IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
If header signing is requested we should error out instead of
silently ignoring it, our peer would hopefully reject it,
but we should also do that.
TODO: we should implement header signing using gss_wrap_iov().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We had a warning about the enum being defined in the parameter list:
warning: ‘enum credentials_obtained’ declared inside parameter list
Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Autobuild-User(master): Matthieu Patou <mat@samba.org>
Autobuild-Date(master): Sun Oct 27 02:25:47 CET 2013 on sn-devel-104
We should treat most gensec related structures private.
It's a long way, but this is a start.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
gensec_session_key() will return NT_STATUS_NO_USER_SESSION_KEY
before calling schannel_session_key(), as we don't provide
GENSEC_FEATURE_SESSION_KEY.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
There's a sequence number attached to the connection,
which needs to be incremented with each message...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We need to use the same computer_name we used in the netr_Authenticate3
request.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Mar 2 03:57:34 CET 2013 on sn-devel-104
Signed-off-by: Guenter Kukkukk <kukks@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Feb 12 07:28:27 CET 2013 on sn-devel-104
This change moves the addition of "Authenticated Users" from the very end of the
token processing to the start. The reason is that we need to see if
"Authenticated Users" is a member of other builtin groups, just as we
would for any other SID. This picks up the "Pre-Windows 2000 Compatible Access"
group, which is in turn often used in ACLs on LDAP objects.
Without this change, the eventual token does not contain S-1-5-32-554
and users other than "Administrator" are unable to read uidNumber
(in particular).
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows a password alone to be used to accept kerberos tickets.
Of course, we need to have got the salt right, but we do not need also
the correct kvno. This allows gensec_gssapi to accept tickets based on
a secrets.tdb entry.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Aug 30 01:26:12 CEST 2012 on sn-devel-104
there is a libsecurity on OSF1 which clasheѕ with our security lib. see bug #9023.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Fri Aug 10 14:22:21 CEST 2012 on sn-devel-104
If we create a copy of the credential state we miss updates to the
credentials.
To establish a netlogon schannel connection we create client credentials
and authenticate with them using
dcerpc_netr_ServerAuthenticate2()
For this we call netlogon_creds_client_authenticator() which increases
the sequence number and steps the credentials. Lets assume the sequence
number is 1002.
After a successful authentication we get the server credentials and we
send bind a auth request with the received creds. This sets up gensec
and the gensec schannel module created a copy of the client creds and
stores it in the schannel auth state. So the creds stored in gensec have
the sequence number 1002.
After that we continue and need the client credentials to call
dcerpc_netr_LogonGetCapabilities()
to verify the connection. So we need to increase the sequence number of
the credentials to 1004 and step the credentials to the next state. The
server always does the same and everything is just fine here.
The connection is established and we want to do another netlogon call.
So we get the creds from gensec and want to do a netlogon call e.g.
dcerpc_netr_SamLogonWithFlags.
We get the needed creds from gensec. The sequence number is 1002 and
we talk to the server. The server is already ahead cause we are already
at sequence number 1004 and the server expects it to be 1006. So the
server gives us ACCESS_DENIED cause we use a copy in gensec.
Signed-off-by: Günther Deschner <gd@samba.org>
Several functions use the same logic as kerberos_pac_logon_info. Move
kerberos_pac_logon_info to common code and reuse it to remove the code
duplication.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge,
so if we ever did use a module that needed this functionlity, we would
downgrade to just NTLM.
Now that security=server has been removed, we have no such module.
This will make it easier to make the auth subsystem async, as we will
not need to consider making .get_challenge async.
Andrew Bartlett
This removes the duplication on how to detect that a user is system in Samba
now that the smbd system account is also only SID_NT_SYSTEM we can use the same
check everywhere.
Andrew Bartlett
Signed-off-by: Andreas Schneider <asn@samba.org>
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC which will allow smarter handling of (for example) accidentially
starting smbd rather than samba.
To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.
Andrew Bartlett
To remove finddcs_nbt these missing deps need to be added. These
subsystems linked to to implicit dependencies provided by finddcs.
Due to the new arrangmenet of subsystems, MESSAGING needs to be a
private library to avoid being a source of duplicate symbols.
Andrew Bartlett
This is also where the related krb5_princ_component is declared.
Also fix the configure check to use the correct name
This helps the autoconf build on Heimdal.
Andrew Bartlett
System MIT krb5 build also enabled by specifying --without-ad-dc
When --with-system-mitkrb5 (or --withou-ad-dc) option is passed to top level
configure in WAF build we are trying to detect and use system-wide MIT krb5
libraries. As result, Samba 4 DC functionality will be disabled due to the fact
that it is currently impossible to implement embedded KDC server with MIT krb5.
Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
* Samba 4 client libraries and their Python bindings
* Samba 3 server (smbd, nmbd, winbindd from source3/)
* Samba 3 client libraries
In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture.
This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.
We need to ifdef out some minor things here because there is no available API
to set these options in MIT.
The realm and canonicalize options should be not interesting in the client
case. Same for the send_to_kdc hacks.
Also the OLD DES3 enctype is not at all interesting. I am not aware that
Windows will ever use DES3 and no modern implementation relies on that enctype
anymore as it has been fully deprecated long ago, so we can simply ignore it.
Thanks to Wolfgang Sourdeau for reporting this.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=8946
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Fri May 18 04:50:17 CEST 2012 on sn-devel-104
For now let's just loose this functionality with the MIT build.
gss_import/export_cred should be availa ble when MIT 1.11 is released and this
code is used only in some proxy scenario. Not normally needed for common
configurations.
Unfortunately these functions are not available in MIT and there is no easy
workaround or compat funciton I can see at this stage. Will fix properly once
MIT gets the necessary functions or if another workaround can be found.
Make it clearly a gensec_krb5 accessory file.
This function should never be used anywhere else.
This function was copied out from the Heimdal tree and is kept in a separate
file for clarity and to keep the original license boilerplate.
This makes it simpler to slowly integrate MIT support and also amkes it
somewhat clearer what operation is really requested.
The 24u2 part is really only used by the cifs proxy code so we can temporarily
disable it in the MIT build w/o major consequences.
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.
Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.
Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
The remaining gssapi_parse functions were used exclusively in
gensec_krb5. Move them there and make them static.
Signed-off-by: Andreas Schneider <asn@samba.org>
This is clearly a utiliy function generic to gensec. Also the 3 callers
had identical implementations. Provide a generic implementation for all
of them and avoid duplicating the code everywhere.
Signed-off-by: Andreas Schneider <asn@samba.org>
This allows us to make parse_principal static in kerbeors_util again and
avoid a silly game where we alloc containers and set destrcutors only to
release the whole thing at the end of the function.
Signed-off-by: Andreas Schneider <asn@samba.org>
kerberos_enctype_to_bitmap is not used anywhere else, so just move it there and
make it static, one less dependency to worry about.
Signed-off-by: Andreas Schneider <asn@samba.org>
This matches check_ntlm_password() and generate_session_info_pac()
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
The ntlmssp_server code will be in common shortly, and aside from a
symbol name or two, moving the client code causes no harm and makes
less mess. We will also get the client code in common very soon.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This matches what Samba3 does.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Feb 13 01:25:59 CET 2012 on sn-devel-104
This avoids casting to and from the struct auth_user_info_dc *user_info_dc
to to this, the
if (user_info_dc->info->authenticated)
is moved into auth_generate_session_info_wrapper(), which is the
function that gensec_security->auth_context->generate_session_info
points to.
Andrew Bartlett
gensec_ntlmssp does not need to know the internal form of the
struct user_info_dc or auth_serversupplied_info. This will allow the
calling logic to be put in common.
Andrew Bartlett
These are optional to supply - some callers only provide an auth_context for the
other plugin functions, and so we need to deal with this cleanly.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 11 10:49:13 CET 2012 on sn-devel-104
This will make it easier to share elements of the GSSAPI gensec mechs,
in much the same way elements of the NTLMSSP mech are shared.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
By providing this context, a function pointer for
generate_session_info_pac() can be inserted into gensec, allowing the
s3 PAC processing in an otherwise more generic gensec module.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
These are defined in the krb5 abstraction headers elsewhere.
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Jan 9 14:32:08 CET 2012 on sn-devel-104
This makes the dependencies simpler, as this code path is no longer
required. (That is, it makes no sense to have an NTLM login without
an auth context, and the gensec_gssapi and gensec_krb5 modules call
the PAC blob function below instead).
Andrew Bartlett
This demonstrates how a different function pointer can be supplied
to handle the PAC blob, without depending on the provisioned samdb etc.
Andrew Bartlett
This uses a single callback to handle the PAC from the DATA_BLOB
format until it becomes a struct auth_session_info.
This allows a seperation between the GSS acceptor code and the PAC
interpretation code based on the supplied auth context.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
This library was tiny - containing just two public functions than were
themselves trivial. The amount of overhead this causes isn't really worth the
benefits of sharing the code with other projects like OpenChange. In addition, this code
isn't really generically useful anyway, as it can only load from the module path
set for Samba at configure time.
Adding a new library was breaking the API/ABI anyway, so OpenChange had to be
updated to cope with the new situation one way or another. I've added a simpler
(compatible) routine for loading modules to OpenChange, which is less than 100 lines of code.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Dec 3 08:36:33 CET 2011 on sn-devel-104
Windows-Members of NT4/Samba3 domains, send
MechTypes:
1.3.6.1.4.1.311.2.2.10 [NTLMSSP]
1.2.840.48018.1.2.2 [krb5 broken]
1.2.840.113554.1.2.2 [krb5]
MechToken for NTLMSSP.
This patch makes sure we start NTLMSSP with the given MechToken,
instead of trying to pass the NTLMSSP MechToken to the krb5 backend
first. As that would fail the authentication with an error
instead of trying fallbacks.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Nov 30 17:03:29 CET 2011 on sn-devel-104
This allows only a particular principal to be exported to the keytab.
This is useful when setting up unix servers in a Samba controlled
domain.
Based on a request by Gémes Géza <geza@kzsdabas.hu>
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Nov 29 09:20:55 CET 2011 on sn-devel-104
Change some misleading variable names to reflect the actual function.
Add missing field name/types previously marked as unkown.
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Oct 24 19:19:28 CEST 2011 on sn-devel-104
This avoids keeping the event context around on a the gensec_security
context structure long term.
In the Samba3 server, the event context we either supply is a NULL
pointer as no server-side modules currently use the event context.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This will allow gensec_start.c to move to the top level. This does not change
what code uses the cli_credentials code, but allows the gensec code to be
more broadly.
Andrew Bartlett
This is done so that the lpcfg_ functions are available across the whole
build, either with the struct loadparm_context loaded from an smb.conf directly
or as a wrapper around the source3 param code.
This is not the final, merged loadparm, but simply one step to make
it easier to solve other problems while we make our slow progress
on this difficult problem.
Andrew Bartlett