GSS acceptor code and the PAC
interpretation code based on the supplied auth context.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
2011-12-29 01:10:58 +01:00
Andrew Bartlett
f320fb3df4 auth/kerberos: Make pac_data_out in kerberos_decode_pac() optional 2011-12-29 09:36:24 +11:00
Andrew Bartlett
9a085b0b80 auth/kerberos: Move gssapi_parse.c to the top level
This will help with writing a gensec module for the s3 gse layer.

Andrew Bartlett
2011-12-28 22:39:19 +11:00
Andrew Bartlett
1baf916399 credentials: Always honour the return value of E_deshash()
When this returns false, the hash value is not correct as the password
could not be converted into an uppercase, 14 char or less ASCII string.

Andrew Bartlett
2011-12-28 22:39:19 +11:00
Andrew Bartlett
4b7b26e3c0 gensec: Allow an alternate set of modules to be specified
This will allow s3 to specify modules to use as a list, rather than
needing to start the individual module with gensec_start_mech_by_ops()

Andrew Bartlett
2011-12-28 22:39:19 +11:00
Andrew Bartlett
dbbb626dc0 s4-dns Use match-by-key in GSSAPI server if principal is not specified
This allows dlz_bind9 to match on exactly the same key as bind9 itself

Andrew Bartlett

Autobuild-User: Amitay Isaacs <amitay@samba.org>
Autobuild-Date: Wed Dec  7 02:20:10 CET 2011 on sn-devel-104
2011-12-07 02:20:10 +01:00
Jelmer Vernooij
05bc4de083 Revert making public of the samba-module library.
This library was tiny - containing just two public functions than were
themselves trivial. The amount of overhead this causes isn't really worth the
benefits of sharing the code with other projects like OpenChange. In addition, this code
isn't really generically useful anyway, as it can only load from the module path
set for Samba at configure time.

Adding a new library was breaking the API/ABI anyway, so OpenChange had to be
updated to cope with the new situation one way or another. I've added a simpler
(compatible) routine for loading modules to OpenChange, which is less than 100 lines of code.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Dec  3 08:36:33 CET 2011 on sn-devel-104
2011-12-03 08:36:30 +01:00
Jeremy Allison
3e6e1aed94 Fix a bunch of "warning: variable ‘XXXX’ set but not used [-Wunused-but-set-variable]" warnings from the new gcc.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Mon Nov 21 23:39:08 CET 2011 on sn-devel-104
2011-11-21 23:39:08 +01:00
Andrew Tridgell
ba41389d3d test: fixed several tests to use samba.tests
this fixes error checking. Test failures were not being detected
otherwise

Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
2011-11-10 14:24:21 +11:00
Andrew Bartlett
7f8f7159af lib/util Rename samba_modules_load -> samba_module_init_fns_for_subsystem
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
0ce09fcf7a lib/util Rename samba_init_module_fns_run -> samba_module_init_fns_run
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
1b7cc4ac7c lib/util Rename samba_init_module_fn -> samba_module_init_fn
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
87354c9a6d lib/util Split samba-modules library into public and private parts
This will allow OpenChange to get at the symbols it needs, without
exposing any more of this as a public API than we must.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
b7b798e15b lib/util Rename load_samba_modules -> samba_modules_load
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
ce0ccc2a2e lib/util Rename run_init_functions -> samba_init_module_fns_run
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
1935b7b6c2 lib/util Rename init_module_fn to samba_init_module_fn
This prepares for making the samba_module.h header public again, for OpenChange.

I am keen to avoid too much API namespace pollution if we can.
2011-10-28 13:10:28 +02:00
Andrew Bartlett
7cf00e3231 gensec: Add parinoia about integer wrapping 2011-10-28 13:10:28 +02:00
Simo Sorce
8870daeb8d idl: Improve MS-PAC IDL
Change some misleading variable names to reflect the actual function.
Add missing field name/types previously marked as unkown.

Signed-off-by: Günther Deschner <gd@samba.org>

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Oct 24 19:19:28 CEST 2011 on sn-devel-104
2011-10-24 19:19:28 +02:00
Stefan Metzmacher
c9ddc50108 auth/gensec: fix missleading comment
We don't talloc_reference for tsocket_addresses.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Oct 24 15:29:47 CEST 2011 on sn-devel-104
2011-10-24 15:29:47 +02:00
Stefan Metzmacher
061dad7727 auth/gensec: replace #if _SAMBA_BUILD_ == 4 by a feature test
metze
2011-10-22 09:28:26 +02:00
Andrew Bartlett
e7d5f0a357 gensec: move event context from gensec_*_init() to gensec_update()
This avoids keeping the event context around on a the gensec_security
context structure long term.

In the Samba3 server, the event context we either supply is a NULL
pointer as no server-side modules currently use the event context.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:33 +11:00
Andrew Bartlett
3f9ab2e8e7 ntlmssp: Refuse to seal if we did not negotiate to sign
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:33 +11:00
Andrew Bartlett
86d684e4d6 gensec: Refuse to seal if we did not negotiate to sign
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:33 +11:00
Andrew Bartlett
0d5de7e19c gensec: Assert that we have not been subject to a downgrade attack in DCE/RPC clients
Because of the calling convention, this is the best place to assert
that we have not been subject to a downgrade attack on the negotiated
features.  (In DCE/RPC, this isn't a negotiation, the client simply
specifies the level of protection that is required).

Andrew Bartlett

(some formatting fixes)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:32 +11:00
Andrew Bartlett
c77964724d gensec: an event context is no longer mandetory
If you do not specify one however, you better know that the modules
you are using do not need one!

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:32 +11:00
Andrew Bartlett
02eef4d130 ntlmssp: Put members from auth_ntlmssp_state into gensec_ntlmssp_state
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:32 +11:00
Andrew Bartlett
968b3674b1 ntlmssp: Prepare gensec_ntlmssp_start() for broader use
This moves the allocation of the ntlmssp pointer back to the callers.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Andrew Bartlett
0c6e4adcb2 ntlmssp: Move ntlmssp code to auth/ntlmssp
This brings in the code from both libcli/auth and
source4/auth/ntlmssp.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Andrew Bartlett
5e6543ad76 build: compile gensec_start.c and credentials.c in the autoconf build
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Andrew Bartlett
734e5c521c credentials: Prioritise command-line specified options above defaults from smb.conf
If a user specified -W or --realm on the command line, then this is
of level SPECIFIED, not UNINITIALISED, despite it going via the
loadparm system.

This helps us to ensure that -W server -Ulocaluser is parsed the
same as -Userver\localuser.  This matters as otherwise we might
instead attempt to use kerberos to the realm from the smb.conf.

Andrew Bartlett
2011-10-18 13:13:30 +11:00
Andrew Bartlett
454986298a gensec: trim header includes back to what is actually required
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 11 06:13:08 CEST 2011 on sn-devel-104
2011-10-11 06:13:08 +02:00
Andrew Bartlett
534355fecf auth/credentials Declare remaining functions are public interfaces and put into credentials.h
This is in preperation for this file being used by s3, and recognises that these are all
reasonable, public interfaces but were not declared as such in the past.

Andrew Bartlett
2011-10-11 13:41:36 +11:00
Andrew Bartlett
fe02752ed6 auth: move gensec_start.c to the top level
This does not change who uses gensec for now, but makes it possible to
write new gensec modules outside source4/

Andrew Bartlett
2011-10-11 13:41:36 +11:00
Andrew Bartlett
561d834123 auth: move credentials layer to the top level
This will allow gensec_start.c to move to the top level.  This does not change
what code uses the cli_credentials code, but allows the gensec code to be
more broadly.

Andrew Bartlett
2011-10-11 13:41:36 +11:00
Ewoud Kohl van Wijngaarden
2d6571d2e5 Add missing com_err dependencies
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Thu Oct  6 02:10:21 CEST 2011 on sn-devel-104
2011-10-06 02:10:21 +02:00
Andrew Bartlett
af5f494bd2 build: provide tevent-util as a public library
This is needed so that OpenChange can get at _tevent_req_nterr(), which is referenced
by generated PIDL output.

Andrew Bartlett
2011-08-08 13:34:06 +02:00
Andrew Bartlett
35b309fa0c gensec: clarify memory ownership for gensec_session_info() and gensec_session_key()
This is slightly less efficient, because we no longer keep a cache on
the gensec structures, but much clearer in terms of memory ownership.
Both gensec_session_info() and gensec_session_key() now take a mem_ctx
and put the result only on that context.

Some duplication of memory in the callers (who were rightly uncertain
about who was the rightful owner of the returned memory) has been
removed to compensate for the internal copy.

Andrew Bartlett
2011-08-03 18:48:02 +10:00
Andrew Bartlett
d3fe48ba48 gensec: Remove mem_ctx from calls that do not return memory
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:01 +10:00
Andrew Bartlett
16b2118b43 gensec: split GENSEC into mechanism-dependent and runtime functions
The startup and runtime functions that have no dependencies are moved
into the top level.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:01 +10:00
Andrew Bartlett
9d09b66f41 auth: Set NETLOGON_GUEST and use it to determine guest status
These additional measures should help ensure we do not accidentily upgrade
a guest to an authenticated user in the future.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:14 +10:00
Andrew Bartlett
7f64ea456b auth: Move make_user_info_SamBaseInfo() to talloc_strdup and out of memory checking
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:14 +10:00
Andrew Bartlett
52b28ec813 auth: Split out make_user_info_SamBaseInfo and add authenticated argument
This will allow the source3 auth code to call this without needing to
double-parse the SIDs

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:14 +10:00
Andrew Bartlett
a39187f0f5 auth: include auth.idl structures into common_auth.h
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:10 +10:00
Andrew Bartlett
fa18267042 auth: Preserve guest flag on transition via netr_SamInfo3
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:10 +10:00
Andrew Bartlett
55ad1da888 Add my copyright
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:09 +10:00
Stefan Metzmacher
9ba10877aa auth/kerberos/gssapi_pac: fix compiler warnings
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun 15 19:06:24 CEST 2011 on sn-devel-104
2011-06-15 19:06:24 +02:00
Günther Deschner
9211f232aa auth/auth_sam_reply.h: fix licence/copyright
Guenther
2011-06-10 15:11:16 +02:00
Andrew Bartlett
a2ff3e7c61 build: Make auth_sam_reply a library 2011-05-18 16:12:08 +02:00
Andrew Bartlett
6990536000 auth: allow auth_common.h to be included multiple times without error 2011-05-08 10:56:27 +02:00
Gordon Ross
ac25835ab7 Fix Samba3 on OpenIndiana.
I'd like Samba to use the native OpenLDAP and MIT Kerberos libs.
Attached are some patches to do that. (relative to git master)
It does not build for me without these.

(OpenIndiana is an off-shoot of OpenSolaris  See http://www.openindiana.org)

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat May  7 02:20:14 CEST 2011 on sn-devel-104
2011-05-07 02:20:14 +02:00
Andrew Bartlett
47e2870228 auth/kerberos Add check for gss_inquire_sec_context_by_oid
Not all kerberos distributions have this function.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Apr 27 07:39:08 CEST 2011 on sn-devel-104
2011-04-27 07:39:08 +02:00
Andrew Bartlett
f0ce322c77 auth/kerberos Move all the PAC handling functions to auth/kerberos 2011-04-27 11:56:48 +10:00
Andrew Bartlett
6ec4306f8c auth/kerberos: Create common helper to get the verified PAC from GSSAPI
This only works for Heimdal and MIT Krb5 1.8, other versions will get
an ACCESS_DEINED error.

We no longer manually verify any details of the PAC in Samba for
GSSAPI logins, as we never had the information to do it properly, and
it is better to have the GSSAPI library handle it.

Andrew Bartlett
2011-04-27 11:56:48 +10:00
Günther Deschner
7a558ea27c s3-waf: fix the build after auth changes.
Andrews, please check.

Guenther
2011-02-10 12:58:06 +01:00
Andrew Bartlett
4cfee6f88e auth Move auth_sam_reply into the top level.
These functions provide conversions between some netlogon.idl and
auth.idl structures

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-10 06:51:06 +01:00
Günther Deschner
95f9542e05 s3-auth: remove global include of krb5pac.h.
Guenther
2010-08-31 23:17:40 +02:00
Andrew Bartlett
23994e1b53 s3:auth Make Samba3 use the new common struct auth_usersupplied_info
This common structure will make it much easier to produce an auth
module for s3compat that calls Samba4's auth subsystem.

In order the make the link work properly (and not map twice), we mark
both that we did try and map the user, as well as if we changed the
user during the mapping.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-14 11:58:13 +10:00
Andrew Bartlett
272e49e85c s4:auth Move struct auth_usersupplied_info to a common location
This also changes the calling convention slightly - we should always
allocate this with talloc_zero() to allow some elements to be
optional.  Some elements may only make sense in Samba3, which I hope
will use this common structure.

Andrew Bartlett
2010-08-14 11:58:13 +10:00