1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

574 Commits

Author SHA1 Message Date
Stefan Metzmacher
4a1809cb14 auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
This matches a modern Windows client.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00
Stefan Metzmacher
a61ab398cc auth/ntlmssp: add ntlmssp_version_blob()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00
Stefan Metzmacher
4fca8eaaae auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
We don't set NTLMSSP_NEGOTIATE_OEM_{DOMAIN,WORKSTATION}_SUPPLIED anyway.

This matches modern Windows clients.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00
Stefan Metzmacher
efd4986794 auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
This matches a modern Windows client.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00
Stefan Metzmacher
afba38dbf5 auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00
Stefan Metzmacher
30d626024c auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
NTLMSSP_NEGOTIATE_VERSION only indicates the existence of the version
information in the packet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00
Stefan Metzmacher
e63442a1c2 auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00
Stefan Metzmacher
b133f66e0d auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
This can used in order to use the WINBINDD_CCACHE_NTLMAUTH
code of winbindd to do NTLMSSP authentication with a cached
password.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00
Stefan Metzmacher
0a93cad337 auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00
Stefan Metzmacher
b3d4523ff7 auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
These can be used to implement the winbindd side of
the WINBINDD_CCACHE_NTLMAUTH call.

It can properly get the initial NEGOTIATE messages
injected if available.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00
Stefan Metzmacher
a85a02b631 auth/ntlmssp: add gensec_ntlmssp_server_domain()
This is a hack in order to temporary export the server domain
from NTLMSSP through the gensec stack.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:27 +01:00
Stefan Metzmacher
0a9e37a0db auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:27 +01:00
Stefan Metzmacher
8efcb49435 auth/gensec: make gensec_security_by_name() public
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:27 +01:00
Stefan Metzmacher
64364e365c auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
We do that for all other gensec_security_by_*() functions already.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:27 +01:00
Stefan Metzmacher
5e913af833 auth/gensec: keep a pointer to a possible child/sub gensec_security context
This is a hack in order to temporary implement something like:
gensec_ntlmssp_server_domain(), which may be used within spnego.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:27 +01:00
Andrew Bartlett
fc747539dc pycredentials: Use pytalloc_BaseObject_PyType_Ready()
This changes pycredentials to use talloc.BaseObject() just like the PIDL output

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-03-08 01:58:29 +01:00
Andrew Bartlett
7506321996 pycredentials: Remove PyCredentialCacheContainerObject
We can call pytalloc_reference() and avoid having this in the header file

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-03-08 01:58:29 +01:00
Andrew Bartlett
fe4b990cba pycredentials: Do not use pytalloc_Object directly
This type should not be used directly, it should have been made private
to pytalloc

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-03-08 01:58:29 +01:00
Volker Lendecke
58de339247 credentials: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-02-16 10:50:10 +01:00
Volker Lendecke
2c73ed8c69 credentials: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-02-16 10:50:10 +01:00
Günther Deschner
30386c23ae ntlmssp: when pulling messages it is important to clear memory first.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-02-04 09:29:16 +01:00
Jelmer Vernooij
da8674c72a Rename 'errors' to 'samba-errors' and make it public.
This is necessary because it has public headers.

Signed-off-by: Jelmer Vernooij <jelmer@jelmer.uk>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Wed Jan 13 07:47:04 CET 2016 on sn-devel-144
2016-01-13 07:47:04 +01:00
Jelmer Vernooij
773cfba9af Avoid including libds/common/roles.h in public loadparm.h header.
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Jelmer Vernooij
c46a8cf258 Make gensec private, for now.
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Volker Lendecke
57a0bc9a9f lib: Use asn1_has_error()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
ad630a681e asn1: Make asn1_peek_full_tag return 0/errno
We don't need the full power of NTSTATUS here. This was the only
NTSTATUS in asn1.h, so I think it's worth removing it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:17 +01:00
Douglas Bagnall
8b26559aeb pycredentials: add get_kerberos_state() method
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2015-12-15 00:08:57 +01:00
Andreas Schneider
ab0cbf9bba auth: Fix picky const warnings in gssapi_pac
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-11-23 15:17:18 +01:00
Jeremy Allison
d4059e1a53 auth: gensec: Parameters out_mem_ctx and ev are passed in the wrong order to gensec_spnego_server_try_fallback().
Fix suggested by <lev@zadarastorage.com>. Fixes a memory leak.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11565

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Oct 22 11:27:19 CEST 2015 on sn-devel-104
2015-10-22 11:27:19 +02:00
Richard Sharpe
dba9e631bd Prevent a crash in Python modules that try to authenticate by ensuring we reject cases where credendials fields are not intialized.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug 25 21:45:18 CEST 2015 on sn-devel-104
2015-08-25 21:45:18 +02:00
Volker Lendecke
2fbce8ad0a gensec: Fix CID 242642 Unchecked return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
2015-08-20 12:49:21 +02:00
Andreas Schneider
c9a8fff525 s4-auth: Always pass down the salt principal
We should always pass down the saltPrincipal to smb_krb5_update_keytab()
function.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-17 01:38:15 +02:00
Alexander Bokovoy
a0d2dd0e01 auth/credentials: if credentials have principal set, they are not anonymous anymore
When dealing with Kerberos, we cannot consider credentials anonymous
if credentials were obtained properly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11265

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan (metze) Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Jul 15 16:32:55 CEST 2015 on sn-devel-104
2015-07-15 16:32:54 +02:00
Stefan Metzmacher
f3f1c38925 auth/credentials: anonymous should not try to use kerberos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-03 02:00:28 +02:00
Andreas Schneider
0438027a47 auth: Explain why GSS_KRB5_CRED_NO_CI_FLAGS_X is needed
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 24 13:37:02 CEST 2015 on sn-devel-104
2015-06-24 13:37:02 +02:00
Stefan Metzmacher
8a4c0abb3e auth/kerberos: add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
These make use of gss_[un]wrap_iov[_length]() where required and support
header signing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
2cd3e51e19 auth/gensec: remove unused gensec_[un]wrap_packets() hooks
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:08 +02:00
Stefan Metzmacher
756508c8c3 auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL before starting
We want to set GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL based on the given
auth_level and should not have GENSEC_FEATURE_SEAL if
DCERPC_AUTH_LEVEL_INTEGRITY is desired.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Stefan Metzmacher
3542d33314 auth/gensec: gensec_[un]seal_packet() should only work with GENSEC_FEATURE_DCE_STYLE
gensec_sig_size() also requires GENSEC_FEATURE_DCE_STYLE if
GENSEC_FEATURE_SEAL is negotiated.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Stefan Metzmacher
57579453d1 auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X instead of SAMBA4_USES_HEIMDAL
Newer MIT versions also have this.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2015-06-23 14:38:53 +02:00
Jeremy Allison
5deb8169fe dcerpc: NULL pointer deref crash in handling rpc request.
source4/rpc_server/dcerpc_server.c:dcesrv_request() calls gensec_have_feature().

Codenomicon found a code path that allows the client to send a
request that calls into this function without ever having set
up security. So call->conn->auth_state.gensec_security exists
(gensec has been initialized when the RPC pipe is set up)
but call->conn->auth_state.gensec_security->ops has not been
initialized. We dereference the NULL pointer and crash.

An alternate way to fix this would be to create a new
public bool gensec_initialized(() function and call that
inside dcesrv_request() instead of doing a null
check on call->conn->auth_state.gensec_security,
but that's a more invasive fix we can add later.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11341

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-06-18 19:25:27 +02:00
Andreas Schneider
ffacfc1148 auth: Make sure error_string is not used uninitialized
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Simo Sorce <idra@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue May 19 13:42:32 CEST 2015 on sn-devel-104
2015-05-19 13:42:32 +02:00
Stefan Metzmacher
bf77d78fd8 auth/kerberos: remove allow_warnings=True
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-20 20:43:12 +01:00
Stefan Metzmacher
21ed0efac0 auth/kerberos: avoid compiler warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-20 20:43:12 +01:00
Andrew Bartlett
5f01bb1b06 build: Add talloc and samba-debug dep for gensec_external module
On a host without a talloc.h, this caused the build to fail

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Mar 19 18:01:09 CET 2015 on sn-devel-104
2015-03-19 18:01:09 +01:00
Jeremy Allison
5137af570d s4: lib: auth: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields.
Packet traces showing such servers are found in the bug this fixes:

https://bugzilla.samba.org/show_bug.cgi?id=10016

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-03-19 09:30:07 +01:00
Stefan Metzmacher
33fcfb37c4 auth/credentials: add cli_credentials_set_old_utf16_password()
This is required to set the previous trust account password.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Stefan Metzmacher
016c4ce84f auth/credentials: add cli_credentials_[g|s]et_old_nt_hash()
The machine and trust accounts it's important to retry
netr_Authenticate3() with the previous (old) nt_hash.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Stefan Metzmacher
3abccced8c auth/credentials: add a missing talloc check to cli_credentials_set_nt_hash()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Andrew Bartlett
e48d136e3a auth/kerberos: Do a string comparison in kerberos_decode_pac() not a principal comparison
This ensures that if an enterprise principal is used, we do the
comparison properly

This matters as in the enterprise case, which can be triggered by MIT
kinit -E, does not use canonicalization, and so the enterprise name,
with the @ in it, is in the logon name.

Otherwise, we get errors like:
 Name in PAC [TESTALLOWED@WIN2012R2] does not match principal name in ticket

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Volker Lendecke
38628b1e32 Fix the O3 developer build
Different gcc versions complain at different places

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Mar  3 13:14:53 CET 2015 on sn-devel-104
2015-03-03 13:14:53 +01:00
Günther Deschner
4ea40ed0c1 auth/credentials_krb5: fix memory leak in cli_credentials_failed_kerberos_login().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jan 26 19:56:57 CET 2015 on sn-devel-104
2015-01-26 19:56:57 +01:00
Stefan Metzmacher
826b0f761e auth/credentials: add cli_credentials_set_utf16_password()
We need a way to initialize the cli_credentials from the raw utf16 blob,
which might not be completely valid utf16, which means the conversion
from CH_UTF16MUNGED to CH_UTF8 might loose information.

This would result in an invalid nt_hash, when we convert back
from CH_UTF8 to CH_UTF16LE.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Stefan Metzmacher
153938a1f2 auth/gensec: add support for SEC_CHAN_DNS_DOMAIN to schannel_update()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Stefan Metzmacher
6ec32d7e12 auth/gensec: make sure we keep a DCERPC_AUTH_TYPE_SCHANNEL backend if required
Even with CRED_MUST_USE_KERBEROS we should keep the DCERPC_AUTH_TYPE_SCHANNEL
backend arround, this can only be specified explicitely by the caller
and cli_credentials_get_netlogon_creds() != NULL is the strong indication
that the caller is using DCERPC_AUTH_TYPE_SCHANNEL *now*.

With trusts against AD domain we can reliable use kerberos and netlogon
secure channel for authentication.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Jelmer Vernooij
8d933a84c9 credentials test: Use samba.tests.subunitrun.
Change-Id: I8970c66de9535cb8d48b17d88b2759b7d1e39cb8
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
f0fa5636e3 Remove unused imports.
Change-Id: I8915f62206edb53ffc2d89434e46d9e71db8bb9a
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-19 02:46:03 +01:00
Stefan Metzmacher
e36de873e9 auth: add missing includes to auth/wbc_auth_util.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-14 23:27:05 +01:00
Andrew Bartlett
e9dc6423d3 auth/credentials: Ensure that we set the realm when reading secrets.tdb
Otherwise, we try and kinit as host$@DOMAIN and that will not work.

Andrew Bartlett

Change-Id: Id2fde673423e74dfa1e6ac48f47f49c61ee59779
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
35b8ed7710 credentials: Allow the secret.tdb handle to be passed in to cli_credentials_set_machine_account()
This adds a new wrapper, cli_credentials_set_machine_account_db_ctx()

Andrew Bartlett

Change-Id: Ia2cceefede4ba9cf7f8de41986daf9372c19d997
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
89daf5dc53 credentials: Improve error message on failure to set machine account password
Change-Id: I4136067d6d0e5cfe92770a2e7efa39f4ebcb2aca
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
adb3eb79ea credentials: Set secure_channel_type from secrets.tdb in cli_credentials_set_machine_account
This should ensure more parts of the source4 code can work with a
password set in secrets.tdb.

Andrew Bartlett

Change-Id: I4a890a719246b073898333d2e04841904c6e1a5d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:06 +02:00
Andrew Bartlett
4281c11e3a credentials: Allow the secrets.tdb password to be newer than the secrets.ldb password
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-09-27 01:35:37 +02:00
Jeremy Allison
4dba8fd599 auth: gensec: asn1 fixes - check all returns.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
2014-09-26 00:51:16 +02:00
Günther Deschner
abc2d812f5 auth/credentials_krb5: silence a build warning.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-08 06:02:35 +02:00
Günther Deschner
fb2a8b34c1 auth/credentials-krb5: use get_kerberos_allowed_etypes().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-08 06:02:34 +02:00
Andrew Bartlett
0b77cd969c s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd
This changes the auth code in winbindd to use this as a flag, and to
therefore contact the RW DC.

Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
2014-07-04 02:52:35 +02:00
Andrew Bartlett
597d2a7a29 auth: Provide a way to use the auth stack for winbindd authentication
This adds in flags that allow winbindd to request authentication
without directly calling into the auth_sam module.

That in turn will allow winbindd to call auth_samba4 and so permit
winbindd operation in the AD DC.

Andrew Bartlett

Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Günther Deschner
360ca8e017 auth: avoid overwriting the auth_sam_reply.h header all the time.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon May 12 17:49:46 CEST 2014 on sn-devel-104
2014-05-12 17:49:46 +02:00
Andrew Bartlett
086c06e361 kerberos: Remove un-used event context argument from smb_krb5_init_context()
The event context here was only specified in the server or admin-tool
context, which does not do network communication, so this only caused
a talloc_reference() and never any useful result.

The actual network communication code sets an event context directly
before making the network call.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
2014-04-28 02:24:57 +02:00
Andreas Schneider
788f72f8eb gensec: add DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM backend
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-04-24 11:21:05 +02:00
Stefan Metzmacher
fc59cc3102 auth/gensec: use auth_ctx->generate_session_info() for schannel
This way we generate a correct session info for the s3 rpc_server,
including a unix token.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-24 11:21:05 +02:00
Andrew Bartlett
b7b5a1f5bd auth: Move wbcAuthUserInfo_to_netr_SamInfo3 to the top level
This allows auth_winbind in source4 to use this more correct conversion routine.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-04-18 20:08:09 +02:00
Andrew Bartlett
c3baddf271 auth: Pass though error from GENSEC sub-mechanism
This allows wrong-password or account-locked-out errors to be passed
though from Kerberos (gssapi).

Andrew Bartlett

Change-Id: I4bc11a1ad98dfbcc5a4ad9101cd843a7a59f0b59
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:45 +02:00
Stefan Metzmacher
35e9915589 auth/kerberos: explicitly use allow_warnings=True
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 09:03:46 +02:00
Stefan Metzmacher
2aebf16ac1 auth/tests: add missing #include "torture/local/proto.h"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 09:03:44 +02:00
Stefan Metzmacher
01c029993c auth/gensec/spnego: map SPNEGO_REJECT to NT_STATUS_LOGON_FAILURE
This is what NTLMSSP also gives.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 27 02:34:36 CET 2014 on sn-devel-104
2014-03-27 02:34:36 +01:00
Stefan Metzmacher
2103c373b4 auth/gensec: remove tevent_context argument from gensec_update()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:32 +01:00
Stefan Metzmacher
b2b239a854 auth/gensec: make use of gensec_update_ev() in spnego.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:31 +01:00
Stefan Metzmacher
79f5275db2 auth/gensec: add a gensec_update_ev() function
This is the current gensec_update() which takes an optional
tevent_context structure and allows semi-async code.

This is just a temporary solution on the way to kill
the semi-async code completely, by using gensec_update_send/recv.

By providing a gensec_update_ev(), we can remove the explicit
tevent_context from gensec_update() and fix all the sane callers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:31 +01:00
Stefan Metzmacher
2ac1ca40f3 auth/gensec: fix gensec_update() with ev == NULL.
In future we should remove the tevent_context argument from
gensec_update() completely!

If we have sane backends we should also remove the
tevent_loop_allow_nesting() call again!
t
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:31 +01:00
Günther Deschner
baed403983 auth/kerberos: fix a typo.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-12 10:13:20 +01:00
Garming Sam
952bc3cad0 Remove a number of NT_STATUS_HAVE_NO_MEMORY_AND_FREE macros from the codebase.
Following the current coding guidelines, it is considered bad practice to return from
within a macro and change control flow as they look like normal function calls.

Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-05 16:33:21 +01:00
Stefan Metzmacher
31a92744bf auth/gensec: only include "librpc/gen_ndr/dcerpc.h"
We only need some DCERPC_ defines.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-13 11:54:13 +01:00
Michael Adam
7e766a0a8a dbwrap: add dbwrap_flags argument to dbwrap_local_open()
To be consistent with db_open() and prepare for future
possible extensions.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-02-07 16:06:07 +01:00
Stefan Metzmacher
03006d0e44 auth/gensec: implement GENSEC_FEATURE_SIGN_PKT_HEADER in schannel.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 00:27:11 +01:00
Stefan Metzmacher
616cd00995 auth/gensec: move libcli/auth/schannel_sign.c into schannel.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 00:27:11 +01:00
Stefan Metzmacher
64fc015a85 auth/ntlmssp: GENSEC_FEATURE_SIGN_PKT_HEADER is always supported
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 00:27:11 +01:00
Stefan Metzmacher
556f66bd56 auth:credentials: avoid talloc_reference in cli_credentials_set_netlogon_creds()
Typically cli_credentials_set_netlogon_creds() should be used directly
before the DCERPC bind. And cli_credentials_get_netlogon_creds()
should be only used by the gensec layer, which only needs a copy.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct 16 23:56:01 CEST 2013 on sn-devel-104
2013-10-16 23:56:01 +02:00
Michael Adam
f33c1c89ee auth: fix space/tab mixup in cli_credentials_get_password()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-09-20 21:07:22 -07:00
Günther Deschner
4f979525e4 gensec: check for NULL gensec_security in gensec_security_by_auth_type().
We have equivalent checks in other gensec_security_by_X calls already.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-19 11:09:06 +02:00
Günther Deschner
d433ad077f gensec: remove duplicate gensec_security_by_authtype() call.
We should use the equivalent gensec_security_by_auth_type() call which is
exposed in the public header.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-19 11:08:56 +02:00
Günther Deschner
4d2ec9e37e gensec: move schannel module to toplevel.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-19 11:08:44 +02:00
Howard Chu
6bf59b03d7 Add SASL/EXTERNAL gensec module
Signed-off-by: Howard Chu <hyc@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-09-18 19:47:55 +02:00
Howard Chu
b3bb304036 Prepare for SASL/EXTERNAL support
Signed-off-by: Howard Chu <hyc@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-09-18 19:47:55 +02:00
Andrew Bartlett
3f464ca1f5 auth/credentials: Add cli_credentials_{set,get}_forced_sasl_mech()
This will allow us to force the use of only DIGEST-MD5, for example, which is useful
to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-09-16 14:44:28 -07:00
Volker Lendecke
980c757388 gensec: Fix CID 1063258 Uninitialized scalar variable
Signed-off-by: Volker Lendecke <vl@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-19 11:16:26 +12:00
Stefan Metzmacher
b055b3118d auth/credentials: make sure cli_credentials_get_nt_hash() always returns a talloc object
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-12 16:48:43 +12:00
Stefan Metzmacher
966faef9c6 auth/gensec: treat struct gensec_security_ops as const if possible.
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:04 +02:00
Stefan Metzmacher
c81b6f7448 auth/gensec: use 'const char * const *' for function parameters
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:04 +02:00
Stefan Metzmacher
e81550c811 auth/gensec: make it possible to implement async backends
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:03 +02:00
Stefan Metzmacher
6a7a44db59 auth/gensec: avoid talloc_reference in gensec_security_mechs()
We now always copy.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:03 +02:00
Stefan Metzmacher
3e3534f882 auth/gensec: avoid talloc_reference in gensec_use_kerberos_mechs()
We now always copy.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:03 +02:00
Stefan Metzmacher
71c63e85e7 auth/gensec: introduce gensec_internal.h
We should treat most gensec related structures private.

It's a long way, but this is a start.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:02 +02:00
Stefan Metzmacher
59b09564a7 auth/gensec: add gensec_security_by_auth_type()
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:18:56 +02:00
Stefan Metzmacher
45c74c8084 auth/gensec: first check GENSEC_FEATURE_SESSION_KEY before returning NOT_IMPLEMENTED
Preferr NT_STATUS_NO_USER_SESSION_KEY as return value of gensec_session_key().

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:18:55 +02:00
Stefan Metzmacher
b699d404bb auth/credentials: use CRED_CALLBACK_RESULT after a callback
We only do this if it's still CRED_CALLBACK after the callback,
this allowes the callback to overwrite it.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Aug  5 09:36:05 CEST 2013 on sn-devel-104
2013-08-05 09:36:05 +02:00
Stefan Metzmacher
8ea36a8e58 auth/credentials: simplify password_tries state
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:06 +12:00
Stefan Metzmacher
26a7420c1c auth/credentials: get the old password from secrets.tdb
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:05 +12:00
Stefan Metzmacher
9325bd9cb6 auth/credentials: keep cli_credentials private
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:05 +12:00
Stefan Metzmacher
b3cd44d50c auth/credentials: add cli_credentials_shallow_copy()
This is useful for testing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:01 +12:00
Stefan Metzmacher
6ff6778bdc auth/credentials: add cli_credentials_[set_]callback_data*
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:01 +12:00
Stefan Metzmacher
b8f0922645 auth/credentials: remove pointless talloc_reference() from cli_credentials_get_principal_and_obtained()
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:00 +12:00
Stefan Metzmacher
9535029258 auth/credentials: remove pointless talloc_reference() from cli_credentials_get_unparsed_name()
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:47:57 +12:00
Andrew Bartlett
fc13489c91 build: Build with system md5.h on OpenIndiana
This changes (again...) our system md5 detection to cope with how
OpenIndiana does md5.  I'm becoming increasingly convinced this isn't
worth our while (we should have just done samba_md5...), but for now
this change seems to work on FreeBSD, OpenIndiana and Linux with
libbsd.

This needs us to rename struct MD5Context -> MD5_CTX, but we provide a
config.h define to rename the type bad if MD5_CTX does not exist (it does
however exist in the md5.h from libbsd).

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 19 21:32:36 CEST 2013 on sn-devel-104
2013-06-19 21:32:36 +02:00
Andrew Bartlett
dc6b03ffa5 build: Remove unused credentials_samba3.c
This file was only used by the autoconf build system.

Andrew Bartlett

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-05-28 12:17:12 +10:00
Volker Lendecke
26b6e28082 gensec: Make gensec_security_oids_from_ops static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 15 20:05:34 CEST 2013 on sn-devel-104
2013-05-15 20:05:34 +02:00
Volker Lendecke
85220eaa9c gensec: Make gensec_security_by_sasl_list static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-05-15 18:19:09 +02:00
Volker Lendecke
eb6ebe689f gensec: Make gensec_interface_version public
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-05-15 18:19:09 +02:00
Rusty Russell
b45e3f557a secrets: use lpcfg_private_db_path() convenience helper.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-04-12 14:59:27 -07:00
Andrew Bartlett
1dcd75df49 auth/ntlmssp: Avoid use-after-free of user_info after logon failure at log level 5
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-03-27 09:28:50 -07:00
Stefan Metzmacher
bf0dcc918d auth/pycredentials: make use of samba_tevent_context_init()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-28 12:07:53 +01:00
Rusty Russell
2f4b21bb57 ntdb: switch between secrets.tdb and secrets.ntdb depending on 'use ntdb'
Since we open with dbwrap, it auto-converts old tdbs (which it will
rename to secrets.tdb.bak once it's done).

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au>
Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104
2013-02-20 07:09:19 +01:00
Andrew Bartlett
df004b5014 gensec: Allow login without a PAC by default (bug #9581)
The sense of this test was inverted.  We only want to take the ACCESS_DENIED error
if gensec:require_pac=true.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-24 14:18:22 +01:00
Andrew Tridgell
994696c5c4 auth: added cli_credentials_failed_kerberos_login()
this is used to support retrying kerberos connections after removing a
ccache entry, to cope with a server being re-built while our client
still has a valid service ticket

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-11-01 15:40:40 +11:00
Andrew Bartlett
d59688a8e7 auth/kerberos: add HAVE_KRB5 guard to fix non-krb5 build after winbindd pac changes
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Sep 22 02:44:07 CEST 2012 on sn-devel-104
2012-09-22 02:44:07 +02:00
Christof Schmitt
05befd2f73 auth/kerberos: Adjust log level for failed PAC signature verification
With winbindd trying to verify the signature of an application provided
PAC, this message can be easily triggered. Adjust the debug level to
avoid filling up the logs.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-09-20 19:49:32 -07:00
Volker Lendecke
8a6a13ab51 auth: Fix some nonempty blank lines
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-09-20 19:49:32 -07:00
Andrew Bartlett
a5d57a04c2 auth/credentials: Do not print passwords in a talloc memory dump
The fact that a password was created here is enough information, so
overwrite with the function name and line.

Andrew Bartlett
2012-08-31 14:30:38 +10:00
Andrew Bartlett
5131359eda auth/credentials: Support match-by-key in cli_credentials_get_server_gss_creds()
This allows a password alone to be used to accept kerberos tickets.

Of course, we need to have got the salt right, but we do not need also
the correct kvno.  This allows gensec_gssapi to accept tickets based on
a secrets.tdb entry.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Aug 30 01:26:12 CEST 2012 on sn-devel-104
2012-08-30 01:26:12 +02:00
Andrew Bartlett
17337cfec0 auth/credentials: Remove unused, and un-declared cli_credentials_set_krbtgt() 2012-08-29 11:34:52 +10:00
Andrew Bartlett
beafdd6410 auth/credentials: Better integrate fetch of secrets.tdb and secrets.ldb records
By checking first if there is a secrets.tdb record and passing in the password and last change time
we avoid setting one series of values and then replacing them.  We also avoid the need to work
around the setting of anonymous.

Andrew Bartlett
2012-08-29 11:34:52 +10:00
Andrew Bartlett
a0e4bdcb5b auth/credentials: Improve memory handling in cli_credentials_set_machine_account
By using a tempoary talloc context this is much tidier and more reliable code.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug 29 03:11:10 CEST 2012 on sn-devel-104
2012-08-29 03:11:09 +02:00
Andrew Bartlett
bcc29f9e73 auth/credentials: Avoid double-free in the failure case
This pointer is only valid if dbwrap_fetch returned success.

Andrew Bartlett
2012-08-29 09:09:10 +10:00
Andrew Bartlett
f873d422b1 auth/credentials: Rework credentials handling to try and find the most recent machine pw
As winbindd will update secrets.tdb but not secrets.ldb, we need to detect this and use secrets.tdb

Andrew Bartlett
2012-08-28 07:57:29 +10:00
Andrew Bartlett
e66fa2c813 auth/credentials: Expand secrets.tdb fetch of secrets to preserve workstation and realm
These would otherwise be set during the fetch from the secrets.ldb, but are wiped when that fails.

Andrew Bartlett
2012-08-28 07:57:29 +10:00
Björn Jacke
13f8674a15 build: rename security → samba-security
there is a libsecurity on OSF1 which clasheѕ with our security lib. see bug #9023.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Fri Aug 10 14:22:21 CEST 2012 on sn-devel-104
2012-08-10 14:22:20 +02:00
Stefan Metzmacher
e8f486883f auth/ntlmssp: avoid talloc_tos() in ntlmssp_client_initial()
This avoids a smb_panic at log level = 10.
If we don't have a talloc stackframe yet.

metze
2012-08-04 09:10:20 +02:00
Andrew Bartlett
0f21fe7666 auth/kerberos: Do not do pointer arithmatic on a void *
Found with -Werror=pointer-arith

Andrew Bartlett
2012-07-30 14:25:09 +10:00
Andrew Bartlett
cbc30833d6 auth/credentials: Remove extra newline 2012-07-19 04:04:20 +02:00
Andrew Bartlett
dff29e4aee auth/credentials: Look in the secrets.tdb for the machine account
This is for use with the -P/--machine-pass option.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Jul 15 05:41:28 CEST 2012 on sn-devel-104
2012-07-15 05:41:27 +02:00
Christof Schmitt
7285ed586f auth: Common function for retrieving PAC_LOGIN_INFO from PAC
Several functions use the same logic as kerberos_pac_logon_info. Move
kerberos_pac_logon_info to common code and reuse it to remove the code
duplication.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-06 20:45:51 +10:00
Andrew Bartlett
eba8799514 auth: Remove .get_challenge (only used for security=server)
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge,
so if we ever did use a module that needed this functionlity, we would
downgrade to just NTLM.

Now that security=server has been removed, we have no such module.

This will make it easier to make the auth subsystem async, as we will
not need to consider making .get_challenge async.

Andrew Bartlett
2012-07-03 08:13:01 +10:00
Andrew Bartlett
ab80b99815 auth/gensec: Remove unused gensec_security parameter 2012-07-03 08:13:01 +10:00
Alexander Bokovoy
238d24af4e auth-kerberos: avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute()
gss_get_name_attribute() can return unintialized pac_display_buffer
and later gss_release_buffer() will crash on attempting to release it.

The fix on MIT krb5 side is in 1.10.1, reported in both Debian and MIT upstream:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514
http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087

We need to initialize variables before using gss_get_name_attribute()

Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Jun  6 18:22:51 CEST 2012 on sn-devel-104
2012-06-06 18:22:51 +02:00
Alexander Bokovoy
dc3f74a953 auth/credentials: 'workgroup' set via command line will not drop existing ccache
The root cause for existing ccache being invalidated was use of global loadparm with
'workgroup' value set as if from command line. However, we don't really need to take
'workgroup' parameter value's nature into account when invalidating existing ccache.
When -U is used on the command line, one can specify a password to force ccache
invalidation.

The commit also reverts previous fix now that root cause is clear.
2012-05-24 16:21:26 +02:00
Andreas Schneider
2b144531f1 gse: Use the smb_gss_oid_equal wrapper.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-05-23 17:51:51 +03:00
Alexander Bokovoy
ec989e7c40 auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials
When credentials API is used by a client-side program that already as fetched required
tickets into a ccache, we need to skip re-initializing ccache. This is used in FreeIPA
when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets
already.
2012-05-23 17:51:50 +03:00
Simo Sorce
302abe6190 auth and s4-rpc_server: Do not use features we currently can't implement with MIT Kerbros build 2012-05-23 17:51:49 +03:00
Stefan Metzmacher
9ac855c8b8 auth/gensec: implement gensec_spnego_expire_time()
metze
2012-05-17 20:04:33 +02:00
Stefan Metzmacher
dce6fdf195 auth/gensec: add gensec_expire_time()
metze
2012-05-17 20:04:32 +02:00
Andreas Schneider
5832c61c5f s4-auth: Use smb_krb5_cc_get_lifetime() wrapper.
Signed-off-by: Simo Sorce <idra@samba.org>
2012-05-04 16:51:29 +02:00
Alexander Bokovoy
594e316181 lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into lib/replace/system/gssapi.h
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.

Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.

Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
2012-04-25 00:18:32 +02:00
Simo Sorce
08c733d75f Make krb5 wrapper library common so they can be used all over 2012-04-23 19:20:38 -04:00
Simo Sorce
a925c2c48d srv_keytab: Pass krb5_context directly, it's all we use anyways.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
70c303a7f3 auth-krb: Move pac related util functions in a single place.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
3fd6deda7d auth-krb: Make functions static.
The remaining gssapi_parse functions were used exclusively in
gensec_krb5.  Move them there and make them static.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
d857e393ac auth-krb: Use simpler method to extract keytype.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
88d5d5c4b4 auth-krb: Nove oid packet check to gensec_util.
This is clearly a utiliy function generic to gensec.  Also the 3 callers
had identical implementations. Provide a generic implementation for all
of them and avoid duplicating the code everywhere.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
f116262a73 s4-auth-krb: Remove dependency on credentials too.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
a46e465ce0 s4-auth-krb: Remove unneded dependency on kerberos_util.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
b226955587 s4-auth-krb: Move keytab functions in a separate file.
Confine ldb dependency.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
670dbde65e s4-auth-krb: Move function into more appropriate header.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Simo Sorce
70f1cd6724 s4-auth-krb: Make cli_credentials_invalidate_client_gss_creds static.
It's not used anywhere else.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Simo Sorce
b574e7cd81 s4-auth-krb: Make impersonate_principal_from_credentials static.
It's not used anywhere else.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Simo Sorce
93aa4511b9 gensec_gssapi: keep private header file close to the actual code
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Stefan Metzmacher
7c715207ad auth/gensec_gssapi: gss_krb5_lucid_context_v1_t is not shared with the gse code anymore
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Mar 15 09:16:16 CET 2012 on sn-devel-104
2012-03-15 09:16:16 +01:00
Andrew Bartlett
b6ba8bdac3 auth/ntlmssp: Remove reference to struct ntlmssp_state 2012-03-09 14:31:25 +11:00
Andrew Bartlett
239c7a355c auth/ntlmssp: Remove gensec_security element from gensec_ntlmssp_state
This just means there is one less pointer to ensure we initialise.

Andrew Bartlett
2012-03-09 14:31:24 +11:00
Andrew Bartlett
9a11f2ea09 auth/kerberos: Fall back to gsskrb5_get_subkey if we did not get the key type
The key type OID is optional, but we require that information to determine if
we should use NEW_SPNEGO.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Mar  8 11:53:57 CET 2012 on sn-devel-104
2012-03-08 11:53:57 +01:00
Andrew Bartlett
5b372d7015 auth/kerberos: Ensure we do not print invalid memory in failure case
This codeblock may not have any set->elements, so we should not print them.  Copy&paste in the original code.

Andrew Bartlett
2012-03-08 10:14:05 +01:00
Andrew Bartlett
111d9f3eb2 auth: Remove plugable password-check functions from gensec_ntlmssp
The auth4_context layer now provides the plugability here.

Andrew Bartlett
2012-02-24 11:23:18 +11:00
Andrew Bartlett
83810f8afa auth: consolidate gensec_ntlmssp_server wrapper functions 2012-02-24 11:23:18 +11:00
Andrew Bartlett
9de7fb8706 s3-ntlm_auth: Convert ntlm_auth to use gensec_ntlmssp server-side
This uses the common gensec_ntlmssp server code for ntlm_auth, removing
the last non-gensec use of the NTLMSSP server.

Andrew Bartlett
2012-02-24 11:23:18 +11:00
Andrew Bartlett
e3cebef0cf auth: Rename some elements of auth4_context
These operate on NTLM authentication, so make that clear.

Andrew Bartlett
2012-02-24 11:23:18 +11:00
Andrew Bartlett
e786e8fef9 auth: Reorder arguments to generate_session_info
This matches check_ntlm_password() and generate_session_info_pac()

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
2012-02-18 02:19:35 +01:00
Andrew Bartlett
c35a7e8c47 auth: Allow the netbios name and domain to be set from winbindd in ntlm_auth3
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Feb 17 12:18:51 CET 2012 on sn-devel-104
2012-02-17 12:18:51 +01:00
Andrew Bartlett
f433baa3c8 auth: Make more of the ntlmssp code private or static
Now that there is only one gensec_ntlmssp server, some of these functions can be static

For the rest, put the implemtnation of the gensec_ntlmssp code into ntlmssp_private.h

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:10 +01:00
Andrew Bartlett
55c630404a auth: Provide a way to specify the NTLMSSP server name to GENSEC
This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller
knows better.  This will allow preservation of current s3 behaviour.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
8b8d1c3a63 auth: Rearrange ntlmssp code for clarity
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
725d551832 auth: Set NTLMSSP_NEGOTIATE_SIGN when session key support is required
This matches the s3 NTLMSSP server.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
9b147ce26d s3-auth Use the common gensec_ntlmssp_update in gensec_ntlmssp3_server
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
9c5b26f864 s3-auth: Use common gensec_ntlmssp server functions for more of gensec_ntlmssp3_server
This is possible because we now supply the auth4_context abstraction that this
code is looking for.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
2f74f2f180 s3-auth: Add extra error messages on authentication or authorization failure
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
b0aa49e9a3 auth: Cope with NO_USER_SESSION_KEY from security=server
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
52ac479764 auth: Move the rest of the source4 gensec_ntlmssp code to the top level
The ntlmssp_server code will be in common shortly, and aside from a
symbol name or two, moving the client code causes no harm and makes
less mess.  We will also get the client code in common very soon.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
8adde1b46b s3-auth Hook checking passwords and generating session_info via the auth4_context
This avoids creating a second auth_context, as it is a private pointer
in the auth4_context that has already been passed in, and makes the
gensec_ntlmssp code agnostic to the type of authentication backend
behind it. This will in turn allow the ntlmssp server code to be
further merged.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
674278d5b0 auth/kerberos: Move gse_get_session_key() to common code and use in gensec_gssapi
Thie ensures that both code bases use the same logic to determine the use
of NEW_SPNEGO.

Andrew Bartlett
2012-02-17 17:36:38 +11:00
Andrew Bartlett
caf485a2bd auth: Pass in the SMB username (for %U) into generate_session_info
This matches what Samba3 does.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Feb 13 01:25:59 CET 2012 on sn-devel-104
2012-02-13 01:25:59 +01:00
Andrew Bartlett
d2ccaaad20 gensec: explain gensec_use_kerberos_mechs() logic
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Feb 10 12:36:23 CET 2012 on sn-devel-104
2012-02-10 12:36:23 +01:00
Andrew Bartlett
93f3fc54e4 gensec: set flag to continue in outer for loop in gensec_use_kerberos_mechs
This should be the correct fix for the valgrind erorr Volker found in
744ed53a62.  This fix avoids putting
SPNEGO into the list twice when we are in the CRED_DONT_USE_KERBEROS
case.

Andrew Bartlett
2012-02-10 20:49:24 +11:00
Andrew Bartlett
901e3b7246 Revert "gensec: Fix a memory corruption in gensec_use_kerberos_mechs"
This reverts commit 744ed53a62.

The real bug here is that the second half of the outer loop should not
have been run once we found spnego.

Andrew Bartlett
2012-02-10 20:49:24 +11:00
Andrew Bartlett
292b86394f credentials: Show returned error_string in debug message 2012-02-10 15:20:33 +11:00
Volker Lendecke
744ed53a62 gensec: Fix a memory corruption in gensec_use_kerberos_mechs
Without this I get the following valgrind error:

==27740== Invalid write of size 8
==27740==    at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112)
==27740==    by 0x62C623: gensec_security_mechs (gensec_start.c:141)
==27740==    by 0x62C777: gensec_security_by_oid (gensec_start.c:181)
==27740==    by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735)
==27740==    by 0x50D6FD: negprot_spnego (negprot.c:210)
==27740==    by 0x5B0DEA: smbd_smb2_request_process_negprot (smb2_negprot.c:209)
==27740==    by 0x5AD036: smbd_smb2_request_dispatch (smb2_server.c:1417)
==27740==    by 0x5AFB77: smbd_smb2_first_negprot (smb2_server.c:2643)
==27740==    by 0x585C00: process_smb (process.c:1641)
==27740==    by 0x587F78: smbd_server_connection_read_handler (process.c:2314)
==27740==    by 0x587FD6: smbd_server_connection_handler (process.c:2331)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x584AFF: smbd_server_connection_loop_once (process.c:984)
==27740==    by 0x58B2D9: smbd_process (process.c:3389)
==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740==    by 0xDE6DD8: main (server.c:1413)
==27740==  Address 0x9ff3538 is 4,232 bytes inside a block of size 8,288 alloc'd
==27740==    at 0x4C261D7: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27740==    by 0x6926965: __talloc (talloc.c:560)
==27740==    by 0x6926771: talloc_pool (talloc.c:598)
==27740==    by 0x93B927: talloc_stackframe_internal (talloc_stack.c:145)
==27740==    by 0x93B9D6: talloc_stackframe_pool (talloc_stack.c:171)
==27740==    by 0x58B2B7: smbd_process (process.c:3385)
==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740==    by 0xDE6DD8: main (server.c:1413)

In the for-loop we can increment j twice, so we need twice as many output array
elements as input array elements.

Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Thu Feb  9 19:44:47 CET 2012 on sn-devel-104
2012-02-09 19:44:47 +01:00
Andrew Bartlett
e4546f50fe auth: rename ntlmssp.c to ntlmssp_util.c 2012-02-08 16:30:25 +11:00
Andrew Bartlett
3ddb983c10 gensec: inline gensec_generate_session_info() into only caller
This avoids casting to and from the struct auth_user_info_dc *user_info_dc

to to this, the

if (user_info_dc->info->authenticated)

is moved into auth_generate_session_info_wrapper(), which is the
function that gensec_security->auth_context->generate_session_info
points to.

Andrew Bartlett
2012-01-30 08:05:14 +01:00
Andrew Bartlett
a647df4607 auth: Make check_password and generate_session_info hook generic
gensec_ntlmssp does not need to know the internal form of the
struct user_info_dc or auth_serversupplied_info.  This will allow the
calling logic to be put in common.

Andrew Bartlett
2012-01-30 08:05:14 +01:00
Andrew Bartlett
697a6e9504 auth: provide private pointer and do not return original PAC signatures
There is no need to return the PAC signatures via the special-purpose
torture element.  Instead, use a private pointer on the auth_context
in conjunction with the private PAC processing method.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sun Jan 29 23:52:50 CET 2012 on sn-devel-104
2012-01-29 23:52:50 +01:00
Stefan Metzmacher
8dd63b9343 auth/gensec_gssapi: sync gensec_gssapi_state with gse_context
Both use gss_krb5_lucid_context_v1_t now.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 25 10:22:31 CET 2012 on sn-devel-104
2012-01-25 10:22:31 +01:00
Andrew Bartlett
6411faf379 auth/gensec: align common elements between gse_context and gensec_gssapi_state
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 18 19:29:40 CET 2012 on sn-devel-104
2012-01-18 19:29:40 +01:00
Stefan Metzmacher
342be2851a s3:build: add auth/gensec/spnego.o
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Jan 13 06:32:30 CET 2012 on sn-devel-104
2012-01-13 06:32:30 +01:00
Stefan Metzmacher
01f246e873 auth/gensec: move spnego.c to the toplevel
metze
2012-01-13 04:58:41 +01:00
Stefan Metzmacher
d88af2fe24 auth/gensec: common helper functions should be in gensec_util.c
This makes the dependencies easier to handle.

metze
2012-01-13 04:58:41 +01:00
Stefan Metzmacher
edaa933b17 auth/gensec: add some more functions from gensec_start.c to gensec.h
metze
2012-01-13 04:58:40 +01:00
Stefan Metzmacher
bb6e64802e auth/gensec: make sure functions from gensec.c are in gensec.h
metze
2012-01-13 04:58:40 +01:00
Stefan Metzmacher
891318ee4c s4:auth/gensec/spnego: add support for fragmented spnego messages
metze
2012-01-12 13:15:08 +01:00
Stefan Metzmacher
6eea2c33c7 auth/gensec: add gensec_*max_update_size()
This is only a hint for the backend, which may want to fragment
update tokens.

metze
2012-01-12 13:15:08 +01:00
Andrew Bartlett
b69c40ffce auth/kerberos: Remove unused TALLOC_CTX argument to check_pac_checksum 2012-01-12 18:02:54 +11:00
Andrew Bartlett
5c92e9a46f gensec: Make sure to check the optional auth_context hooks before using them
These are optional to supply - some callers only provide an auth_context for the
other plugin functions, and so we need to deal with this cleanly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:15:42 +01:00
Andrew Bartlett
98ba33b258 gensec: Rename want_flags and got_flags in gensec_gssapi
This make it clearer what type of flags these are.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:11:22 +01:00
Andrew Bartlett
226c3ef7a6 gensec: make gensec_gssapi.h common
This will make it easier to share elements of the GSSAPI gensec mechs,
in much the same way elements of the NTLMSSP mech are shared.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:10:02 +01:00
Andrew Bartlett
f5a117172e gensec: move gensec_util.c to the top level
To do this some defines need to move to common_auth.h

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:02:41 +01:00
Andrew Bartlett
14c8a13d3e auth: make auth4_context common to provide access to generate_session_info_pac()
By providing this context, a function pointer for
generate_session_info_pac() can be inserted into gensec, allowing the
s3 PAC processing in an otherwise more generic gensec module.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 08:59:34 +01:00
Andrew Bartlett
b213514631 auth/kerberos: Remove unused headers from gssapi_parse.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 08:25:20 +01:00
Andrew Bartlett
356f7989eb auth/credentials Remove debug that prints in normal operation
The fact that this function is unimplemented is unimportant to the callers
as credential caches are not handled via the auth/credentials code in s3.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jan  9 03:24:36 CET 2012 on sn-devel-104
2012-01-09 03:24:36 +01:00
Andrew Bartlett
2f0ba1435d auth/kerberos: Rename memory contexts for greater clarity
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.

Thankyou Simo for the suggestion.

Andrew Bartlett
2011-12-29 22:26:06 +11:00
Andrew Bartlett
149f8f16be s4-gensec: Move parsing of the PAC blob and creating the session_info into auth
This uses a single callback to handle the PAC from the DATA_BLOB
format until it becomes a struct auth_session_info.

This allows a seperation between the GSS acceptor code and the PAC
interpretation code based on the supplied auth context.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
2011-12-29 01:10:58 +01:00
Andrew Bartlett
f320fb3df4 auth/kerberos: Make pac_data_out in kerberos_decode_pac() optional 2011-12-29 09:36:24 +11:00
Andrew Bartlett
9a085b0b80 auth/kerberos: Move gssapi_parse.c to the top level
This will help with writing a gensec module for the s3 gse layer.

Andrew Bartlett
2011-12-28 22:39:19 +11:00
Andrew Bartlett
1baf916399 credentials: Always honour the return value of E_deshash()
When this returns false, the hash value is not correct as the password
could not be converted into an uppercase, 14 char or less ASCII string.

Andrew Bartlett
2011-12-28 22:39:19 +11:00
Andrew Bartlett
4b7b26e3c0 gensec: Allow an alternate set of modules to be specified
This will allow s3 to specify modules to use as a list, rather than
needing to start the individual module with gensec_start_mech_by_ops()

Andrew Bartlett
2011-12-28 22:39:19 +11:00
Andrew Bartlett
dbbb626dc0 s4-dns Use match-by-key in GSSAPI server if principal is not specified
This allows dlz_bind9 to match on exactly the same key as bind9 itself

Andrew Bartlett

Autobuild-User: Amitay Isaacs <amitay@samba.org>
Autobuild-Date: Wed Dec  7 02:20:10 CET 2011 on sn-devel-104
2011-12-07 02:20:10 +01:00
Jelmer Vernooij
05bc4de083 Revert making public of the samba-module library.
This library was tiny - containing just two public functions than were
themselves trivial. The amount of overhead this causes isn't really worth the
benefits of sharing the code with other projects like OpenChange. In addition, this code
isn't really generically useful anyway, as it can only load from the module path
set for Samba at configure time.

Adding a new library was breaking the API/ABI anyway, so OpenChange had to be
updated to cope with the new situation one way or another. I've added a simpler
(compatible) routine for loading modules to OpenChange, which is less than 100 lines of code.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Dec  3 08:36:33 CET 2011 on sn-devel-104
2011-12-03 08:36:30 +01:00
Jeremy Allison
3e6e1aed94 Fix a bunch of "warning: variable ‘XXXX’ set but not used [-Wunused-but-set-variable]" warnings from the new gcc.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Mon Nov 21 23:39:08 CET 2011 on sn-devel-104
2011-11-21 23:39:08 +01:00
Andrew Tridgell
ba41389d3d test: fixed several tests to use samba.tests
this fixes error checking. Test failures were not being detected
otherwise

Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
2011-11-10 14:24:21 +11:00
Andrew Bartlett
7f8f7159af lib/util Rename samba_modules_load -> samba_module_init_fns_for_subsystem
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
0ce09fcf7a lib/util Rename samba_init_module_fns_run -> samba_module_init_fns_run
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
1b7cc4ac7c lib/util Rename samba_init_module_fn -> samba_module_init_fn
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
87354c9a6d lib/util Split samba-modules library into public and private parts
This will allow OpenChange to get at the symbols it needs, without
exposing any more of this as a public API than we must.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
b7b798e15b lib/util Rename load_samba_modules -> samba_modules_load
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
ce0ccc2a2e lib/util Rename run_init_functions -> samba_init_module_fns_run
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
1935b7b6c2 lib/util Rename init_module_fn to samba_init_module_fn
This prepares for making the samba_module.h header public again, for OpenChange.

I am keen to avoid too much API namespace pollution if we can.
2011-10-28 13:10:28 +02:00
Andrew Bartlett
7cf00e3231 gensec: Add parinoia about integer wrapping 2011-10-28 13:10:28 +02:00
Simo Sorce
8870daeb8d idl: Improve MS-PAC IDL
Change some misleading variable names to reflect the actual function.
Add missing field name/types previously marked as unkown.

Signed-off-by: Günther Deschner <gd@samba.org>

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Oct 24 19:19:28 CEST 2011 on sn-devel-104
2011-10-24 19:19:28 +02:00
Stefan Metzmacher
c9ddc50108 auth/gensec: fix missleading comment
We don't talloc_reference for tsocket_addresses.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Oct 24 15:29:47 CEST 2011 on sn-devel-104
2011-10-24 15:29:47 +02:00
Stefan Metzmacher
061dad7727 auth/gensec: replace #if _SAMBA_BUILD_ == 4 by a feature test
metze
2011-10-22 09:28:26 +02:00
Andrew Bartlett
e7d5f0a357 gensec: move event context from gensec_*_init() to gensec_update()
This avoids keeping the event context around on a the gensec_security
context structure long term.

In the Samba3 server, the event context we either supply is a NULL
pointer as no server-side modules currently use the event context.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:33 +11:00
Andrew Bartlett
3f9ab2e8e7 ntlmssp: Refuse to seal if we did not negotiate to sign
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:33 +11:00
Andrew Bartlett
86d684e4d6 gensec: Refuse to seal if we did not negotiate to sign
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:33 +11:00
Andrew Bartlett
0d5de7e19c gensec: Assert that we have not been subject to a downgrade attack in DCE/RPC clients
Because of the calling convention, this is the best place to assert
that we have not been subject to a downgrade attack on the negotiated
features.  (In DCE/RPC, this isn't a negotiation, the client simply
specifies the level of protection that is required).

Andrew Bartlett

(some formatting fixes)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:32 +11:00
Andrew Bartlett
c77964724d gensec: an event context is no longer mandetory
If you do not specify one however, you better know that the modules
you are using do not need one!

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:32 +11:00
Andrew Bartlett
02eef4d130 ntlmssp: Put members from auth_ntlmssp_state into gensec_ntlmssp_state
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:32 +11:00
Andrew Bartlett
968b3674b1 ntlmssp: Prepare gensec_ntlmssp_start() for broader use
This moves the allocation of the ntlmssp pointer back to the callers.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Andrew Bartlett
0c6e4adcb2 ntlmssp: Move ntlmssp code to auth/ntlmssp
This brings in the code from both libcli/auth and
source4/auth/ntlmssp.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Andrew Bartlett
5e6543ad76 build: compile gensec_start.c and credentials.c in the autoconf build
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Andrew Bartlett
734e5c521c credentials: Prioritise command-line specified options above defaults from smb.conf
If a user specified -W or --realm on the command line, then this is
of level SPECIFIED, not UNINITIALISED, despite it going via the
loadparm system.

This helps us to ensure that -W server -Ulocaluser is parsed the
same as -Userver\localuser.  This matters as otherwise we might
instead attempt to use kerberos to the realm from the smb.conf.

Andrew Bartlett
2011-10-18 13:13:30 +11:00
Andrew Bartlett
454986298a gensec: trim header includes back to what is actually required
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 11 06:13:08 CEST 2011 on sn-devel-104
2011-10-11 06:13:08 +02:00
Andrew Bartlett
534355fecf auth/credentials Declare remaining functions are public interfaces and put into credentials.h
This is in preperation for this file being used by s3, and recognises that these are all
reasonable, public interfaces but were not declared as such in the past.

Andrew Bartlett
2011-10-11 13:41:36 +11:00
Andrew Bartlett
fe02752ed6 auth: move gensec_start.c to the top level
This does not change who uses gensec for now, but makes it possible to
write new gensec modules outside source4/

Andrew Bartlett
2011-10-11 13:41:36 +11:00
Andrew Bartlett
561d834123 auth: move credentials layer to the top level
This will allow gensec_start.c to move to the top level.  This does not change
what code uses the cli_credentials code, but allows the gensec code to be
more broadly.

Andrew Bartlett
2011-10-11 13:41:36 +11:00
Ewoud Kohl van Wijngaarden
2d6571d2e5 Add missing com_err dependencies
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Thu Oct  6 02:10:21 CEST 2011 on sn-devel-104
2011-10-06 02:10:21 +02:00
Andrew Bartlett
af5f494bd2 build: provide tevent-util as a public library
This is needed so that OpenChange can get at _tevent_req_nterr(), which is referenced
by generated PIDL output.

Andrew Bartlett
2011-08-08 13:34:06 +02:00
Andrew Bartlett
35b309fa0c gensec: clarify memory ownership for gensec_session_info() and gensec_session_key()
This is slightly less efficient, because we no longer keep a cache on
the gensec structures, but much clearer in terms of memory ownership.
Both gensec_session_info() and gensec_session_key() now take a mem_ctx
and put the result only on that context.

Some duplication of memory in the callers (who were rightly uncertain
about who was the rightful owner of the returned memory) has been
removed to compensate for the internal copy.

Andrew Bartlett
2011-08-03 18:48:02 +10:00
Andrew Bartlett
d3fe48ba48 gensec: Remove mem_ctx from calls that do not return memory
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:01 +10:00
Andrew Bartlett
16b2118b43 gensec: split GENSEC into mechanism-dependent and runtime functions
The startup and runtime functions that have no dependencies are moved
into the top level.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:01 +10:00
Andrew Bartlett
9d09b66f41 auth: Set NETLOGON_GUEST and use it to determine guest status
These additional measures should help ensure we do not accidentily upgrade
a guest to an authenticated user in the future.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:14 +10:00
Andrew Bartlett
7f64ea456b auth: Move make_user_info_SamBaseInfo() to talloc_strdup and out of memory checking
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:14 +10:00
Andrew Bartlett
52b28ec813 auth: Split out make_user_info_SamBaseInfo and add authenticated argument
This will allow the source3 auth code to call this without needing to
double-parse the SIDs

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:14 +10:00
Andrew Bartlett
a39187f0f5 auth: include auth.idl structures into common_auth.h
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:10 +10:00
Andrew Bartlett
fa18267042 auth: Preserve guest flag on transition via netr_SamInfo3
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:10 +10:00
Andrew Bartlett
55ad1da888 Add my copyright
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:09 +10:00
Stefan Metzmacher
9ba10877aa auth/kerberos/gssapi_pac: fix compiler warnings
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun 15 19:06:24 CEST 2011 on sn-devel-104
2011-06-15 19:06:24 +02:00
Günther Deschner
9211f232aa auth/auth_sam_reply.h: fix licence/copyright
Guenther
2011-06-10 15:11:16 +02:00
Andrew Bartlett
a2ff3e7c61 build: Make auth_sam_reply a library 2011-05-18 16:12:08 +02:00
Andrew Bartlett
6990536000 auth: allow auth_common.h to be included multiple times without error 2011-05-08 10:56:27 +02:00
Gordon Ross
ac25835ab7 Fix Samba3 on OpenIndiana.
I'd like Samba to use the native OpenLDAP and MIT Kerberos libs.
Attached are some patches to do that. (relative to git master)
It does not build for me without these.

(OpenIndiana is an off-shoot of OpenSolaris  See http://www.openindiana.org)

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat May  7 02:20:14 CEST 2011 on sn-devel-104
2011-05-07 02:20:14 +02:00
Andrew Bartlett
47e2870228 auth/kerberos Add check for gss_inquire_sec_context_by_oid
Not all kerberos distributions have this function.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Apr 27 07:39:08 CEST 2011 on sn-devel-104
2011-04-27 07:39:08 +02:00
Andrew Bartlett
f0ce322c77 auth/kerberos Move all the PAC handling functions to auth/kerberos 2011-04-27 11:56:48 +10:00
Andrew Bartlett
6ec4306f8c auth/kerberos: Create common helper to get the verified PAC from GSSAPI
This only works for Heimdal and MIT Krb5 1.8, other versions will get
an ACCESS_DEINED error.

We no longer manually verify any details of the PAC in Samba for
GSSAPI logins, as we never had the information to do it properly, and
it is better to have the GSSAPI library handle it.

Andrew Bartlett
2011-04-27 11:56:48 +10:00
Günther Deschner
7a558ea27c s3-waf: fix the build after auth changes.
Andrews, please check.

Guenther
2011-02-10 12:58:06 +01:00
Andrew Bartlett
4cfee6f88e auth Move auth_sam_reply into the top level.
These functions provide conversions between some netlogon.idl and
auth.idl structures

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-10 06:51:06 +01:00
Günther Deschner
95f9542e05 s3-auth: remove global include of krb5pac.h.
Guenther
2010-08-31 23:17:40 +02:00
Andrew Bartlett
23994e1b53 s3:auth Make Samba3 use the new common struct auth_usersupplied_info
This common structure will make it much easier to produce an auth
module for s3compat that calls Samba4's auth subsystem.

In order the make the link work properly (and not map twice), we mark
both that we did try and map the user, as well as if we changed the
user during the mapping.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-14 11:58:13 +10:00
Andrew Bartlett
272e49e85c s4:auth Move struct auth_usersupplied_info to a common location
This also changes the calling convention slightly - we should always
allocate this with talloc_zero() to allow some elements to be
optional.  Some elements may only make sense in Samba3, which I hope
will use this common structure.

Andrew Bartlett
2010-08-14 11:58:13 +10:00