1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

38 Commits

Author SHA1 Message Date
Stefan Metzmacher
4b295b106c wscript: remove executable bits for all wscript* files
These files should not be executable.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144
2017-01-11 20:21:01 +01:00
Stefan Metzmacher
ab25cdfa9d CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
aes based checksums can only be checked with the
corresponding aes based keytype.

Otherwise we may trigger an undefined code path
deep in the kerberos libraries, which can leed to
segmentation faults.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 07:51:14 +01:00
Günther Deschner
a5264b187b mit: make it possible to build with MIT kerberos and --picky-developer
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-09-29 08:02:18 +02:00
Christof Schmitt
20319ba51e gensec: Change log level for message when obtaining PAC from gss_get_name_attribute failed
This is the second part for the issue from commit 8bb4fccd. A KDC that
does not return a PAC first triggers this message, then the "resorting
to local user lookup" one. Change the log level for the "obtaining PAC
via GSSAPI gss_get_name_attribute" message as well to avoid spamming the
logs during normal usage. While changing this message, also remove the
discard_const since it is no longer required.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul  6 04:27:03 CEST 2016 on sn-devel-144
2016-07-06 04:27:03 +02:00
Uri Simchoni
77f3730295 auth: fix a memory leak in gssapi_get_session_key()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12006

Signed-off-by: Uri Simchoni <uri@samba.org>
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Richard Sharpe <sharpe@samba.org>
Autobuild-Date(master): Wed Jul  6 00:40:15 CEST 2016 on sn-devel-144
2016-07-06 00:40:15 +02:00
Andreas Schneider
ab0cbf9bba auth: Fix picky const warnings in gssapi_pac
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-11-23 15:17:18 +01:00
Stefan Metzmacher
8a4c0abb3e auth/kerberos: add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
These make use of gss_[un]wrap_iov[_length]() where required and support
header signing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
bf77d78fd8 auth/kerberos: remove allow_warnings=True
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-20 20:43:12 +01:00
Stefan Metzmacher
21ed0efac0 auth/kerberos: avoid compiler warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-20 20:43:12 +01:00
Andrew Bartlett
e48d136e3a auth/kerberos: Do a string comparison in kerberos_decode_pac() not a principal comparison
This ensures that if an enterprise principal is used, we do the
comparison properly

This matters as in the enterprise case, which can be triggered by MIT
kinit -E, does not use canonicalization, and so the enterprise name,
with the @ in it, is in the logon name.

Otherwise, we get errors like:
 Name in PAC [TESTALLOWED@WIN2012R2] does not match principal name in ticket

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Stefan Metzmacher
35e9915589 auth/kerberos: explicitly use allow_warnings=True
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 09:03:46 +02:00
Günther Deschner
baed403983 auth/kerberos: fix a typo.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-12 10:13:20 +01:00
Andrew Bartlett
d59688a8e7 auth/kerberos: add HAVE_KRB5 guard to fix non-krb5 build after winbindd pac changes
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Sep 22 02:44:07 CEST 2012 on sn-devel-104
2012-09-22 02:44:07 +02:00
Christof Schmitt
05befd2f73 auth/kerberos: Adjust log level for failed PAC signature verification
With winbindd trying to verify the signature of an application provided
PAC, this message can be easily triggered. Adjust the debug level to
avoid filling up the logs.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-09-20 19:49:32 -07:00
Andrew Bartlett
0f21fe7666 auth/kerberos: Do not do pointer arithmatic on a void *
Found with -Werror=pointer-arith

Andrew Bartlett
2012-07-30 14:25:09 +10:00
Christof Schmitt
7285ed586f auth: Common function for retrieving PAC_LOGIN_INFO from PAC
Several functions use the same logic as kerberos_pac_logon_info. Move
kerberos_pac_logon_info to common code and reuse it to remove the code
duplication.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-06 20:45:51 +10:00
Alexander Bokovoy
238d24af4e auth-kerberos: avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute()
gss_get_name_attribute() can return unintialized pac_display_buffer
and later gss_release_buffer() will crash on attempting to release it.

The fix on MIT krb5 side is in 1.10.1, reported in both Debian and MIT upstream:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514
http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087

We need to initialize variables before using gss_get_name_attribute()

Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Jun  6 18:22:51 CEST 2012 on sn-devel-104
2012-06-06 18:22:51 +02:00
Andreas Schneider
2b144531f1 gse: Use the smb_gss_oid_equal wrapper.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-05-23 17:51:51 +03:00
Alexander Bokovoy
594e316181 lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into lib/replace/system/gssapi.h
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.

Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.

Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
2012-04-25 00:18:32 +02:00
Simo Sorce
08c733d75f Make krb5 wrapper library common so they can be used all over 2012-04-23 19:20:38 -04:00
Simo Sorce
70c303a7f3 auth-krb: Move pac related util functions in a single place.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
3fd6deda7d auth-krb: Make functions static.
The remaining gssapi_parse functions were used exclusively in
gensec_krb5.  Move them there and make them static.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
d857e393ac auth-krb: Use simpler method to extract keytype.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
88d5d5c4b4 auth-krb: Nove oid packet check to gensec_util.
This is clearly a utiliy function generic to gensec.  Also the 3 callers
had identical implementations. Provide a generic implementation for all
of them and avoid duplicating the code everywhere.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Andrew Bartlett
9a11f2ea09 auth/kerberos: Fall back to gsskrb5_get_subkey if we did not get the key type
The key type OID is optional, but we require that information to determine if
we should use NEW_SPNEGO.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Mar  8 11:53:57 CET 2012 on sn-devel-104
2012-03-08 11:53:57 +01:00
Andrew Bartlett
5b372d7015 auth/kerberos: Ensure we do not print invalid memory in failure case
This codeblock may not have any set->elements, so we should not print them.  Copy&paste in the original code.

Andrew Bartlett
2012-03-08 10:14:05 +01:00
Andrew Bartlett
674278d5b0 auth/kerberos: Move gse_get_session_key() to common code and use in gensec_gssapi
Thie ensures that both code bases use the same logic to determine the use
of NEW_SPNEGO.

Andrew Bartlett
2012-02-17 17:36:38 +11:00
Andrew Bartlett
b69c40ffce auth/kerberos: Remove unused TALLOC_CTX argument to check_pac_checksum 2012-01-12 18:02:54 +11:00
Andrew Bartlett
b213514631 auth/kerberos: Remove unused headers from gssapi_parse.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 08:25:20 +01:00
Andrew Bartlett
2f0ba1435d auth/kerberos: Rename memory contexts for greater clarity
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.

Thankyou Simo for the suggestion.

Andrew Bartlett
2011-12-29 22:26:06 +11:00
Andrew Bartlett
f320fb3df4 auth/kerberos: Make pac_data_out in kerberos_decode_pac() optional 2011-12-29 09:36:24 +11:00
Andrew Bartlett
9a085b0b80 auth/kerberos: Move gssapi_parse.c to the top level
This will help with writing a gensec module for the s3 gse layer.

Andrew Bartlett
2011-12-28 22:39:19 +11:00
Ewoud Kohl van Wijngaarden
2d6571d2e5 Add missing com_err dependencies
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Thu Oct  6 02:10:21 CEST 2011 on sn-devel-104
2011-10-06 02:10:21 +02:00
Stefan Metzmacher
9ba10877aa auth/kerberos/gssapi_pac: fix compiler warnings
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun 15 19:06:24 CEST 2011 on sn-devel-104
2011-06-15 19:06:24 +02:00
Gordon Ross
ac25835ab7 Fix Samba3 on OpenIndiana.
I'd like Samba to use the native OpenLDAP and MIT Kerberos libs.
Attached are some patches to do that. (relative to git master)
It does not build for me without these.

(OpenIndiana is an off-shoot of OpenSolaris  See http://www.openindiana.org)

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat May  7 02:20:14 CEST 2011 on sn-devel-104
2011-05-07 02:20:14 +02:00
Andrew Bartlett
47e2870228 auth/kerberos Add check for gss_inquire_sec_context_by_oid
Not all kerberos distributions have this function.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Apr 27 07:39:08 CEST 2011 on sn-devel-104
2011-04-27 07:39:08 +02:00
Andrew Bartlett
f0ce322c77 auth/kerberos Move all the PAC handling functions to auth/kerberos 2011-04-27 11:56:48 +10:00
Andrew Bartlett
6ec4306f8c auth/kerberos: Create common helper to get the verified PAC from GSSAPI
This only works for Heimdal and MIT Krb5 1.8, other versions will get
an ACCESS_DEINED error.

We no longer manually verify any details of the PAC in Samba for
GSSAPI logins, as we never had the information to do it properly, and
it is better to have the GSSAPI library handle it.

Andrew Bartlett
2011-04-27 11:56:48 +10:00