samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00

Author	SHA1	Message	Date
Andreas Schneider	e467eefb10	gensec: Cast data for MIT Kerberos correctly In Heimdal the data pointer is a void pointer so casting to 'char *' is not an issue. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2017-01-12 15:35:12 +01:00
Andreas Schneider	9b263c5778	gensec: Fix picky developer with MIT Kerberos Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2017-01-12 15:35:12 +01:00
Stefan Metzmacher	4b295b106c	wscript: remove executable bits for all wscript* files These files should not be executable. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144	2017-01-11 20:21:01 +01:00
Stefan Metzmacher	3a870baee8	s4:gensec_gssapi: require a realm in gensec_gssapi_client_start() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-01-10 13:54:17 +01:00
Stefan Metzmacher	48bcca566e	s4:gensec_gssapi: the value gensec_get_target_principal() should overwrite gensec_get_target_hostname() If gensec_get_target_principal() has a value, we no longer have to verify the gensec_get_target_hostname() value, it can be just an ipadress. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-01-10 13:54:17 +01:00
Stefan Metzmacher	ea0c35fbd1	s4:auth/gensec: remove unused dependencies to gensec_util gensec_util only contains gensec_tstream and is already a public_dep of 'gensec' itself. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-01-10 13:54:17 +01:00
Volker Lendecke	efb5f38f1f	auth4: Use "all_zero" where appropriate ... Saves a few bytes of footprint Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>	2017-01-03 16:04:29 +01:00
Andreas Schneider	fd98174443	auth/gensec: Fix typo in log message Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2016-12-24 17:16:06 +01:00
David Mulder	99d8788028	auth/gensec: Remove unneeded cli_credentials_set_conf() call The cli_credentials_set_client_gss_creds() will set the correct realm from the gss creds. Pair-Programmed-With: Andreas Schneider <asn@samba.org> Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: David Mulder <dmulder@suse.com> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>	2016-12-24 17:16:06 +01:00
Stefan Metzmacher	6459543b5a	CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default This disabled the usage of GSS_C_DELEG_FLAG by default, as GSS_C_DELEG_POLICY_FLAG is still used by default we let the KDC decide if we should send delegated credentials to a remote server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Simo Sorce <idra@samba.org>	2016-12-20 07:51:14 +01:00
Garming Sam	683fcad3ca	doc: Add doxygen for functions in srv_keytab.c Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10882	2016-11-22 02:10:16 +01:00
Garming Sam	b02da11498	s4-auth: Don't check for NULL saltPrincipal if it doesn't need it This check causes 4.1 domains to be unable to change their DNS backend correctly as they do not have the saltPrincipal value stored. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10882 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-11-22 02:10:16 +01:00
Stefan Metzmacher	558e78c7e3	s4:gensec_gssapi: We need to use the users realm in the target_principal This is important in order to let the kdc of the users realm start with the trust referral routing. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2016-11-15 11:00:26 +01:00
Stefan Metzmacher	f0afefefe4	s4:gensec_gssapi: pass gss_got_flags to gssapi_get_sig_size() We need to calculate the signature length based on the negotiated flags. This is most important on the server side where, gss_accept_sec_context() doesn't get gss_want_flags, but fills gss_got_flags. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2016-10-26 11:20:12 +02:00
Stefan Metzmacher	cca980eb51	s4:gensec_krb5: also report support for GENSEC_FEATURE_SIGN as krb5_mk_priv() provides sign and seal Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2016-10-26 11:20:12 +02:00
Andreas Schneider	28eae08ef7	gensec_krb5: Implement smb_krb5_rd_req_decoded() with MIT Kerberos Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Thu Sep 29 11:56:41 CEST 2016 on sn-devel-144	2016-09-29 11:56:41 +02:00
Andreas Schneider	64b2b0dacd	gensec_krb5: Create a MIT Kerberos gensec_krb5_session_info() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>	2016-09-29 08:02:18 +02:00
Volker Lendecke	0a42a4c14b	wbclient: "ev" is no longer used in wbc_sids_to_xids Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2016-09-28 00:04:36 +02:00
Andreas Schneider	4a8b588dc0	gensec_krb5: Do not leak memory of target_principal CID 1372504 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri Sep 9 04:20:04 CEST 2016 on sn-devel-144	2016-09-09 04:20:04 +02:00
Andreas Schneider	2ac297562f	krb5_wrap: Rename kerberos_kinit_s4u2_cc() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:16 +02:00
Andreas Schneider	696cfcb3c0	krb5_wrap: Rename kerberos_kinit_password_cc() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:16 +02:00
Andreas Schneider	15c5dd700c	krb5_wrap: Rename kerberos_kinit_keyblock_cc() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:16 +02:00
Andreas Schneider	1877950250	krb5_wrap: Rename get_krb5_smb_session_key() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:14 +02:00
Andreas Schneider	e8632e2af5	krb5_wrap: Rename kerberos_free_data_contents() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:13 +02:00
Andreas Schneider	81917a1162	krb5_wrap: Rename setup_kaddr() Use a better and consistent name and switch the arguments to reflect the name. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:13 +02:00
Andreas Schneider	faa3bef690	gensec_krb5: Use get_krb5_smb_session_key() in gensec_krb5_session_key() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Aug 30 15:24:02 CEST 2016 on sn-devel-144	2016-08-30 15:24:02 +02:00
Andreas Schneider	7f9a075d9c	gensec_krb5: Use implementation idependent krb5_mk_req_extended() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00
Andreas Schneider	739a7adaef	gensec_krb5: Use kerberos_free_data_contents() to free krb5 data Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00
Andreas Schneider	8268501972	gensec_krb5: Only set the event context with Heimdal Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00
Andreas Schneider	7ea7b60649	gensec_krb5: Use krb5_wrap setup_kaddr() to convert address Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00
Andreas Schneider	ab8628ac7a	gensec_krb5: Rename smb_rd_req_return_stuff() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:14 +02:00
Andreas Schneider	de224d7006	gensec_krb5: Rename gensec_krb5_util to gensec_krb5_heimdal Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:14 +02:00
Stefan Metzmacher	8b1f5cad95	auth/auth_sam_reply: fill user_principal_* and dns_domain_name in make_user_info_dc_pac() This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO correctly. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-07-22 23:34:22 +02:00
Stefan Metzmacher	3eba60aa65	auth/wbc_auth_util: change wbcAuthUserInfo_to_netr_SamInfo* from level 3 to 6 This includes user_principal_name and dns_domain_name. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:26 +02:00
Stefan Metzmacher	b67ea0e123	s4:auth/kerberos: improve error message in kerberos_pac_to_user_info_dc() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:26 +02:00
Stefan Metzmacher	6257003dff	s4:auth: fill user_principal_* and dns_domain_name in authsam_make_user_info_dc() This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO correctly. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:26 +02:00
Stefan Metzmacher	432e83bf5b	s4:auth: make use of lpcfg_sam_name() in authsam_get_user_info_dc_principal() This is more generic and matches all other places. As this is only used in the KDC it's not a real logic change. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:26 +02:00
Stefan Metzmacher	853c2a6d8a	s4:auth/sam: update the logonCount for interactive logons Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:24 +02:00
Stefan Metzmacher	869616ceb9	s4:auth/sam: don't update lastLogon just because it's 0 currently Non interactive logons doesn't trigger an update unless the (effective) badPwdCount is not 0 and lockoutTime is 0. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:24 +02:00
Stefan Metzmacher	1acd477960	s4:auth/sam: only reset badPwdCount when the effetive value is not 0 already Non interactive logons doesn't reset badPwdCount to 0 when the effective badPwdCount is already 0 (with (badPasswordTime + lockOutObservationWindows) < now). Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:24 +02:00
Stefan Metzmacher	b73cb40dd2	s4:auth_sam: don't allow interactive logons with UF_SMARTCARD_REQUIRED BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:23 +02:00
Stefan Metzmacher	9be4860511	s4:auth/sam: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change() The logic in samdb_result_force_password_change() is incomplete and the correct logic is already available via the constructed "msDS-UserPasswordExpiryTimeComputed" attribute. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:23 +02:00
Andreas Schneider	a737efe2bd	s4-ntlm: Fix a NULL pointer dereference in error path Found by clang compiler. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed Jun 22 23:21:33 CEST 2016 on sn-devel-144	2016-06-22 23:21:33 +02:00
Stefan Metzmacher	d247dceaaa	s4:auth_anonymous: anonymous authentication doesn't allow a password BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-04-28 16:51:16 +02:00
Stefan Metzmacher	8704958fb3	s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-04-28 16:51:15 +02:00
Stefan Metzmacher	4c4829634f	CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-04-12 19:25:23 +02:00
Stefan Metzmacher	0f6713826d	s4:pygensec: make sig_size() and sign/check_packet() available Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-03-10 06:52:27 +01:00
Aurelien Aptel	34ae5c5083	s4/auth/ntlm/auth_unix.c: add parens operator \| has lower precedence than ?: so add parens to have the expected result. Signed-off-by: Aurelien Aptel <aaptel@suse.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org>	2016-03-10 00:08:11 +01:00
Andrew Bartlett	ffc7536330	pyauth: Use pytalloc_BaseObject_PyType_Ready() This changes pyauth to use talloc.BaseObject() just like the PIDL output Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>	2016-03-08 01:58:29 +01:00
Andrew Bartlett	0f35167d76	pygensec: Use pytalloc_BaseObject_PyType_Ready() This changes pygensec to use talloc.BaseObject() just like the PIDL output Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>	2016-03-08 01:58:29 +01:00

1 2 3 4 5 ...

1828 Commits