1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

78 Commits

Author SHA1 Message Date
Andreas Schneider
788f72f8eb gensec: add DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM backend
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-04-24 11:21:05 +02:00
Stefan Metzmacher
fc59cc3102 auth/gensec: use auth_ctx->generate_session_info() for schannel
This way we generate a correct session info for the s3 rpc_server,
including a unix token.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-24 11:21:05 +02:00
Andrew Bartlett
c3baddf271 auth: Pass though error from GENSEC sub-mechanism
This allows wrong-password or account-locked-out errors to be passed
though from Kerberos (gssapi).

Andrew Bartlett

Change-Id: I4bc11a1ad98dfbcc5a4ad9101cd843a7a59f0b59
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:45 +02:00
Stefan Metzmacher
01c029993c auth/gensec/spnego: map SPNEGO_REJECT to NT_STATUS_LOGON_FAILURE
This is what NTLMSSP also gives.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 27 02:34:36 CET 2014 on sn-devel-104
2014-03-27 02:34:36 +01:00
Stefan Metzmacher
2103c373b4 auth/gensec: remove tevent_context argument from gensec_update()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:32 +01:00
Stefan Metzmacher
b2b239a854 auth/gensec: make use of gensec_update_ev() in spnego.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:31 +01:00
Stefan Metzmacher
79f5275db2 auth/gensec: add a gensec_update_ev() function
This is the current gensec_update() which takes an optional
tevent_context structure and allows semi-async code.

This is just a temporary solution on the way to kill
the semi-async code completely, by using gensec_update_send/recv.

By providing a gensec_update_ev(), we can remove the explicit
tevent_context from gensec_update() and fix all the sane callers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:31 +01:00
Stefan Metzmacher
2ac1ca40f3 auth/gensec: fix gensec_update() with ev == NULL.
In future we should remove the tevent_context argument from
gensec_update() completely!

If we have sane backends we should also remove the
tevent_loop_allow_nesting() call again!
t
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:31 +01:00
Stefan Metzmacher
31a92744bf auth/gensec: only include "librpc/gen_ndr/dcerpc.h"
We only need some DCERPC_ defines.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-13 11:54:13 +01:00
Stefan Metzmacher
03006d0e44 auth/gensec: implement GENSEC_FEATURE_SIGN_PKT_HEADER in schannel.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 00:27:11 +01:00
Stefan Metzmacher
616cd00995 auth/gensec: move libcli/auth/schannel_sign.c into schannel.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 00:27:11 +01:00
Günther Deschner
4f979525e4 gensec: check for NULL gensec_security in gensec_security_by_auth_type().
We have equivalent checks in other gensec_security_by_X calls already.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-19 11:09:06 +02:00
Günther Deschner
d433ad077f gensec: remove duplicate gensec_security_by_authtype() call.
We should use the equivalent gensec_security_by_auth_type() call which is
exposed in the public header.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-19 11:08:56 +02:00
Günther Deschner
4d2ec9e37e gensec: move schannel module to toplevel.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-19 11:08:44 +02:00
Howard Chu
6bf59b03d7 Add SASL/EXTERNAL gensec module
Signed-off-by: Howard Chu <hyc@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-09-18 19:47:55 +02:00
Andrew Bartlett
3f464ca1f5 auth/credentials: Add cli_credentials_{set,get}_forced_sasl_mech()
This will allow us to force the use of only DIGEST-MD5, for example, which is useful
to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-09-16 14:44:28 -07:00
Volker Lendecke
980c757388 gensec: Fix CID 1063258 Uninitialized scalar variable
Signed-off-by: Volker Lendecke <vl@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-19 11:16:26 +12:00
Stefan Metzmacher
966faef9c6 auth/gensec: treat struct gensec_security_ops as const if possible.
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:04 +02:00
Stefan Metzmacher
c81b6f7448 auth/gensec: use 'const char * const *' for function parameters
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:04 +02:00
Stefan Metzmacher
e81550c811 auth/gensec: make it possible to implement async backends
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:03 +02:00
Stefan Metzmacher
6a7a44db59 auth/gensec: avoid talloc_reference in gensec_security_mechs()
We now always copy.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:03 +02:00
Stefan Metzmacher
3e3534f882 auth/gensec: avoid talloc_reference in gensec_use_kerberos_mechs()
We now always copy.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:03 +02:00
Stefan Metzmacher
71c63e85e7 auth/gensec: introduce gensec_internal.h
We should treat most gensec related structures private.

It's a long way, but this is a start.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:02 +02:00
Stefan Metzmacher
59b09564a7 auth/gensec: add gensec_security_by_auth_type()
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:18:56 +02:00
Stefan Metzmacher
45c74c8084 auth/gensec: first check GENSEC_FEATURE_SESSION_KEY before returning NOT_IMPLEMENTED
Preferr NT_STATUS_NO_USER_SESSION_KEY as return value of gensec_session_key().

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:18:55 +02:00
Volker Lendecke
26b6e28082 gensec: Make gensec_security_oids_from_ops static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 15 20:05:34 CEST 2013 on sn-devel-104
2013-05-15 20:05:34 +02:00
Volker Lendecke
85220eaa9c gensec: Make gensec_security_by_sasl_list static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-05-15 18:19:09 +02:00
Volker Lendecke
eb6ebe689f gensec: Make gensec_interface_version public
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-05-15 18:19:09 +02:00
Andrew Bartlett
df004b5014 gensec: Allow login without a PAC by default (bug #9581)
The sense of this test was inverted.  We only want to take the ACCESS_DENIED error
if gensec:require_pac=true.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-24 14:18:22 +01:00
Volker Lendecke
8a6a13ab51 auth: Fix some nonempty blank lines
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-09-20 19:49:32 -07:00
Andrew Bartlett
ab80b99815 auth/gensec: Remove unused gensec_security parameter 2012-07-03 08:13:01 +10:00
Stefan Metzmacher
9ac855c8b8 auth/gensec: implement gensec_spnego_expire_time()
metze
2012-05-17 20:04:33 +02:00
Stefan Metzmacher
dce6fdf195 auth/gensec: add gensec_expire_time()
metze
2012-05-17 20:04:32 +02:00
Simo Sorce
88d5d5c4b4 auth-krb: Nove oid packet check to gensec_util.
This is clearly a utiliy function generic to gensec.  Also the 3 callers
had identical implementations. Provide a generic implementation for all
of them and avoid duplicating the code everywhere.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
93aa4511b9 gensec_gssapi: keep private header file close to the actual code
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Stefan Metzmacher
7c715207ad auth/gensec_gssapi: gss_krb5_lucid_context_v1_t is not shared with the gse code anymore
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Mar 15 09:16:16 CET 2012 on sn-devel-104
2012-03-15 09:16:16 +01:00
Andrew Bartlett
c35a7e8c47 auth: Allow the netbios name and domain to be set from winbindd in ntlm_auth3
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Feb 17 12:18:51 CET 2012 on sn-devel-104
2012-02-17 12:18:51 +01:00
Andrew Bartlett
55c630404a auth: Provide a way to specify the NTLMSSP server name to GENSEC
This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller
knows better.  This will allow preservation of current s3 behaviour.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
d2ccaaad20 gensec: explain gensec_use_kerberos_mechs() logic
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Feb 10 12:36:23 CET 2012 on sn-devel-104
2012-02-10 12:36:23 +01:00
Andrew Bartlett
93f3fc54e4 gensec: set flag to continue in outer for loop in gensec_use_kerberos_mechs
This should be the correct fix for the valgrind erorr Volker found in
744ed53a62.  This fix avoids putting
SPNEGO into the list twice when we are in the CRED_DONT_USE_KERBEROS
case.

Andrew Bartlett
2012-02-10 20:49:24 +11:00
Andrew Bartlett
901e3b7246 Revert "gensec: Fix a memory corruption in gensec_use_kerberos_mechs"
This reverts commit 744ed53a62.

The real bug here is that the second half of the outer loop should not
have been run once we found spnego.

Andrew Bartlett
2012-02-10 20:49:24 +11:00
Volker Lendecke
744ed53a62 gensec: Fix a memory corruption in gensec_use_kerberos_mechs
Without this I get the following valgrind error:

==27740== Invalid write of size 8
==27740==    at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112)
==27740==    by 0x62C623: gensec_security_mechs (gensec_start.c:141)
==27740==    by 0x62C777: gensec_security_by_oid (gensec_start.c:181)
==27740==    by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735)
==27740==    by 0x50D6FD: negprot_spnego (negprot.c:210)
==27740==    by 0x5B0DEA: smbd_smb2_request_process_negprot (smb2_negprot.c:209)
==27740==    by 0x5AD036: smbd_smb2_request_dispatch (smb2_server.c:1417)
==27740==    by 0x5AFB77: smbd_smb2_first_negprot (smb2_server.c:2643)
==27740==    by 0x585C00: process_smb (process.c:1641)
==27740==    by 0x587F78: smbd_server_connection_read_handler (process.c:2314)
==27740==    by 0x587FD6: smbd_server_connection_handler (process.c:2331)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x584AFF: smbd_server_connection_loop_once (process.c:984)
==27740==    by 0x58B2D9: smbd_process (process.c:3389)
==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740==    by 0xDE6DD8: main (server.c:1413)
==27740==  Address 0x9ff3538 is 4,232 bytes inside a block of size 8,288 alloc'd
==27740==    at 0x4C261D7: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27740==    by 0x6926965: __talloc (talloc.c:560)
==27740==    by 0x6926771: talloc_pool (talloc.c:598)
==27740==    by 0x93B927: talloc_stackframe_internal (talloc_stack.c:145)
==27740==    by 0x93B9D6: talloc_stackframe_pool (talloc_stack.c:171)
==27740==    by 0x58B2B7: smbd_process (process.c:3385)
==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740==    by 0xDE6DD8: main (server.c:1413)

In the for-loop we can increment j twice, so we need twice as many output array
elements as input array elements.

Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Thu Feb  9 19:44:47 CET 2012 on sn-devel-104
2012-02-09 19:44:47 +01:00
Andrew Bartlett
3ddb983c10 gensec: inline gensec_generate_session_info() into only caller
This avoids casting to and from the struct auth_user_info_dc *user_info_dc

to to this, the

if (user_info_dc->info->authenticated)

is moved into auth_generate_session_info_wrapper(), which is the
function that gensec_security->auth_context->generate_session_info
points to.

Andrew Bartlett
2012-01-30 08:05:14 +01:00
Stefan Metzmacher
8dd63b9343 auth/gensec_gssapi: sync gensec_gssapi_state with gse_context
Both use gss_krb5_lucid_context_v1_t now.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 25 10:22:31 CET 2012 on sn-devel-104
2012-01-25 10:22:31 +01:00
Andrew Bartlett
6411faf379 auth/gensec: align common elements between gse_context and gensec_gssapi_state
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 18 19:29:40 CET 2012 on sn-devel-104
2012-01-18 19:29:40 +01:00
Stefan Metzmacher
342be2851a s3:build: add auth/gensec/spnego.o
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Jan 13 06:32:30 CET 2012 on sn-devel-104
2012-01-13 06:32:30 +01:00
Stefan Metzmacher
01f246e873 auth/gensec: move spnego.c to the toplevel
metze
2012-01-13 04:58:41 +01:00
Stefan Metzmacher
d88af2fe24 auth/gensec: common helper functions should be in gensec_util.c
This makes the dependencies easier to handle.

metze
2012-01-13 04:58:41 +01:00
Stefan Metzmacher
edaa933b17 auth/gensec: add some more functions from gensec_start.c to gensec.h
metze
2012-01-13 04:58:40 +01:00
Stefan Metzmacher
bb6e64802e auth/gensec: make sure functions from gensec.c are in gensec.h
metze
2012-01-13 04:58:40 +01:00