1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

1769 Commits

Author SHA1 Message Date
Simo Sorce
6bec64b12a s4-auth-krb: Make srv_keytab.c build against MIT Kerberos 2012-05-04 16:51:29 +02:00
Simo Sorce
548046ff4d Fix incompatible assignment warning 2012-05-04 16:51:29 +02:00
Simo Sorce
205b032061 Fix compiler warning 2012-05-04 16:51:29 +02:00
Simo Sorce
cf7d15e075 s4-auth-krb: Use compat code to initialize keyblock contents 2012-05-04 16:51:29 +02:00
Simo Sorce
62f3be7af3 s4-auth-krb: Disable code in MIT build
Unfortunately these functions are not available in MIT and there is no easy
workaround or compat funciton I can see at this stage. Will fix properly once
MIT gets the necessary functions or if another workaround can be found.
2012-05-04 16:51:28 +02:00
Simo Sorce
c2f663263c Move keytab_copy to krb5samba lib
This is a helper fucntion that uses purely krb5 code, so it belongs to
krb5samba which is the krb5 wrapper for samba.
2012-05-04 16:51:28 +02:00
Simo Sorce
94b9af6ac6 Fix keytab_copy to compile with MIT librariues too 2012-05-04 16:51:28 +02:00
Simo Sorce
07953e19fc keytab_copy: Fix style, whitespaces 2012-05-04 16:51:28 +02:00
Simo Sorce
57dc8aa1b2 kerberos_pac: Fix code to work with MIT too 2012-05-04 16:51:28 +02:00
Simo Sorce
a2de8a12d3 s4-auth-krb: smb_rd_req_return_stuff is used only in gensec_krb5
Make it clearly a gensec_krb5 accessory file.
This function should never be used anywhere else.
This function was copied out from the Heimdal tree and is kept in a separate
file for clarity and to keep the original license boilerplate.
2012-05-04 16:51:28 +02:00
Simo Sorce
3109a3de1f Split normal kinit from s4u2 flavored kinit
This makes it simpler to slowly integrate MIT support and also amkes it
somewhat clearer what operation is really requested.
The 24u2 part is really only used by the cifs proxy code so we can temporarily
disable it in the MIT build w/o major consequences.
2012-05-04 16:51:28 +02:00
Simo Sorce
29d284c245 Move kerberos_kinit_password_cc to krb5samba lib 2012-05-04 16:51:28 +02:00
Simo Sorce
38a5a2c5c5 Move kerberos_kinit_keyblock_cc to krb5samba lib
Make it also work with MIT where krb5_get_in_tkt_with_keyblock is not
available.
2012-05-04 16:51:28 +02:00
Simo Sorce
aa1a0d80de krb-init: define out heimdal specific stuff in mitkrb build 2012-05-04 16:51:28 +02:00
Simo Sorce
9a585a3141 s4-auth-krb: avoid useless condition
Code bails out with ENOMEM 2 lines a bove if config_file is NULL anyways
2012-05-04 16:51:28 +02:00
Alexander Bokovoy
594e316181 lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into lib/replace/system/gssapi.h
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.

Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.

Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
2012-04-25 00:18:32 +02:00
Simo Sorce
08c733d75f Make krb5 wrapper library common so they can be used all over 2012-04-23 19:20:38 -04:00
Simo Sorce
f7070c90b9 For now just disable this Heindal specific stuff in the MIT build 2012-04-23 16:40:49 -04:00
Simo Sorce
110dad8c9e Make krb5 context initialization not heimdal specific
Turn the logging data to an opaque pointer.
Ifdef code and use MIT logging function when built against system MIT.
2012-04-23 16:40:05 -04:00
Simo Sorce
70d44a9a17 Fix Error messages 2012-04-19 15:55:30 +02:00
Alexander Bokovoy
f9ec6ff073 s4-auth: Make sure ldb context is initialized even if not passed by Python code
Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Sat Apr 14 00:21:00 CEST 2012 on sn-devel-104
2012-04-14 00:20:59 +02:00
Simo Sorce
a925c2c48d srv_keytab: Pass krb5_context directly, it's all we use anyways.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
70c303a7f3 auth-krb: Move pac related util functions in a single place.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
3fd6deda7d auth-krb: Make functions static.
The remaining gssapi_parse functions were used exclusively in
gensec_krb5.  Move them there and make them static.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
88d5d5c4b4 auth-krb: Nove oid packet check to gensec_util.
This is clearly a utiliy function generic to gensec.  Also the 3 callers
had identical implementations. Provide a generic implementation for all
of them and avoid duplicating the code everywhere.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
f116262a73 s4-auth-krb: Remove dependency on credentials too.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
a46e465ce0 s4-auth-krb: Remove unneded dependency on kerberos_util.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
aedbd6bf8e s4-auth-krb: Simplify salt_princ handling.
This allows us to make parse_principal static in kerbeors_util again and
avoid a silly game where we alloc containers and set destrcutors only to
release the whole thing at the end of the function.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
6de578a8f7 s4-auth-krb: Move function to db-glue.c and make it static.
kerberos_enctype_to_bitmap is not used anywhere else, so just move it there and
make it static, one less dependency to worry about.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
b226955587 s4-auth-krb: Move keytab functions in a separate file.
Confine ldb dependency.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
7d203f70ae s4-auth-krb: Streamline and cleanup code to make it readable.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
23d54e7f92 s4-auth-krb: streamline and rename enctype functions
better express what is being done in the function name.
2012-04-12 12:06:42 +02:00
Simo Sorce
6f7fa0bd2f s4-auth-krb: Make kerberos_enctype_bitmap_to_enctype static.
It's a helper function not used anywhere else.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
60905c807a s4-auth-krb: Make kerberos_enctype_bitmap_to_enctypes static.
It is not used anywhere else.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
670dbde65e s4-auth-krb: Move function into more appropriate header.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Simo Sorce
b574e7cd81 s4-auth-krb: Make impersonate_principal_from_credentials static.
It's not used anywhere else.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Simo Sorce
93aa4511b9 gensec_gssapi: keep private header file close to the actual code
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Simo Sorce
6ab0dfe0d9 krb5_wrap: remove duplicate declaration and dead ifdef
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Stefan Metzmacher
93261a1184 s4:auth/gensec/schannel: initialize struct schannel_state to zero
metze
2012-03-02 07:07:10 +01:00
Stefan Metzmacher
f7acb36784 s4:auth/gensec/schannel: make a copy of netlogon_creds_CredentialState in the client
This is really a copy for the lifetime of the rpc connection.

metze
2012-03-02 07:07:10 +01:00
Andrew Bartlett
e3cebef0cf auth: Rename some elements of auth4_context
These operate on NTLM authentication, so make that clear.

Andrew Bartlett
2012-02-24 11:23:18 +11:00
Jelmer Vernooij
e33441fafd pygensec: Fix whitespace. 2012-02-18 23:52:37 +01:00
Andrew Bartlett
e786e8fef9 auth: Reorder arguments to generate_session_info
This matches check_ntlm_password() and generate_session_info_pac()

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
2012-02-18 02:19:35 +01:00
Andrew Bartlett
52ac479764 auth: Move the rest of the source4 gensec_ntlmssp code to the top level
The ntlmssp_server code will be in common shortly, and aside from a
symbol name or two, moving the client code causes no harm and makes
less mess.  We will also get the client code in common very soon.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
674278d5b0 auth/kerberos: Move gse_get_session_key() to common code and use in gensec_gssapi
Thie ensures that both code bases use the same logic to determine the use
of NEW_SPNEGO.

Andrew Bartlett
2012-02-17 17:36:38 +11:00
Andrew Bartlett
caf485a2bd auth: Pass in the SMB username (for %U) into generate_session_info
This matches what Samba3 does.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Feb 13 01:25:59 CET 2012 on sn-devel-104
2012-02-13 01:25:59 +01:00
Andrew Bartlett
3ddb983c10 gensec: inline gensec_generate_session_info() into only caller
This avoids casting to and from the struct auth_user_info_dc *user_info_dc

to to this, the

if (user_info_dc->info->authenticated)

is moved into auth_generate_session_info_wrapper(), which is the
function that gensec_security->auth_context->generate_session_info
points to.

Andrew Bartlett
2012-01-30 08:05:14 +01:00
Andrew Bartlett
fc035afb6e s4-auth: Return NT_STATUS_NOT_IMPLEMENTED if the challenge cannot be obtained 2012-01-30 08:05:14 +01:00
Andrew Bartlett
a647df4607 auth: Make check_password and generate_session_info hook generic
gensec_ntlmssp does not need to know the internal form of the
struct user_info_dc or auth_serversupplied_info.  This will allow the
calling logic to be put in common.

Andrew Bartlett
2012-01-30 08:05:14 +01:00
Stefan Metzmacher
30b1e72556 s4:auth/gensec: make sure GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAG
metze
2012-01-20 23:55:54 +01:00
Stefan Metzmacher
01f246e873 auth/gensec: move spnego.c to the toplevel
metze
2012-01-13 04:58:41 +01:00
Stefan Metzmacher
d88af2fe24 auth/gensec: common helper functions should be in gensec_util.c
This makes the dependencies easier to handle.

metze
2012-01-13 04:58:41 +01:00
Stefan Metzmacher
3ad7ca59b3 s4:auth/gensec: inline packet_full_request_u32()
This removes the dependency to s4 specific code.

metze
2012-01-13 04:58:40 +01:00
Stefan Metzmacher
36829cff8f s4:auth/gensec: fix compiler warnings in spnego.c
metze
2012-01-13 04:58:40 +01:00
Stefan Metzmacher
891318ee4c s4:auth/gensec/spnego: add support for fragmented spnego messages
metze
2012-01-12 13:15:08 +01:00
Stefan Metzmacher
b3f8f7e8a3 s4:pygensec: add set_max_update_size() and max_update_size() functions
metze
2012-01-12 13:15:08 +01:00
Andrew Bartlett
fc2c76f921 s4:auth: Make sure to check the optional auth_context hooks before using them
These are optional to supply - some callers only provide an auth_context for the
other plugin functions, and so we need to deal with this cleanly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 11 10:49:13 CET 2012 on sn-devel-104
2012-01-11 10:49:13 +01:00
Andrew Bartlett
98ba33b258 gensec: Rename want_flags and got_flags in gensec_gssapi
This make it clearer what type of flags these are.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:11:22 +01:00
Andrew Bartlett
226c3ef7a6 gensec: make gensec_gssapi.h common
This will make it easier to share elements of the GSSAPI gensec mechs,
in much the same way elements of the NTLMSSP mech are shared.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:10:02 +01:00
Andrew Bartlett
f5a117172e gensec: move gensec_util.c to the top level
To do this some defines need to move to common_auth.h

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:02:41 +01:00
Andrew Bartlett
14c8a13d3e auth: make auth4_context common to provide access to generate_session_info_pac()
By providing this context, a function pointer for
generate_session_info_pac() can be inserted into gensec, allowing the
s3 PAC processing in an otherwise more generic gensec module.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 08:59:34 +01:00
Andrew Bartlett
cfe68f2d5f krb5: Require krb5_set_real_time is available to build with krb5 2012-01-10 21:50:07 +01:00
Günther Deschner
88258c3b93 s4-kerberos: remove some unused prototypes.
These are defined in the krb5 abstraction headers elsewhere.

Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Jan  9 14:32:08 CET 2012 on sn-devel-104
2012-01-09 14:32:08 +01:00
Andrew Bartlett
60c66118b3 ntlmssp: merge initial packet implementations
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-06 13:18:40 +01:00
Stefan Metzmacher
1d4cc2a64f s4:pygensec: add session_key() method
metze
2012-01-04 20:55:04 +01:00
Andrew Bartlett
e3f4a6692c s4-gensec: Rename memory contexts in gensec_util for greater clarity
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.

Thankyou Simo for the suggestion.

Andrew Bartlett
2011-12-29 22:34:28 +11:00
Andrew Bartlett
5316e86f5c s4-gensec: Rename memory contexts in gensec_krb5 for greater clarity
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.

Thankyou Simo for the suggestion.

Andrew Bartlett
2011-12-29 22:33:27 +11:00
Andrew Bartlett
a085446d0c s4-gensec: Rename memory contexts in gensec_gssapi for greater clarity
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.

Thankyou Simo for the suggestion.

Andrew Bartlett
2011-12-29 22:31:36 +11:00
Andrew Bartlett
06bbb8a6fb s4-auth: Rename memory contexts for greater clarity
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.

Thankyou Simo for the suggestion.

Andrew Bartlett
2011-12-29 22:30:07 +11:00
Andrew Bartlett
c2d6509c0b s4-gensec remove auth_session dep from gensec_gssapi.c
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 05:37:11 CET 2011 on sn-devel-104
2011-12-29 05:37:11 +01:00
Andrew Bartlett
3f5d30c8cb s4-gensec Remove fallback for simple privileges
This makes the dependencies simpler, as this code path is no longer
required.  (That is, it makes no sense to have an NTLM login without
an auth context, and the gensec_gssapi and gensec_krb5 modules call
the PAC blob function below instead).

Andrew Bartlett
2011-12-29 14:01:56 +11:00
Andrew Bartlett
fe693e9148 s4-torture: Demonstrate handling of the PAC in a custom auth_context
This demonstrates how a different function pointer can be supplied
to handle the PAC blob, without depending on the provisioned samdb etc.

Andrew Bartlett
2011-12-29 14:01:55 +11:00
Andrew Bartlett
2ee67e37c2 s4-pyauth: Make sure event context allows nesting 2011-12-29 14:01:55 +11:00
Andrew Bartlett
149f8f16be s4-gensec: Move parsing of the PAC blob and creating the session_info into auth
This uses a single callback to handle the PAC from the DATA_BLOB
format until it becomes a struct auth_session_info.

This allows a seperation between the GSS acceptor code and the PAC
interpretation code based on the supplied auth context.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
2011-12-29 01:10:58 +01:00
Andrew Bartlett
fc226f81c6 s4-gensec: fix cyrus sasl module after update() protype change 2011-12-29 09:36:24 +11:00
Andrew Bartlett
5815a1b777 s4-auth Remove unused auth_context_create_from_ldb() 2011-12-28 22:39:20 +11:00
Andrew Bartlett
f7a866a17c s4-gensec: Allow a PAC to be obtained from any GSS mech
This may allow Luke Howard's moonshot to work with a little less effort
at some point in the future.

Andrew Bartlett
2011-12-28 22:39:19 +11:00
Andrew Bartlett
9a085b0b80 auth/kerberos: Move gssapi_parse.c to the top level
This will help with writing a gensec module for the s3 gse layer.

Andrew Bartlett
2011-12-28 22:39:19 +11:00
Andrew Bartlett
cfb9a9d650 s4-ntlmssp Do not allow LM key without a LM password 2011-12-28 22:39:19 +11:00
Andrew Bartlett
0344e7278b auth: Allow a NULL principal to be obtained from the credentials
This is important when trying to let GSSAPI search the keytab.

Andrew Bartlett
2011-12-07 10:43:52 +11:00
Jelmer Vernooij
05bc4de083 Revert making public of the samba-module library.
This library was tiny - containing just two public functions than were
themselves trivial. The amount of overhead this causes isn't really worth the
benefits of sharing the code with other projects like OpenChange. In addition, this code
isn't really generically useful anyway, as it can only load from the module path
set for Samba at configure time.

Adding a new library was breaking the API/ABI anyway, so OpenChange had to be
updated to cope with the new situation one way or another. I've added a simpler
(compatible) routine for loading modules to OpenChange, which is less than 100 lines of code.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Dec  3 08:36:33 CET 2011 on sn-devel-104
2011-12-03 08:36:30 +01:00
Stefan Metzmacher
de553b52f2 s4:gensec/spnego: only try the mechs that match the client given ones
Windows-Members of NT4/Samba3 domains, send

MechTypes:
1.3.6.1.4.1.311.2.2.10 [NTLMSSP]
1.2.840.48018.1.2.2    [krb5 broken]
1.2.840.113554.1.2.2   [krb5]

MechToken for NTLMSSP.

This patch makes sure we start NTLMSSP with the given MechToken,
instead of trying to pass the NTLMSSP MechToken to the krb5 backend
first. As that would fail the authentication with an error
instead of trying fallbacks.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Nov 30 17:03:29 CET 2011 on sn-devel-104
2011-11-30 17:03:29 +01:00
Andrew Bartlett
2bff209128 s4-samba-tool: Add --principal argument to samba-tool domain exportkeytab
This allows only a particular principal to be exported to the keytab.
This is useful when setting up unix servers in a Samba controlled
domain.

Based on a request by Gémes Géza <geza@kzsdabas.hu>

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Nov 29 09:20:55 CET 2011 on sn-devel-104
2011-11-29 09:20:54 +01:00
Andrew Bartlett
f93ec5a027 s4-auth log details about any token we fail to convert to a unix token
Now that entries are being added into the idmap DB from Samba3, and
may be UID or GID but not BOTH, failures are more likely.

Andrew Bartlett
2011-11-18 14:38:28 +11:00
Andrew Bartlett
0ce09fcf7a lib/util Rename samba_init_module_fns_run -> samba_module_init_fns_run
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
1b7cc4ac7c lib/util Rename samba_init_module_fn -> samba_module_init_fn
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
87354c9a6d lib/util Split samba-modules library into public and private parts
This will allow OpenChange to get at the symbols it needs, without
exposing any more of this as a public API than we must.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
ce0ccc2a2e lib/util Rename run_init_functions -> samba_init_module_fns_run
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
1935b7b6c2 lib/util Rename init_module_fn to samba_init_module_fn
This prepares for making the samba_module.h header public again, for OpenChange.

I am keen to avoid too much API namespace pollution if we can.
2011-10-28 13:10:28 +02:00
Simo Sorce
8870daeb8d idl: Improve MS-PAC IDL
Change some misleading variable names to reflect the actual function.
Add missing field name/types previously marked as unkown.

Signed-off-by: Günther Deschner <gd@samba.org>

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Oct 24 19:19:28 CEST 2011 on sn-devel-104
2011-10-24 19:19:28 +02:00
Stefan Metzmacher
9b407ee6d5 s4:auth/unix_token: match s3 behavior and add uid/gid to the groups array
If mappings use ID_TYPE_BOTH.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Oct 18 10:39:54 CEST 2011 on sn-devel-104
2011-10-18 10:39:54 +02:00
Andrew Bartlett
e7d5f0a357 gensec: move event context from gensec_*_init() to gensec_update()
This avoids keeping the event context around on a the gensec_security
context structure long term.

In the Samba3 server, the event context we either supply is a NULL
pointer as no server-side modules currently use the event context.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:33 +11:00
Andrew Bartlett
f88b686167 gensec: move event-using code to gensec_update() hooks out of gensec_start*()
This ensures that only gensec_update() will require an event context argument
when the API is refactored.

Andrew Bartlett
2011-10-18 13:13:33 +11:00
Andrew Bartlett
09c5acdec8 s4-auth: match the new s3 gensec client and always negotiate SIGN with SEAL
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:32 +11:00
Andrew Bartlett
968b3674b1 ntlmssp: Prepare gensec_ntlmssp_start() for broader use
This moves the allocation of the ntlmssp pointer back to the callers.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Andrew Bartlett
0c6e4adcb2 ntlmssp: Move ntlmssp code to auth/ntlmssp
This brings in the code from both libcli/auth and
source4/auth/ntlmssp.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Andrew Bartlett
5603dab647 libcli/auth: Provide a struct loadparm_context to schannel calls
This will allow us to pass this down to the tdb_wrap layer.

Andrew Bartlett
2011-10-13 14:06:07 +02:00
Andrew Bartlett
fe02752ed6 auth: move gensec_start.c to the top level
This does not change who uses gensec for now, but makes it possible to
write new gensec modules outside source4/

Andrew Bartlett
2011-10-11 13:41:36 +11:00
Andrew Bartlett
561d834123 auth: move credentials layer to the top level
This will allow gensec_start.c to move to the top level.  This does not change
what code uses the cli_credentials code, but allows the gensec code to be
more broadly.

Andrew Bartlett
2011-10-11 13:41:36 +11:00
Andrew Bartlett
b21b012756 lib/param move source4 param code to the top level
This is done so that the lpcfg_ functions are available across the whole
build, either with the struct loadparm_context loaded from an smb.conf directly
or as a wrapper around the source3 param code.

This is not the final, merged loadparm, but simply one step to make
it easier to solve other problems while we make our slow progress
on this difficult problem.

Andrew Bartlett
2011-10-11 13:41:34 +11:00
Andrew Bartlett
7d33ec3dfe lib/util: consolidate module loading into common code
This creates a samba-modules private libary that handles the details.

Andrew Bartlett
2011-10-06 07:18:07 +02:00
Andrew Tridgell
63319c169f s4-auth: fixed formatting of some DEBUG() lines
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Oct  5 09:45:15 CEST 2011 on sn-devel-104
2011-10-05 09:45:15 +02:00
Andrew Tridgell
71f3a25ff7 s4-auth: rework map_user_info() to use cracknames
to properly support multi-domain forests we need to determine if an
incoming username is part of a known forest domain or not. To do this
for all possible SPN forms, we need to use CrackNames.

This changes map_user_info() to use CrackNames if a SAM context is
available, and asks the CrackNames services to parse the incoming
username and domain into a NT4 form, which can then be used in the
SAM.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-10-04 15:08:57 +11:00
Andrew Tridgell
0c944d07dc s4-sam: don't look in GC NCs for user accounts
We need to exclude GC partial replica naming contexts from SAM lookups

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-10-04 15:08:57 +11:00
Matthias Dieter Wallnöfer
50310ad75d s4:auth - remove unused variables
Reviewed-by: Jelmer
2011-09-19 16:31:07 +02:00
Andrew Bartlett
21c2e8b378 build: make LIBWBCLIENT_OLD and auth_unix_token libraries
This assists with avoiding duplicate symbols.

Andrew Bartlett
2011-09-08 19:33:13 +10:00
Stefan Metzmacher
9d5711e3de s4:auth/gensec: gensec.h was moved to gensec_runtime
metze
2011-09-06 15:22:19 +02:00
Jelmer Vernooij
a0eac61ace gensec: Install header file. 2011-08-21 03:22:05 +02:00
Jelmer Vernooij
7ebdd3f683 samba-credentials: Add pkg-config file. 2011-08-21 03:22:04 +02:00
Jelmer Vernooij
292fe74971 credentials: Rename library to samba-credentials to avoid name clashes.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Thu Aug 18 22:16:38 CEST 2011 on sn-devel-104
2011-08-18 22:16:38 +02:00
Jelmer Vernooij
88ecf1a9b8 Use public pytalloc header file.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Aug 14 17:18:46 CEST 2011 on sn-devel-104
2011-08-14 17:18:46 +02:00
Simo Sorce
c84caabf8c s4:misc: remove last usage of legacy event_ fn names
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Sun Aug 14 00:38:13 CEST 2011 on sn-devel-104
2011-08-14 00:38:13 +02:00
Jelmer Vernooij
f8ec7f6cb1 pytalloc: Use consistent prefix for functions, add ABI file. 2011-08-10 15:36:21 +02:00
Stefan Metzmacher
100565b8cc s4:pycredentials: PyArg_ParseTuple("i") requires an 'int' argument.
If we pass variable references we don't get implicit casting!

metze
2011-08-08 16:45:27 +02:00
Andrew Bartlett
db06b61a1d build: Make credentials a public library for OpenChange to use
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Aug  8 14:53:53 CEST 2011 on sn-devel-104
2011-08-08 14:53:53 +02:00
Andrew Bartlett
af5f494bd2 build: provide tevent-util as a public library
This is needed so that OpenChange can get at _tevent_req_nterr(), which is referenced
by generated PIDL output.

Andrew Bartlett
2011-08-08 13:34:06 +02:00
Jelmer Vernooij
fdff105854 pyldb: Consistently use pyldb_ prefix. 2011-08-07 17:08:56 +02:00
Andrew Bartlett
fec25c3a62 ntlmssp: Add ntlmssp_blob_matches_magic()
This avoids having the same check in 3 different parts of the code

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Aug  3 12:45:04 CEST 2011 on sn-devel-104
2011-08-03 12:45:04 +02:00
Andrew Bartlett
643d05826c gensec: Don't keep a second copy of the auth4_context in gensec_ntlmssp_state
The auth4_context is already in the gensec_security structure, which is
available by de-reference here anyway.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
d69843c908 s3-ntlmssp Add hooks to optionally call into GENSEC in auth_ntlmssp
This allows the current behaviour of the NTLMSSP code to be unchanged
while adding a way to hook in an alternate implementation via an auth
module.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:03 +10:00
Andrew Bartlett
35b309fa0c gensec: clarify memory ownership for gensec_session_info() and gensec_session_key()
This is slightly less efficient, because we no longer keep a cache on
the gensec structures, but much clearer in terms of memory ownership.
Both gensec_session_info() and gensec_session_key() now take a mem_ctx
and put the result only on that context.

Some duplication of memory in the callers (who were rightly uncertain
about who was the rightful owner of the returned memory) has been
removed to compensate for the internal copy.

Andrew Bartlett
2011-08-03 18:48:02 +10:00
Andrew Bartlett
d3fe48ba48 gensec: Remove mem_ctx from calls that do not return memory
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:01 +10:00
Andrew Bartlett
16b2118b43 gensec: split GENSEC into mechanism-dependent and runtime functions
The startup and runtime functions that have no dependencies are moved
into the top level.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:01 +10:00
Andrew Bartlett
2663586c8b s4-auth Fill in the remainder of the unix info in auth_session_info
Signed-off-by: Andrew Tridgell <tridge@samba.org>

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Jul 29 05:33:03 CEST 2011 on sn-devel-104
2011-07-29 05:33:03 +02:00
Andrew Bartlett
f5963aad18 s4-auth Move conversion of security_token to unix_token to auth
This allows us to honour the AUTH_SESSION_INFO_UNIX_TOKEN flag.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-29 04:24:07 +02:00
Andrew Bartlett
e84b8a72bd gensec: Add a way to request a unix token from GENSEC
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-29 04:24:07 +02:00
Amitay Isaacs
2625199d80 s4auth: Fix the object name for Py_Security
Use the object names as <modulename>.<objectname> to correctly generate the
object hierarchy in pydoc.

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-28 15:20:52 +10:00
Amitay Isaacs
6a12f7d66e s4auth: Fix the object names for PyCredentials and PyCredentialCacheContainer
Use the object names as <modulename>.<objectname> to correctly generate the
object hierarchy in pydoc.

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-28 15:20:52 +10:00
Amitay Isaacs
b9e0587960 s4auth: Remove duplicate assignment of structure variable
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-28 15:20:52 +10:00
Stefan Metzmacher
188b28b9d9 s4:auth/kerberos: activate windows related krb5 flags
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Jul 25 09:45:01 CEST 2011 on sn-devel-104
2011-07-25 09:45:01 +02:00
Andrew Bartlett
52b28ec813 auth: Split out make_user_info_SamBaseInfo and add authenticated argument
This will allow the source3 auth code to call this without needing to
double-parse the SIDs

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:14 +10:00
Stefan Metzmacher
e0541ed98d s4:auth/credentials: with the build after heimdal import
metze
2011-07-15 11:15:05 +02:00
Stefan Metzmacher
ad45072aaf s4:kdc: implement samba_kdc_check_s4u2proxy()
metze
2011-06-24 19:06:44 +02:00
Stefan Metzmacher
033f3376a8 s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs
If the KDC does not support S4U2Proxy, it might return a ticket
for the TGT client principal.

metze
2011-06-22 17:05:14 +02:00
Stefan Metzmacher
b9e095fdfb s4:auth/kerberos: add S4U2Proxy support to kerberos_kinit_password_cc()
For S4U2Proxy we need to use the ticket from the S4U2Self stage
and ask the kdc for the delegated ticket for the target service.

metze
2011-06-22 17:02:49 +02:00
Stefan Metzmacher
ede3046b8b s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs
Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets
which belongs to the client principal of the TGT.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104
2011-06-22 09:10:55 +02:00
Stefan Metzmacher
e5378e600e s4:auth/kerberos: remove one indentation level in kerberos_kinit_password_cc()
This will make the following changes easier to review.

metze
2011-06-22 08:00:24 +02:00
Stefan Metzmacher
b98428e630 s4:auth/kerberos: reformat kerberos_kinit_password_cc()
In order to make the following changes easier to review.

metze
2011-06-22 08:00:24 +02:00
Stefan Metzmacher
9c56303f5a s4:auth/kerberos: don't mix s4u2self creds with machine account creds
It's important that we don't store the tgt for the machine account
in the same krb5_ccache as the ticket for the impersonated principal.

We may pass it to some krb5/gssapi functions and they may use them
in the wrong way, which would grant machine account privileges to
the client.

metze
2011-06-22 08:00:24 +02:00
Stefan Metzmacher
b3d4962087 s4:auth/kerberos: use better variable names in kerberos_kinit_password_cc()
This will make the following changes easier to review.

metze
2011-06-22 08:00:23 +02:00
Stefan Metzmacher
7cf38425b2 s4:auth/kerberos: don't ignore return code in kerberos_kinit_password_cc()
metze
2011-06-22 08:00:23 +02:00
Brad Hards
c017cbfaa4 s4/auth: Trivial spelling fixes.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-06-21 15:54:32 +10:00
Andrew Bartlett
a1f04e8abc libcli/util Rename common map_nt_error_from_unix to avoid duplicate symbol
The two error tables need to be combined, but for now seperate the names.

(As the common parts of the tree now use the _common function,
errmap_unix.c must be included in the s3 autoconf build).

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
2011-06-20 08:12:03 +02:00
Andrew Bartlett
018f4a5889 libcli/util Bring samba4 unix -> nt_status code in common.
Due to library link orders, this is already the function that is being
used.  However we still need to sort out the duplicate symbol issues,
probably by renaming things.

Andrew Bartlett
2011-06-20 14:36:06 +10:00
Matthieu Patou
245b277749 s4: fix wrong index usage PRIMARY_USER_SID_INDEX when it should have been PRIMARY_GROUP_SID_INDEX
The system account was instanciated with wrong user an group SIDs, group
sid resulted being just the domain SID.
Bug seems to date from fbe6d155bf.

Andrew (B.) please check.
2011-06-19 23:21:08 +02:00
Andrew Tridgell
e080ae0faa s4-auth: quiet down the krb5 warnings when kerberos is not set to 'MUST'
this prevents spurious error messages on client commands when when we
will fallback to NTLM authentication

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-06-17 15:24:23 +10:00
Matthias Dieter Wallnöfer
cda2fa21eb s4:auth/ntlm/auth_unix.c - remove unused variables
Relicts from commit 323c744571

Reviewed-by: Jelmer
2011-06-11 16:25:57 +02:00
Matthias Dieter Wallnöfer
27f1779814 s4:auth/ntlm/auth.c - fix incompatible pointer type warning
Reviewed-by: Tridge
2011-06-09 09:35:32 +02:00
Andrew Bartlett
c79021382b s4-gensec bring GSS_S_CONTEXT_EXPIRED into it's own error handler
This allows us to print much more debugging in this critical situation.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Jun  8 04:19:58 CEST 2011 on sn-devel-104
2011-06-08 04:19:58 +02:00
Andrew Bartlett
9cf686f56f s4-credentials Don't use expired Kerberos or GSSAPI credentials
In a long-lived credentials cache situation, we may need to refetch
the ticket after (say) 10 hours.  This code should help that happen,
by checking the lifetime before returning any credentials cache or
GSSAPI credentials.

Andrew Bartlett
2011-06-08 03:08:22 +02:00
Andrew Bartlett
8dbab93f28 s4-credentials Allow use of file-based credentials caches for debugging.
This means that we will leave a slew of file based credentials caches
in /tmp, which should give some clues to the administrator or
developer via klist as to what has gone wrong.

Andrew Bartlett
2011-06-08 03:08:22 +02:00
Andrew Bartlett
5197331fe5 s4-auth Move default auth methods back into auth.c
This changes auth_methods_from_lp to no longer use the parametric
options, and to cope with ROLE_DOMAIN_BDC and ROLE_DOMAIN_PDC.  This
will assist in calling the source4 auth subsystem with a source3
derived lp_ctx.

Andrew Bartlett
2011-06-07 09:11:01 +10:00
Andrew Bartlett
907cdb5de7 s4-modules Remove lp_ctx from init functions that no longer need it
Now that we don't allow the smb.conf to change the modules dir, many
functions that simply load modules or initialise a subsytem that may
load modules no longer need an lp_ctx.

Andrew Bartlett
2011-06-06 17:37:51 +10:00
Matthias Dieter Wallnöfer
f44808fa11 s4:auth/ntlmssp/ntlmssp_server.c - add "const" in front of "dnsdomain"
Signed-off-by: Metze
2011-05-21 16:21:12 +02:00
Stefan Metzmacher
053ef0f605 s4:auth/credentials: S4U2Self should force CRED_MUST_USE_KERBEROS
Otherwise we would not impersonate the desired principal.
This still doesn't work for plaintext auth, but should
avoid ntlmssp.

metze
2011-05-18 07:46:41 +02:00
Stefan Metzmacher
a41efe6802 s4:auth/credentials: pass 'self_service' to cli_credentials_set_impersonate_principal()
This also adds a cli_credentials_get_self_service() helper function.

In order to support S4U2Proxy we need to be able to set
the service principal for the S4U2Self step independent of the
target principal.

metze
2011-05-18 07:46:39 +02:00
Stefan Metzmacher
c6836c8ede s4:gensec_gssapi: avoid delegation if s4u2self/proxy is used
metze
2011-05-18 07:46:38 +02:00
Andrew Bartlett
ea0ac9cdfc s4-auth Rename auth -> auth4 to avoid conflict with s3 auth 2011-05-08 10:56:26 +02:00
Andrew Tridgell
5c3e985fb5 s4-auth: remove unused prototype 2011-05-08 10:56:26 +02:00
Andrew Tridgell
323c744571 s4-auth: removed the password combinations code in auth_unix
this code never did anything due to a typo, and was untested. We
should not be inluding a password cracker in Samba anyway.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu May  5 07:00:14 CEST 2011 on sn-devel-104
2011-05-05 07:00:14 +02:00
Jeremy Allison
5c53d63348 sasl_secret_t ends in a char [1] size. This means the extra character is implicit in the safe_strcpy. When changing to strlcpy ensure we allocate an extra char for it. This fixes a bug where secret->len+1 used with safe_strcpy could actually write into secret->len+2. 2011-05-04 12:12:14 -07:00
Andrew Bartlett
2742ec0e34 Remove strlower_m() and strupper_m() from source4 and common code.
This function is problematic because a string may expand in size when
changed into upper or lower case.  This will then push characters off
the end of the string in the s3 implementation, or panic in the former
s4 implementation.

Andrew Bartlett
2011-05-03 07:37:07 +02:00
Andrew Bartlett
cdd802af83 s4-messaging Rename messaging -> imessaging
This avoid symbol and structure conflicts between Samba3 and Samba4,
and chooses a less generic name.

Andrew Bartlett
2011-05-03 07:37:07 +02:00
Andrew Bartlett
dbbc6e9dda s4-param Remove config_path() -> lpcfg_config_path()
This is consistent with lock_path()

Andrew Bartlett
2011-04-29 16:38:14 +10:00
Andrew Bartlett
722ec8b347 s4-gensec: Use new common 'obtain the PAC' functions.
Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Apr 27 05:08:10 CEST 2011 on sn-devel-104
2011-04-27 05:08:10 +02:00
Andrew Bartlett
e04bab4a19 libcli/auth Move Samba4's gssapi_error_string from GENSEC to libcli/auth
This will allow the GSSAPI PAC fetch code to use it.

Andrew Bartlett
2011-04-27 11:21:37 +10:00
Andrew Bartlett
f28f5db15a libcli/auth Move PAC parsing and verification in common.
This uses the source3 PAC code (originally from Samba4) with some
small changes to restore functionality needed by the torture tests,
and to have a common API.

Andrew Bartlett
2011-04-20 04:31:07 +02:00
Andrew Bartlett
bbeba18b1c s3-auth Rename smb_krb5_open_keytab to avoid a conflict with s3
The s3 function doesn't use the keytab_container concept.

Andrew Bartlett
2011-04-14 16:38:27 +10:00
Andrew Bartlett
4ba1375526 libcli/auth Move krb5 wrapper functions from s3 into common
This requires a small rework of the build system to ensure that the
correct #define statements are made in both the s3 and top level
builds.  We now define the various HAVE_ macros in config.h at all
times, using heimdal_build/wscript_configure when that is in use.

Andrew Bartlett
2011-04-14 16:38:26 +10:00
Andrew Tridgell
a8da13cd5c lib: make asn1_util a private library
this prevents symbol duplication of the asn1 symbols in the service
and ntvfs subsystems

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-04-06 08:12:19 +02:00
Andrew Bartlett
663dc94e63 auth: Move auth_session_info into IDL
This changes auth_session_info_transport to just be a wrapper, rather
than a copy that has to be kept in sync.

As auth_session_info was already wrapped in python, this required
changes to the existing pyauth wrapper and it's users.

Andrew Bartlett
2011-04-05 23:46:04 +02:00
Andrew Bartlett
f261266c9d s4-auth: Always talloc_zero() the struct auth_session_info 2011-04-05 23:46:04 +02:00
Andrew Tridgell
db0316832a s4-krb5: be a bit less verbose about krb5 packets
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-04-04 10:30:30 +10:00
Jeremy Allison
52602e4f5a Fix inspired by work done by David Disseldorp for bug #8040 - smbclient segfaults when a Cyrillic netbios name or workgroup is configured.
Change msrpc_gen to return NTSTATUS and ensure everywhere this is
used it is correctly checked to return that status.

Jeremy.
2011-03-28 23:12:07 +02:00
Matthias Dieter Wallnöfer
3940777a14 s4:python bindings - handle NULL returns from "loadparm_init_global"
Reviewed-by: Jelmer

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Tue Mar 22 19:52:57 CET 2011 on sn-devel-104
2011-03-22 19:52:57 +01:00
Matthias Dieter Wallnöfer
bd25bc133a s4:auth/system_session.c - check for OOM
Reviewed-by: Jelmer
2011-03-22 19:04:41 +01:00
Jelmer Vernooij
7e039c7dda source4/auth: Fix prototypes for all functions. 2011-03-19 03:20:05 +01:00
Jelmer Vernooij
557f830c4f source4/auth/ntlm: Fix prototypes for all functions. 2011-03-19 03:20:05 +01:00
Jelmer Vernooij
8823aeaf24 source4/auth/gensec: Fix prototypes for all functions. 2011-03-19 03:20:05 +01:00
Simo Sorce
a57c2b02f1 Fix public header not to include private (not installed) ones.
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Mon Mar 14 17:01:20 CET 2011 on sn-devel-104
2011-03-14 17:01:20 +01:00
Günther Deschner
dc35442fb1 s4-nterr: move auth_nt_status_squash to nt_status_squash and move to nterr.c
Guenther
2011-03-04 01:18:42 +01:00
Jelmer Vernooij
59a077d8f5 Fix some types
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Feb 28 23:30:06 CET 2011 on sn-devel-104
2011-02-28 23:30:06 +01:00
Jelmer Vernooij
31d09b13d3 tdb: Use <tdb.h> to include tdb so system headers are found when building against system tdb. 2011-02-28 21:11:21 +01:00
Andrew Tridgell
74947964d9 build: moved spnego_parse.c into a common subsystem 2011-02-24 15:08:50 +11:00
Andrew Tridgell
8dbe665a0c build: moved schannel_sign.c into a shared COMMON_SCHANNEL subsystem
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-24 11:57:48 +11:00
Andrew Tridgell
d37a55548b build: moved libcli/auth/ntlmssp*.c into a common libcliauth.so library
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-24 11:57:48 +11:00
Andrew Bartlett
e3821f2c40 s4-auth Move libcli/security/session.c to the top level
This code is now useful in common, as the elements of the
auth_session_info structure have now been defined in common IDL.

Andrew Bartlett
2011-02-22 16:20:11 +11:00
Andrew Tridgell
ed71c1ef1f s4-auth: rename 'auth' subsystem to 'auth4'
this prevents conflicts with the s3 auth modules. The auth modules in
samba3 may appear in production smb.conf files, so it is preferable to
rename the s4 modules for minimal disruption.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-18 15:09:46 +11:00
Günther Deschner
3722f65359 librpc: make NDR_KRB5PAC a shared library (libndr-krb5pac.so).
Simo, please check.

Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Feb 14 18:54:38 CET 2011 on sn-devel-104
2011-02-14 18:54:38 +01:00
Andrew Tridgell
8dc92c8f71 ldb: use #include <ldb.h> for ldb
thi ensures we are using the header corresponding to the version of
ldb we're linking against. Otherwise we could use the system ldb for
link and the in-tree one for include

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-10 06:51:07 +01:00
Andrew Tridgell
e26b1a6968 s4-krb5: authkrb5 should depend on ldb
this fixes the include path to add ldb

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-10 06:51:07 +01:00
Andrew Bartlett
d66150c14d libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport
This changes the structure being used to convey the current user state
from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built
structure that matches the internals of the Samba auth subsystem and
contains the final group list, as well as the final privilege set and
session key.

These previously had to be re-created on the server side of the pipe
each time.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-10 06:51:06 +01:00
Andrew Bartlett
4cfee6f88e auth Move auth_sam_reply into the top level.
These functions provide conversions between some netlogon.idl and
auth.idl structures

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-10 06:51:06 +01:00
Andrew Bartlett
7e76367e59 s4-auth Fix setting of bad_password_count in auth_convert_user_info_dc_sambaseinfo()
Discovered during the convertion to auth_user_info.

Andrew Bartlett
2011-02-09 01:11:06 +01:00
Andrew Bartlett
a2ce53c1f5 s4-auth Rework auth subsystem to remove struct auth_serversupplied_info
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc.  This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.

The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.

Andrew Barltett
2011-02-09 01:11:06 +01:00
Andrew Bartlett
f1c0e9532d s4-auth Add auth.idl to encode auth subsystem structures in IDL
This is not only a useful way to encode stuff, it also allows python
to handle the structures, and natrually allows them to be NDR encoded.

Andrew Bartlett
2011-02-09 01:11:06 +01:00
Günther Deschner
34722c72f6 pam: share pam errors in a common location.
Guenther
2011-02-08 14:05:36 +01:00
Andrew Bartlett
7faa3be453 s4-python Ensure we add the Samba python path first.
This exact form of the construction is important, and we match on it
in the installation scripts.

Andrew Bartlett
2011-02-02 15:21:12 +11:00
Matthias Dieter Wallnöfer
7b9ead17f1 s4:auth/pyauth.c - temporarily add compatibility code for Python 2.4
This patch has been commited by request of Jelmer.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Jan 30 19:07:57 CET 2011 on sn-devel-104
2011-01-30 19:07:57 +01:00
Andrew Bartlett
fbe6d155bf s4-auth Remove special case for account_sid from auth_serversupplied_info
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **.  This is in keeping with
the other sid lists in the security_token etc.

In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.

Andrew Bartlett
2011-01-20 23:44:05 +01:00