1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

1769 Commits

Author SHA1 Message Date
Stefan Metzmacher
01f246e873 auth/gensec: move spnego.c to the toplevel
metze
2012-01-13 04:58:41 +01:00
Stefan Metzmacher
d88af2fe24 auth/gensec: common helper functions should be in gensec_util.c
This makes the dependencies easier to handle.

metze
2012-01-13 04:58:41 +01:00
Stefan Metzmacher
3ad7ca59b3 s4:auth/gensec: inline packet_full_request_u32()
This removes the dependency to s4 specific code.

metze
2012-01-13 04:58:40 +01:00
Stefan Metzmacher
36829cff8f s4:auth/gensec: fix compiler warnings in spnego.c
metze
2012-01-13 04:58:40 +01:00
Stefan Metzmacher
891318ee4c s4:auth/gensec/spnego: add support for fragmented spnego messages
metze
2012-01-12 13:15:08 +01:00
Stefan Metzmacher
b3f8f7e8a3 s4:pygensec: add set_max_update_size() and max_update_size() functions
metze
2012-01-12 13:15:08 +01:00
Andrew Bartlett
fc2c76f921 s4:auth: Make sure to check the optional auth_context hooks before using them
These are optional to supply - some callers only provide an auth_context for the
other plugin functions, and so we need to deal with this cleanly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 11 10:49:13 CET 2012 on sn-devel-104
2012-01-11 10:49:13 +01:00
Andrew Bartlett
98ba33b258 gensec: Rename want_flags and got_flags in gensec_gssapi
This make it clearer what type of flags these are.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:11:22 +01:00
Andrew Bartlett
226c3ef7a6 gensec: make gensec_gssapi.h common
This will make it easier to share elements of the GSSAPI gensec mechs,
in much the same way elements of the NTLMSSP mech are shared.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:10:02 +01:00
Andrew Bartlett
f5a117172e gensec: move gensec_util.c to the top level
To do this some defines need to move to common_auth.h

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:02:41 +01:00
Andrew Bartlett
14c8a13d3e auth: make auth4_context common to provide access to generate_session_info_pac()
By providing this context, a function pointer for
generate_session_info_pac() can be inserted into gensec, allowing the
s3 PAC processing in an otherwise more generic gensec module.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 08:59:34 +01:00
Andrew Bartlett
cfe68f2d5f krb5: Require krb5_set_real_time is available to build with krb5 2012-01-10 21:50:07 +01:00
Günther Deschner
88258c3b93 s4-kerberos: remove some unused prototypes.
These are defined in the krb5 abstraction headers elsewhere.

Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Jan  9 14:32:08 CET 2012 on sn-devel-104
2012-01-09 14:32:08 +01:00
Andrew Bartlett
60c66118b3 ntlmssp: merge initial packet implementations
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-06 13:18:40 +01:00
Stefan Metzmacher
1d4cc2a64f s4:pygensec: add session_key() method
metze
2012-01-04 20:55:04 +01:00
Andrew Bartlett
e3f4a6692c s4-gensec: Rename memory contexts in gensec_util for greater clarity
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.

Thankyou Simo for the suggestion.

Andrew Bartlett
2011-12-29 22:34:28 +11:00
Andrew Bartlett
5316e86f5c s4-gensec: Rename memory contexts in gensec_krb5 for greater clarity
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.

Thankyou Simo for the suggestion.

Andrew Bartlett
2011-12-29 22:33:27 +11:00
Andrew Bartlett
a085446d0c s4-gensec: Rename memory contexts in gensec_gssapi for greater clarity
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.

Thankyou Simo for the suggestion.

Andrew Bartlett
2011-12-29 22:31:36 +11:00
Andrew Bartlett
06bbb8a6fb s4-auth: Rename memory contexts for greater clarity
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba.

Thankyou Simo for the suggestion.

Andrew Bartlett
2011-12-29 22:30:07 +11:00
Andrew Bartlett
c2d6509c0b s4-gensec remove auth_session dep from gensec_gssapi.c
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 05:37:11 CET 2011 on sn-devel-104
2011-12-29 05:37:11 +01:00
Andrew Bartlett
3f5d30c8cb s4-gensec Remove fallback for simple privileges
This makes the dependencies simpler, as this code path is no longer
required.  (That is, it makes no sense to have an NTLM login without
an auth context, and the gensec_gssapi and gensec_krb5 modules call
the PAC blob function below instead).

Andrew Bartlett
2011-12-29 14:01:56 +11:00
Andrew Bartlett
fe693e9148 s4-torture: Demonstrate handling of the PAC in a custom auth_context
This demonstrates how a different function pointer can be supplied
to handle the PAC blob, without depending on the provisioned samdb etc.

Andrew Bartlett
2011-12-29 14:01:55 +11:00
Andrew Bartlett
2ee67e37c2 s4-pyauth: Make sure event context allows nesting 2011-12-29 14:01:55 +11:00
Andrew Bartlett
149f8f16be s4-gensec: Move parsing of the PAC blob and creating the session_info into auth
This uses a single callback to handle the PAC from the DATA_BLOB
format until it becomes a struct auth_session_info.

This allows a seperation between the GSS acceptor code and the PAC
interpretation code based on the supplied auth context.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
2011-12-29 01:10:58 +01:00
Andrew Bartlett
fc226f81c6 s4-gensec: fix cyrus sasl module after update() protype change 2011-12-29 09:36:24 +11:00
Andrew Bartlett
5815a1b777 s4-auth Remove unused auth_context_create_from_ldb() 2011-12-28 22:39:20 +11:00
Andrew Bartlett
f7a866a17c s4-gensec: Allow a PAC to be obtained from any GSS mech
This may allow Luke Howard's moonshot to work with a little less effort
at some point in the future.

Andrew Bartlett
2011-12-28 22:39:19 +11:00
Andrew Bartlett
9a085b0b80 auth/kerberos: Move gssapi_parse.c to the top level
This will help with writing a gensec module for the s3 gse layer.

Andrew Bartlett
2011-12-28 22:39:19 +11:00
Andrew Bartlett
cfb9a9d650 s4-ntlmssp Do not allow LM key without a LM password 2011-12-28 22:39:19 +11:00
Andrew Bartlett
0344e7278b auth: Allow a NULL principal to be obtained from the credentials
This is important when trying to let GSSAPI search the keytab.

Andrew Bartlett
2011-12-07 10:43:52 +11:00
Jelmer Vernooij
05bc4de083 Revert making public of the samba-module library.
This library was tiny - containing just two public functions than were
themselves trivial. The amount of overhead this causes isn't really worth the
benefits of sharing the code with other projects like OpenChange. In addition, this code
isn't really generically useful anyway, as it can only load from the module path
set for Samba at configure time.

Adding a new library was breaking the API/ABI anyway, so OpenChange had to be
updated to cope with the new situation one way or another. I've added a simpler
(compatible) routine for loading modules to OpenChange, which is less than 100 lines of code.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Dec  3 08:36:33 CET 2011 on sn-devel-104
2011-12-03 08:36:30 +01:00
Stefan Metzmacher
de553b52f2 s4:gensec/spnego: only try the mechs that match the client given ones
Windows-Members of NT4/Samba3 domains, send

MechTypes:
1.3.6.1.4.1.311.2.2.10 [NTLMSSP]
1.2.840.48018.1.2.2    [krb5 broken]
1.2.840.113554.1.2.2   [krb5]

MechToken for NTLMSSP.

This patch makes sure we start NTLMSSP with the given MechToken,
instead of trying to pass the NTLMSSP MechToken to the krb5 backend
first. As that would fail the authentication with an error
instead of trying fallbacks.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Nov 30 17:03:29 CET 2011 on sn-devel-104
2011-11-30 17:03:29 +01:00
Andrew Bartlett
2bff209128 s4-samba-tool: Add --principal argument to samba-tool domain exportkeytab
This allows only a particular principal to be exported to the keytab.
This is useful when setting up unix servers in a Samba controlled
domain.

Based on a request by Gémes Géza <geza@kzsdabas.hu>

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Nov 29 09:20:55 CET 2011 on sn-devel-104
2011-11-29 09:20:54 +01:00
Andrew Bartlett
f93ec5a027 s4-auth log details about any token we fail to convert to a unix token
Now that entries are being added into the idmap DB from Samba3, and
may be UID or GID but not BOTH, failures are more likely.

Andrew Bartlett
2011-11-18 14:38:28 +11:00
Andrew Bartlett
0ce09fcf7a lib/util Rename samba_init_module_fns_run -> samba_module_init_fns_run
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
1b7cc4ac7c lib/util Rename samba_init_module_fn -> samba_module_init_fn
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
87354c9a6d lib/util Split samba-modules library into public and private parts
This will allow OpenChange to get at the symbols it needs, without
exposing any more of this as a public API than we must.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
ce0ccc2a2e lib/util Rename run_init_functions -> samba_init_module_fns_run
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
1935b7b6c2 lib/util Rename init_module_fn to samba_init_module_fn
This prepares for making the samba_module.h header public again, for OpenChange.

I am keen to avoid too much API namespace pollution if we can.
2011-10-28 13:10:28 +02:00
Simo Sorce
8870daeb8d idl: Improve MS-PAC IDL
Change some misleading variable names to reflect the actual function.
Add missing field name/types previously marked as unkown.

Signed-off-by: Günther Deschner <gd@samba.org>

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Oct 24 19:19:28 CEST 2011 on sn-devel-104
2011-10-24 19:19:28 +02:00
Stefan Metzmacher
9b407ee6d5 s4:auth/unix_token: match s3 behavior and add uid/gid to the groups array
If mappings use ID_TYPE_BOTH.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Oct 18 10:39:54 CEST 2011 on sn-devel-104
2011-10-18 10:39:54 +02:00
Andrew Bartlett
e7d5f0a357 gensec: move event context from gensec_*_init() to gensec_update()
This avoids keeping the event context around on a the gensec_security
context structure long term.

In the Samba3 server, the event context we either supply is a NULL
pointer as no server-side modules currently use the event context.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:33 +11:00
Andrew Bartlett
f88b686167 gensec: move event-using code to gensec_update() hooks out of gensec_start*()
This ensures that only gensec_update() will require an event context argument
when the API is refactored.

Andrew Bartlett
2011-10-18 13:13:33 +11:00
Andrew Bartlett
09c5acdec8 s4-auth: match the new s3 gensec client and always negotiate SIGN with SEAL
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:32 +11:00
Andrew Bartlett
968b3674b1 ntlmssp: Prepare gensec_ntlmssp_start() for broader use
This moves the allocation of the ntlmssp pointer back to the callers.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Andrew Bartlett
0c6e4adcb2 ntlmssp: Move ntlmssp code to auth/ntlmssp
This brings in the code from both libcli/auth and
source4/auth/ntlmssp.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Andrew Bartlett
5603dab647 libcli/auth: Provide a struct loadparm_context to schannel calls
This will allow us to pass this down to the tdb_wrap layer.

Andrew Bartlett
2011-10-13 14:06:07 +02:00
Andrew Bartlett
fe02752ed6 auth: move gensec_start.c to the top level
This does not change who uses gensec for now, but makes it possible to
write new gensec modules outside source4/

Andrew Bartlett
2011-10-11 13:41:36 +11:00
Andrew Bartlett
561d834123 auth: move credentials layer to the top level
This will allow gensec_start.c to move to the top level.  This does not change
what code uses the cli_credentials code, but allows the gensec code to be
more broadly.

Andrew Bartlett
2011-10-11 13:41:36 +11:00
Andrew Bartlett
b21b012756 lib/param move source4 param code to the top level
This is done so that the lpcfg_ functions are available across the whole
build, either with the struct loadparm_context loaded from an smb.conf directly
or as a wrapper around the source3 param code.

This is not the final, merged loadparm, but simply one step to make
it easier to solve other problems while we make our slow progress
on this difficult problem.

Andrew Bartlett
2011-10-11 13:41:34 +11:00
Andrew Bartlett
7d33ec3dfe lib/util: consolidate module loading into common code
This creates a samba-modules private libary that handles the details.

Andrew Bartlett
2011-10-06 07:18:07 +02:00
Andrew Tridgell
63319c169f s4-auth: fixed formatting of some DEBUG() lines
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Oct  5 09:45:15 CEST 2011 on sn-devel-104
2011-10-05 09:45:15 +02:00
Andrew Tridgell
71f3a25ff7 s4-auth: rework map_user_info() to use cracknames
to properly support multi-domain forests we need to determine if an
incoming username is part of a known forest domain or not. To do this
for all possible SPN forms, we need to use CrackNames.

This changes map_user_info() to use CrackNames if a SAM context is
available, and asks the CrackNames services to parse the incoming
username and domain into a NT4 form, which can then be used in the
SAM.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-10-04 15:08:57 +11:00
Andrew Tridgell
0c944d07dc s4-sam: don't look in GC NCs for user accounts
We need to exclude GC partial replica naming contexts from SAM lookups

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-10-04 15:08:57 +11:00
Matthias Dieter Wallnöfer
50310ad75d s4:auth - remove unused variables
Reviewed-by: Jelmer
2011-09-19 16:31:07 +02:00
Andrew Bartlett
21c2e8b378 build: make LIBWBCLIENT_OLD and auth_unix_token libraries
This assists with avoiding duplicate symbols.

Andrew Bartlett
2011-09-08 19:33:13 +10:00
Stefan Metzmacher
9d5711e3de s4:auth/gensec: gensec.h was moved to gensec_runtime
metze
2011-09-06 15:22:19 +02:00
Jelmer Vernooij
a0eac61ace gensec: Install header file. 2011-08-21 03:22:05 +02:00
Jelmer Vernooij
7ebdd3f683 samba-credentials: Add pkg-config file. 2011-08-21 03:22:04 +02:00
Jelmer Vernooij
292fe74971 credentials: Rename library to samba-credentials to avoid name clashes.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Thu Aug 18 22:16:38 CEST 2011 on sn-devel-104
2011-08-18 22:16:38 +02:00
Jelmer Vernooij
88ecf1a9b8 Use public pytalloc header file.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Aug 14 17:18:46 CEST 2011 on sn-devel-104
2011-08-14 17:18:46 +02:00
Simo Sorce
c84caabf8c s4:misc: remove last usage of legacy event_ fn names
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Sun Aug 14 00:38:13 CEST 2011 on sn-devel-104
2011-08-14 00:38:13 +02:00
Jelmer Vernooij
f8ec7f6cb1 pytalloc: Use consistent prefix for functions, add ABI file. 2011-08-10 15:36:21 +02:00
Stefan Metzmacher
100565b8cc s4:pycredentials: PyArg_ParseTuple("i") requires an 'int' argument.
If we pass variable references we don't get implicit casting!

metze
2011-08-08 16:45:27 +02:00
Andrew Bartlett
db06b61a1d build: Make credentials a public library for OpenChange to use
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Aug  8 14:53:53 CEST 2011 on sn-devel-104
2011-08-08 14:53:53 +02:00
Andrew Bartlett
af5f494bd2 build: provide tevent-util as a public library
This is needed so that OpenChange can get at _tevent_req_nterr(), which is referenced
by generated PIDL output.

Andrew Bartlett
2011-08-08 13:34:06 +02:00
Jelmer Vernooij
fdff105854 pyldb: Consistently use pyldb_ prefix. 2011-08-07 17:08:56 +02:00
Andrew Bartlett
fec25c3a62 ntlmssp: Add ntlmssp_blob_matches_magic()
This avoids having the same check in 3 different parts of the code

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Aug  3 12:45:04 CEST 2011 on sn-devel-104
2011-08-03 12:45:04 +02:00
Andrew Bartlett
643d05826c gensec: Don't keep a second copy of the auth4_context in gensec_ntlmssp_state
The auth4_context is already in the gensec_security structure, which is
available by de-reference here anyway.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
d69843c908 s3-ntlmssp Add hooks to optionally call into GENSEC in auth_ntlmssp
This allows the current behaviour of the NTLMSSP code to be unchanged
while adding a way to hook in an alternate implementation via an auth
module.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:03 +10:00
Andrew Bartlett
35b309fa0c gensec: clarify memory ownership for gensec_session_info() and gensec_session_key()
This is slightly less efficient, because we no longer keep a cache on
the gensec structures, but much clearer in terms of memory ownership.
Both gensec_session_info() and gensec_session_key() now take a mem_ctx
and put the result only on that context.

Some duplication of memory in the callers (who were rightly uncertain
about who was the rightful owner of the returned memory) has been
removed to compensate for the internal copy.

Andrew Bartlett
2011-08-03 18:48:02 +10:00
Andrew Bartlett
d3fe48ba48 gensec: Remove mem_ctx from calls that do not return memory
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:01 +10:00
Andrew Bartlett
16b2118b43 gensec: split GENSEC into mechanism-dependent and runtime functions
The startup and runtime functions that have no dependencies are moved
into the top level.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:01 +10:00
Andrew Bartlett
2663586c8b s4-auth Fill in the remainder of the unix info in auth_session_info
Signed-off-by: Andrew Tridgell <tridge@samba.org>

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Jul 29 05:33:03 CEST 2011 on sn-devel-104
2011-07-29 05:33:03 +02:00
Andrew Bartlett
f5963aad18 s4-auth Move conversion of security_token to unix_token to auth
This allows us to honour the AUTH_SESSION_INFO_UNIX_TOKEN flag.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-29 04:24:07 +02:00
Andrew Bartlett
e84b8a72bd gensec: Add a way to request a unix token from GENSEC
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-29 04:24:07 +02:00
Amitay Isaacs
2625199d80 s4auth: Fix the object name for Py_Security
Use the object names as <modulename>.<objectname> to correctly generate the
object hierarchy in pydoc.

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-28 15:20:52 +10:00
Amitay Isaacs
6a12f7d66e s4auth: Fix the object names for PyCredentials and PyCredentialCacheContainer
Use the object names as <modulename>.<objectname> to correctly generate the
object hierarchy in pydoc.

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-28 15:20:52 +10:00
Amitay Isaacs
b9e0587960 s4auth: Remove duplicate assignment of structure variable
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-28 15:20:52 +10:00
Stefan Metzmacher
188b28b9d9 s4:auth/kerberos: activate windows related krb5 flags
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Jul 25 09:45:01 CEST 2011 on sn-devel-104
2011-07-25 09:45:01 +02:00
Andrew Bartlett
52b28ec813 auth: Split out make_user_info_SamBaseInfo and add authenticated argument
This will allow the source3 auth code to call this without needing to
double-parse the SIDs

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:14 +10:00
Stefan Metzmacher
e0541ed98d s4:auth/credentials: with the build after heimdal import
metze
2011-07-15 11:15:05 +02:00
Stefan Metzmacher
ad45072aaf s4:kdc: implement samba_kdc_check_s4u2proxy()
metze
2011-06-24 19:06:44 +02:00
Stefan Metzmacher
033f3376a8 s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs
If the KDC does not support S4U2Proxy, it might return a ticket
for the TGT client principal.

metze
2011-06-22 17:05:14 +02:00
Stefan Metzmacher
b9e095fdfb s4:auth/kerberos: add S4U2Proxy support to kerberos_kinit_password_cc()
For S4U2Proxy we need to use the ticket from the S4U2Self stage
and ask the kdc for the delegated ticket for the target service.

metze
2011-06-22 17:02:49 +02:00
Stefan Metzmacher
ede3046b8b s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs
Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets
which belongs to the client principal of the TGT.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104
2011-06-22 09:10:55 +02:00
Stefan Metzmacher
e5378e600e s4:auth/kerberos: remove one indentation level in kerberos_kinit_password_cc()
This will make the following changes easier to review.

metze
2011-06-22 08:00:24 +02:00
Stefan Metzmacher
b98428e630 s4:auth/kerberos: reformat kerberos_kinit_password_cc()
In order to make the following changes easier to review.

metze
2011-06-22 08:00:24 +02:00
Stefan Metzmacher
9c56303f5a s4:auth/kerberos: don't mix s4u2self creds with machine account creds
It's important that we don't store the tgt for the machine account
in the same krb5_ccache as the ticket for the impersonated principal.

We may pass it to some krb5/gssapi functions and they may use them
in the wrong way, which would grant machine account privileges to
the client.

metze
2011-06-22 08:00:24 +02:00
Stefan Metzmacher
b3d4962087 s4:auth/kerberos: use better variable names in kerberos_kinit_password_cc()
This will make the following changes easier to review.

metze
2011-06-22 08:00:23 +02:00
Stefan Metzmacher
7cf38425b2 s4:auth/kerberos: don't ignore return code in kerberos_kinit_password_cc()
metze
2011-06-22 08:00:23 +02:00
Brad Hards
c017cbfaa4 s4/auth: Trivial spelling fixes.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-06-21 15:54:32 +10:00
Andrew Bartlett
a1f04e8abc libcli/util Rename common map_nt_error_from_unix to avoid duplicate symbol
The two error tables need to be combined, but for now seperate the names.

(As the common parts of the tree now use the _common function,
errmap_unix.c must be included in the s3 autoconf build).

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
2011-06-20 08:12:03 +02:00
Andrew Bartlett
018f4a5889 libcli/util Bring samba4 unix -> nt_status code in common.
Due to library link orders, this is already the function that is being
used.  However we still need to sort out the duplicate symbol issues,
probably by renaming things.

Andrew Bartlett
2011-06-20 14:36:06 +10:00
Matthieu Patou
245b277749 s4: fix wrong index usage PRIMARY_USER_SID_INDEX when it should have been PRIMARY_GROUP_SID_INDEX
The system account was instanciated with wrong user an group SIDs, group
sid resulted being just the domain SID.
Bug seems to date from fbe6d155bf.

Andrew (B.) please check.
2011-06-19 23:21:08 +02:00
Andrew Tridgell
e080ae0faa s4-auth: quiet down the krb5 warnings when kerberos is not set to 'MUST'
this prevents spurious error messages on client commands when when we
will fallback to NTLM authentication

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-06-17 15:24:23 +10:00
Matthias Dieter Wallnöfer
cda2fa21eb s4:auth/ntlm/auth_unix.c - remove unused variables
Relicts from commit 323c744571

Reviewed-by: Jelmer
2011-06-11 16:25:57 +02:00
Matthias Dieter Wallnöfer
27f1779814 s4:auth/ntlm/auth.c - fix incompatible pointer type warning
Reviewed-by: Tridge
2011-06-09 09:35:32 +02:00
Andrew Bartlett
c79021382b s4-gensec bring GSS_S_CONTEXT_EXPIRED into it's own error handler
This allows us to print much more debugging in this critical situation.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Jun  8 04:19:58 CEST 2011 on sn-devel-104
2011-06-08 04:19:58 +02:00
Andrew Bartlett
9cf686f56f s4-credentials Don't use expired Kerberos or GSSAPI credentials
In a long-lived credentials cache situation, we may need to refetch
the ticket after (say) 10 hours.  This code should help that happen,
by checking the lifetime before returning any credentials cache or
GSSAPI credentials.

Andrew Bartlett
2011-06-08 03:08:22 +02:00
Andrew Bartlett
8dbab93f28 s4-credentials Allow use of file-based credentials caches for debugging.
This means that we will leave a slew of file based credentials caches
in /tmp, which should give some clues to the administrator or
developer via klist as to what has gone wrong.

Andrew Bartlett
2011-06-08 03:08:22 +02:00
Andrew Bartlett
5197331fe5 s4-auth Move default auth methods back into auth.c
This changes auth_methods_from_lp to no longer use the parametric
options, and to cope with ROLE_DOMAIN_BDC and ROLE_DOMAIN_PDC.  This
will assist in calling the source4 auth subsystem with a source3
derived lp_ctx.

Andrew Bartlett
2011-06-07 09:11:01 +10:00
Andrew Bartlett
907cdb5de7 s4-modules Remove lp_ctx from init functions that no longer need it
Now that we don't allow the smb.conf to change the modules dir, many
functions that simply load modules or initialise a subsytem that may
load modules no longer need an lp_ctx.

Andrew Bartlett
2011-06-06 17:37:51 +10:00
Matthias Dieter Wallnöfer
f44808fa11 s4:auth/ntlmssp/ntlmssp_server.c - add "const" in front of "dnsdomain"
Signed-off-by: Metze
2011-05-21 16:21:12 +02:00
Stefan Metzmacher
053ef0f605 s4:auth/credentials: S4U2Self should force CRED_MUST_USE_KERBEROS
Otherwise we would not impersonate the desired principal.
This still doesn't work for plaintext auth, but should
avoid ntlmssp.

metze
2011-05-18 07:46:41 +02:00
Stefan Metzmacher
a41efe6802 s4:auth/credentials: pass 'self_service' to cli_credentials_set_impersonate_principal()
This also adds a cli_credentials_get_self_service() helper function.

In order to support S4U2Proxy we need to be able to set
the service principal for the S4U2Self step independent of the
target principal.

metze
2011-05-18 07:46:39 +02:00
Stefan Metzmacher
c6836c8ede s4:gensec_gssapi: avoid delegation if s4u2self/proxy is used
metze
2011-05-18 07:46:38 +02:00
Andrew Bartlett
ea0ac9cdfc s4-auth Rename auth -> auth4 to avoid conflict with s3 auth 2011-05-08 10:56:26 +02:00
Andrew Tridgell
5c3e985fb5 s4-auth: remove unused prototype 2011-05-08 10:56:26 +02:00
Andrew Tridgell
323c744571 s4-auth: removed the password combinations code in auth_unix
this code never did anything due to a typo, and was untested. We
should not be inluding a password cracker in Samba anyway.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu May  5 07:00:14 CEST 2011 on sn-devel-104
2011-05-05 07:00:14 +02:00
Jeremy Allison
5c53d63348 sasl_secret_t ends in a char [1] size. This means the extra character is implicit in the safe_strcpy. When changing to strlcpy ensure we allocate an extra char for it. This fixes a bug where secret->len+1 used with safe_strcpy could actually write into secret->len+2. 2011-05-04 12:12:14 -07:00
Andrew Bartlett
2742ec0e34 Remove strlower_m() and strupper_m() from source4 and common code.
This function is problematic because a string may expand in size when
changed into upper or lower case.  This will then push characters off
the end of the string in the s3 implementation, or panic in the former
s4 implementation.

Andrew Bartlett
2011-05-03 07:37:07 +02:00
Andrew Bartlett
cdd802af83 s4-messaging Rename messaging -> imessaging
This avoid symbol and structure conflicts between Samba3 and Samba4,
and chooses a less generic name.

Andrew Bartlett
2011-05-03 07:37:07 +02:00
Andrew Bartlett
dbbc6e9dda s4-param Remove config_path() -> lpcfg_config_path()
This is consistent with lock_path()

Andrew Bartlett
2011-04-29 16:38:14 +10:00
Andrew Bartlett
722ec8b347 s4-gensec: Use new common 'obtain the PAC' functions.
Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Apr 27 05:08:10 CEST 2011 on sn-devel-104
2011-04-27 05:08:10 +02:00
Andrew Bartlett
e04bab4a19 libcli/auth Move Samba4's gssapi_error_string from GENSEC to libcli/auth
This will allow the GSSAPI PAC fetch code to use it.

Andrew Bartlett
2011-04-27 11:21:37 +10:00
Andrew Bartlett
f28f5db15a libcli/auth Move PAC parsing and verification in common.
This uses the source3 PAC code (originally from Samba4) with some
small changes to restore functionality needed by the torture tests,
and to have a common API.

Andrew Bartlett
2011-04-20 04:31:07 +02:00
Andrew Bartlett
bbeba18b1c s3-auth Rename smb_krb5_open_keytab to avoid a conflict with s3
The s3 function doesn't use the keytab_container concept.

Andrew Bartlett
2011-04-14 16:38:27 +10:00
Andrew Bartlett
4ba1375526 libcli/auth Move krb5 wrapper functions from s3 into common
This requires a small rework of the build system to ensure that the
correct #define statements are made in both the s3 and top level
builds.  We now define the various HAVE_ macros in config.h at all
times, using heimdal_build/wscript_configure when that is in use.

Andrew Bartlett
2011-04-14 16:38:26 +10:00
Andrew Tridgell
a8da13cd5c lib: make asn1_util a private library
this prevents symbol duplication of the asn1 symbols in the service
and ntvfs subsystems

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-04-06 08:12:19 +02:00
Andrew Bartlett
663dc94e63 auth: Move auth_session_info into IDL
This changes auth_session_info_transport to just be a wrapper, rather
than a copy that has to be kept in sync.

As auth_session_info was already wrapped in python, this required
changes to the existing pyauth wrapper and it's users.

Andrew Bartlett
2011-04-05 23:46:04 +02:00
Andrew Bartlett
f261266c9d s4-auth: Always talloc_zero() the struct auth_session_info 2011-04-05 23:46:04 +02:00
Andrew Tridgell
db0316832a s4-krb5: be a bit less verbose about krb5 packets
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-04-04 10:30:30 +10:00
Jeremy Allison
52602e4f5a Fix inspired by work done by David Disseldorp for bug #8040 - smbclient segfaults when a Cyrillic netbios name or workgroup is configured.
Change msrpc_gen to return NTSTATUS and ensure everywhere this is
used it is correctly checked to return that status.

Jeremy.
2011-03-28 23:12:07 +02:00
Matthias Dieter Wallnöfer
3940777a14 s4:python bindings - handle NULL returns from "loadparm_init_global"
Reviewed-by: Jelmer

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Tue Mar 22 19:52:57 CET 2011 on sn-devel-104
2011-03-22 19:52:57 +01:00
Matthias Dieter Wallnöfer
bd25bc133a s4:auth/system_session.c - check for OOM
Reviewed-by: Jelmer
2011-03-22 19:04:41 +01:00
Jelmer Vernooij
7e039c7dda source4/auth: Fix prototypes for all functions. 2011-03-19 03:20:05 +01:00
Jelmer Vernooij
557f830c4f source4/auth/ntlm: Fix prototypes for all functions. 2011-03-19 03:20:05 +01:00
Jelmer Vernooij
8823aeaf24 source4/auth/gensec: Fix prototypes for all functions. 2011-03-19 03:20:05 +01:00
Simo Sorce
a57c2b02f1 Fix public header not to include private (not installed) ones.
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Mon Mar 14 17:01:20 CET 2011 on sn-devel-104
2011-03-14 17:01:20 +01:00
Günther Deschner
dc35442fb1 s4-nterr: move auth_nt_status_squash to nt_status_squash and move to nterr.c
Guenther
2011-03-04 01:18:42 +01:00
Jelmer Vernooij
59a077d8f5 Fix some types
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Feb 28 23:30:06 CET 2011 on sn-devel-104
2011-02-28 23:30:06 +01:00
Jelmer Vernooij
31d09b13d3 tdb: Use <tdb.h> to include tdb so system headers are found when building against system tdb. 2011-02-28 21:11:21 +01:00
Andrew Tridgell
74947964d9 build: moved spnego_parse.c into a common subsystem 2011-02-24 15:08:50 +11:00
Andrew Tridgell
8dbe665a0c build: moved schannel_sign.c into a shared COMMON_SCHANNEL subsystem
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-24 11:57:48 +11:00
Andrew Tridgell
d37a55548b build: moved libcli/auth/ntlmssp*.c into a common libcliauth.so library
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-24 11:57:48 +11:00
Andrew Bartlett
e3821f2c40 s4-auth Move libcli/security/session.c to the top level
This code is now useful in common, as the elements of the
auth_session_info structure have now been defined in common IDL.

Andrew Bartlett
2011-02-22 16:20:11 +11:00
Andrew Tridgell
ed71c1ef1f s4-auth: rename 'auth' subsystem to 'auth4'
this prevents conflicts with the s3 auth modules. The auth modules in
samba3 may appear in production smb.conf files, so it is preferable to
rename the s4 modules for minimal disruption.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-18 15:09:46 +11:00
Günther Deschner
3722f65359 librpc: make NDR_KRB5PAC a shared library (libndr-krb5pac.so).
Simo, please check.

Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Feb 14 18:54:38 CET 2011 on sn-devel-104
2011-02-14 18:54:38 +01:00
Andrew Tridgell
8dc92c8f71 ldb: use #include <ldb.h> for ldb
thi ensures we are using the header corresponding to the version of
ldb we're linking against. Otherwise we could use the system ldb for
link and the in-tree one for include

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-10 06:51:07 +01:00
Andrew Tridgell
e26b1a6968 s4-krb5: authkrb5 should depend on ldb
this fixes the include path to add ldb

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-10 06:51:07 +01:00
Andrew Bartlett
d66150c14d libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport
This changes the structure being used to convey the current user state
from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built
structure that matches the internals of the Samba auth subsystem and
contains the final group list, as well as the final privilege set and
session key.

These previously had to be re-created on the server side of the pipe
each time.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-10 06:51:06 +01:00
Andrew Bartlett
4cfee6f88e auth Move auth_sam_reply into the top level.
These functions provide conversions between some netlogon.idl and
auth.idl structures

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-10 06:51:06 +01:00
Andrew Bartlett
7e76367e59 s4-auth Fix setting of bad_password_count in auth_convert_user_info_dc_sambaseinfo()
Discovered during the convertion to auth_user_info.

Andrew Bartlett
2011-02-09 01:11:06 +01:00
Andrew Bartlett
a2ce53c1f5 s4-auth Rework auth subsystem to remove struct auth_serversupplied_info
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc.  This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.

The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.

Andrew Barltett
2011-02-09 01:11:06 +01:00
Andrew Bartlett
f1c0e9532d s4-auth Add auth.idl to encode auth subsystem structures in IDL
This is not only a useful way to encode stuff, it also allows python
to handle the structures, and natrually allows them to be NDR encoded.

Andrew Bartlett
2011-02-09 01:11:06 +01:00
Günther Deschner
34722c72f6 pam: share pam errors in a common location.
Guenther
2011-02-08 14:05:36 +01:00
Andrew Bartlett
7faa3be453 s4-python Ensure we add the Samba python path first.
This exact form of the construction is important, and we match on it
in the installation scripts.

Andrew Bartlett
2011-02-02 15:21:12 +11:00
Matthias Dieter Wallnöfer
7b9ead17f1 s4:auth/pyauth.c - temporarily add compatibility code for Python 2.4
This patch has been commited by request of Jelmer.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Jan 30 19:07:57 CET 2011 on sn-devel-104
2011-01-30 19:07:57 +01:00
Andrew Bartlett
fbe6d155bf s4-auth Remove special case for account_sid from auth_serversupplied_info
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **.  This is in keeping with
the other sid lists in the security_token etc.

In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.

Andrew Bartlett
2011-01-20 23:44:05 +01:00
Andrew Bartlett
cce5231b4d s4-gensec Add prototype for gensec_ntlmssp_init()
Andrew Bartlett
2011-01-20 23:44:05 +01:00
Andrew Bartlett
084b4e235e libcli/auth move ntlmssp_wrap() and ntlmssp_unwrap() into common code.
The idea here is to allow the source3/libads/sasl.c code to call this
instead of the lower level ntlmssp_* functions.

Andrew Bartlett
2011-01-20 23:44:05 +01:00
Andrew Bartlett
6d93af433e s4-pyauth Fix AuthContext wrapper 2011-01-19 12:29:05 +01:00
Andrew Bartlett
a7e238d322 s4-auth Allow NULL methods to be specified to auth_context_create_methods()
This allows us to init an auth context that isn't going to do any NTLM
authentication, but is used by other subsystems.

Andrew Bartlett
2011-01-19 12:29:05 +01:00
Andrew Bartlett
902e18329f s4-gensec Remove special case 'for SASL' that is not required any more.
I've examined the code paths involved, and it appears an alternative
fix has been made in the ldap_server/ldap_bind.c code, and there is no
code path that uses this behaviour.

Andrew Bartlett
2011-01-19 12:29:05 +01:00
Andrew Tridgell
bc0230be1d pygensec: remove special case handling for None for buffers
always returning a buffer makes life easier for callers

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-19 01:35:22 +01:00
Andrew Bartlett
a1e1f02efe s4-gensec Extend python bindings for GENSEC and the associated test
This now tests a real GENSEC exchange, including wrap and unwrap,
using GSSAPI.  Therefore, it now needs to access a KDC.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Jan 18 11:41:26 CET 2011 on sn-devel-104
2011-01-18 11:41:26 +01:00
Andrew Bartlett
24a4b9a738 s4-auth Extend python bindings to allow ldb and message to be specified
This will allow for some more tokenGroups tests in future.

Andrew Bartlett
2011-01-18 10:55:05 +01:00
Andrew Bartlett
08051ae29e s4-pygensec Fix indentation of py_gensec_start_mech_by_name() 2011-01-18 10:55:05 +01:00
Andrew Bartlett
147f075c47 s4-pygensec Add bindings for server_start() and update() 2011-01-18 10:55:05 +01:00
Andrew Bartlett
969c1b58eb s4-pyauth Add bindings for auth_context_create() as AuthContext() 2011-01-18 10:55:05 +01:00
Andrew Bartlett
017fbcdd10 s4-pyauth Use py_talloc_get_type() for greater talloc binding safety
This does a talloc check of the returned pointer before casting it.

Andrew Bartlett
2011-01-18 10:55:05 +01:00
Andrew Bartlett
9b643c8c83 s4-gensec Don't steal the auth_context, reference it.
We don't want to steal this pointer away from the caller if it's been
set up from python.

Andrew Bartlett
2011-01-18 10:55:05 +01:00
Matthias Dieter Wallnöfer
32e7d7654f s4:auth/ntlm/auth_sam.c - fix call to "get_server_info_principal"
This should obviously point to the wrapper not the call itself.

Found out by Tru64 host build warning.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Jan 15 18:05:59 CET 2011 on sn-devel-104
2011-01-15 18:05:59 +01:00
Andrew Tridgell
8df6504ffe s4-auth: fixed status return
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-14 16:39:33 +11:00
Andrew Bartlett
edd3b033b8 s4-auth Add get and set methods for auth_session_info python wrapper
This allows the session key, security_token and credentials to be
manipulated from python.

Andrew Bartlett

Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2011-01-14 16:39:32 +11:00
Andrew Bartlett
ece6eae4d8 s4-auth Add function to obtain any user's session_info from a given LDB
This will be a building block for a tokenGroups test, which can
compare against a remote server (in particular the rootDSE) against
what we would calculate the tokenGroups to be.

(this meant moving some parts out of the auth_sam code into the
containing library)

Andrew Bartlett
2011-01-14 16:39:32 +11:00
Andrew Bartlett
c82269cf86 s4-auth use new dsdb_expand_nested_groups()
This isn't quite as good as using tokenGroups, but that is only
available for BASE searches, and this isn't how the all the callers
work at the moment.

Andrew Bartlett
2011-01-14 16:39:32 +11:00
Stefan Metzmacher
cbf6c88aa8 s4:gensec/schannel: use netsec_outgoing_sig_size() to get the signature size
metze
2011-01-03 16:44:28 +01:00
Jelmer Vernooij
3b4fd3573e heimdal_build: Add missing dependencies when building with system heimdal.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Jan  1 04:46:35 CET 2011 on sn-devel-104
2011-01-01 04:46:35 +01:00
Matthias Dieter Wallnöfer
71d0fd88d2 s4:auth/session.h - use a forward declaration for type "struct ldb_context"
And remove the now obsolete one for "struct tevent_context"

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Tue Dec 21 11:17:34 CET 2010 on sn-devel-104
2010-12-21 11:17:34 +01:00
Andrew Bartlett
446f8a163c s4-auth Ensure that we always copy across domain groups
Even if we can't calculate the local groups (because we don't have a
local SAM to do it with) we still need to include the domain groups in
the session_info token.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Dec 21 05:56:22 CET 2010 on sn-devel-104
2010-12-21 05:56:22 +01:00
Andrew Bartlett
6f7423c7f1 s4-auth Remove duplicate copies of session_info creation code
We now just do or do not call into LDB based on some flags.

This means there may be some more link time dependencies, but we seem
to deal with those better now.

Andrew Bartlett
2010-12-21 15:10:38 +11:00
Andrew Bartlett
1961d7a411 s4-auth rework session_info handling not to require an auth context
This reverts a previous move to have this based around the auth
subsystem, which just spread auth deps all over unrelated code.

Andrew Bartlett
2010-12-21 15:10:38 +11:00
Andrew Bartlett
94a59b781c s4-auth Remove event context from privilage database handling
These local TDB operations can quite safely be handled in a new/nested
event context, rather than using the main event context.

Andrew Bartlett
2010-12-21 15:10:38 +11:00
Andrew Bartlett
becaa18a46 s4-auth Remove obsolete comment
The code that this referred to went away in September with
7dbfeb0dc0

Andrew Bartlett
2010-12-21 15:10:37 +11:00
Matthias Dieter Wallnöfer
89522ea5b1 s4:auth/gensec/spnego.c - remove unused variable "principal" 2010-12-21 15:10:37 +11:00
Stefan Metzmacher
f126cb9eea s4:gensec/spnego: only look at the optimistic token if we support the first mech
As a server only try the mechs the client proposed
and only call gensec_update() with the optimistic token
for the first mech in the list.

If the server doesn't support the first mech we pick the
first one in the clients list we also support.
That's how w2k8r2 works.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Dec 14 16:50:50 CET 2010 on sn-devel-104
2010-12-14 16:50:49 +01:00
Jelmer Vernooij
35fbc7bbda s4-smbtorture: Make test names lowercase and dot-separated.
This is consistent with the test names used by selftest, should
make the names less confusing and easier to integrate with other tools.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Dec 11 04:16:13 CET 2010 on sn-devel-104
2010-12-11 04:16:13 +01:00
Andrew Bartlett
154b431093 s4-spnego Match Windows 2008, and no longer supply a name in the CIFS Negprot
Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec  9 08:50:28 CET 2010 on sn-devel-104
2010-12-09 08:50:27 +01:00
Andrew Tridgell
735c1cd2da s4-pkgconfig: add @LIB_RPATH@ to our link flags
this is only set when rpath is used on install. It ensures that
applications that link against Samba libraries get the rpath right

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Dec  8 12:46:00 CET 2010 on sn-devel-104
2010-12-08 12:46:00 +01:00
Andrew Bartlett
94f4929e04 s4-spnego use "not_defined_in_RFC4178@please_ignore" if no principal specified
We need to make this the default, but for now just send it if we have
not been given a target principal.

Andrew Bartlett
2010-12-08 08:55:04 +01:00
Andrew Bartlett
a21cb5a0a1 libcli/auth bring ADS_IGNORE_PRINCIPAL in common 2010-12-08 08:55:04 +01:00
Matthias Dieter Wallnöfer
f1db3c52de s4:auth/gensec/gensec_krb5.c - fix/reorder memory free operations
To prevent memory leaks
2010-12-04 16:40:25 +01:00
Matthias Dieter Wallnöfer
ee311beabe s4:auth/gensec/gensec_krb5.c - remove a pointless "nt_status" test
There is no operation which sets the "nt_status" before the "if".
2010-12-04 16:40:25 +01:00
Matthias Dieter Wallnöfer
3fb5ae600e s4:auth/kerberos/kerberos_pac.c - fix another memory leak regarding the KRB principal
In addition fix a counter type

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Dec  4 15:14:46 CET 2010 on sn-devel-104
2010-12-04 15:14:46 +01:00
Matthias Dieter Wallnöfer
f92055f298 s4:dsdb/common/util_samr.c and auth/sam.c - fix error message 2010-12-04 14:27:40 +01:00
Matthias Dieter Wallnöfer
e2a89d6ba7 s4:auth/sam.c - when printing out a string buffer we don't strictly need the width
The precision (maximum numbers of characters) should be enough.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Dec  3 10:26:39 CET 2010 on sn-devel-104
2010-12-03 10:26:39 +01:00
Matthias Dieter Wallnöfer
4ae9aec17c s4:auth/sam.c - the check for the SAMDB needs to be on the top of the call
Otherwise it's really useless.
2010-12-03 09:19:42 +01:00
Matthias Dieter Wallnöfer
5e1c9b562c s4:auth/sam.c - fix the free of memory contexts
"tmp_ctx" needs always to be freed ("res" is freed implicitly)
2010-12-03 09:18:23 +01:00
Matthias Dieter Wallnöfer
07e18e8f7c s4:auth/sam.c - specify the SID ignore case better
As per suggestion by metze.
2010-12-03 09:17:01 +01:00
Matthias Dieter Wallnöfer
7a5e47bf4e s4:auth/sam.c-"authsam_expand_nested_groups" - don't fail if we've memberships on non-SAM objects
This can be expected (think at a membership of a "groupOfNames" group) and we
shouldn't blame about it.

This fixes a bug reported on the technical mailing list.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Thu Dec  2 17:17:56 CET 2010 on sn-devel-104
2010-12-02 17:17:55 +01:00
Jelmer Vernooij
8428311ce5 pygensec: Fix initialization.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Wed Dec  1 02:33:06 CET 2010 on sn-devel-104
2010-12-01 02:33:06 +01:00
Jelmer Vernooij
f43ffed781 pyauth: Use talloc.Object. 2010-12-01 01:48:25 +01:00
Jelmer Vernooij
fce73d7eff pygensec: Use talloc.Object. 2010-12-01 01:48:25 +01:00
Jelmer Vernooij
00251d9e56 pycredentials: Use talloc.Object. 2010-12-01 01:48:25 +01:00
Matthias Dieter Wallnöfer
bd4006fb9e s4:auth/gensec/gensec_tstream.c - quiet warnings on Solaris "cc" 2010-11-29 14:48:13 +01:00
Matthias Dieter Wallnöfer
7fb9087e64 s4:auth/ntlmssp/ntlmssp_server.c - remove unnecessary ";" 2010-11-29 14:48:12 +01:00
Matthias Dieter Wallnöfer
cc553eaf97 s4:auth/gensec/gensec_gssapi.c - always print error messages on the same talloc context 2010-11-29 11:33:04 +01:00
Kamen Mazdrashki
092e923e2b s4-tests/bind.py: Use samba.tests.connect_samdb() instead of directly using SamDB class
connect_samdb() functino will correctly handle things like:
- session_info param - it will create system_session() using supplied
  LoadParm parameter and thus avoiding creation of multiple LoadParm
  instances (LoadParm() will mask certain command line supplied options)
- host url will be prefixed with ldap:// automatically

Autobuild-User: Kamen Mazdrashki <kamenim@samba.org>
Autobuild-Date: Sun Nov 28 03:00:41 CET 2010 on sn-devel-104
2010-11-28 03:00:41 +01:00
Nadezhda Ivanova
f42802e22f s4-tests: Modified bind.py to use samba.tests.delete_force 2010-11-25 01:11:29 +02:00
Arnaud Faucher
2ac5cedb71 Avoid the use of PyAPI_DATA, which is for internal Python API's.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Nov 22 00:52:56 CET 2010 on sn-devel-104
2010-11-22 00:52:56 +01:00
Andrew Tridgell
5f655e99a1 s4-gensec: zero the gssapi_state
this fixes a use of the target_principal before initialisation

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-17 23:55:38 +11:00
Andrew Bartlett
2b7730d291 s4-gensec Indicate if GENSEC is in client or server mode in the debug 2010-11-15 23:17:05 +00:00
Jelmer Vernooij
e422c2a4a5 auth/ntlm: Use name consistent with other service names. 2010-11-15 03:14:23 +01:00
Andrew Bartlett
02d320394f auth/gensec Handle incorrect username or password in Kerberos client code
Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Nov 15 02:09:40 UTC 2010 on sn-devel-104
2010-11-15 02:09:39 +00:00
Andrew Tridgell
7cb0f95bf2 s4-auth: fixed infinite loop in krb5 auth
we were continually trying the first address returned, instead of
moving to the next address

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Nov 14 04:11:28 UTC 2010 on sn-devel-104
2010-11-14 04:11:28 +00:00
Andrew Tridgell
6582d4739c s4-auth: fixed crash in krb5 auth
remote_addr was used after free
2010-11-14 13:53:29 +11:00
Andrew Tridgell
8e34df462c s4-test: we need to import testtools before subunit/python
subunit/python depends on testtools

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sat Nov 13 02:02:45 UTC 2010 on sn-devel-104
2010-11-13 02:02:45 +00:00
Anatoliy Atanasov
9cdb0b5cee s4/test: Expand BindTest
The test now binds with user@realm, domain\user, user dn, computer dn

Autobuild-User: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
Autobuild-Date: Thu Nov 11 16:15:30 UTC 2010 on sn-devel-104
2010-11-11 16:15:30 +00:00
Andrew Bartlett
10c82d0619 s4-auth Supply more useful error messages on Kerberos failure
The practice of returning only NT_STATUS_INVALID_PARAMETER hasn't
helped our users to debug problems effectivly, and so we now return
more errors and try and give a more useful debug message when then
happen.

Andrew Bartlett
2010-11-08 18:15:23 +11:00
Brad Hards
cd4c3d6d7b s4-auth Fix typos in samba4 auth code 2010-11-08 18:15:23 +11:00
Jelmer Vernooij
4217734a51 credentials: Lowercase library name,
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Nov  7 01:48:44 UTC 2010 on sn-devel-104
2010-11-07 01:48:44 +00:00
Jelmer Vernooij
0878399bd5 samdb: Lowercase library name. 2010-11-07 01:52:13 +01:00
Andrew Bartlett
14f455ba99 s4-kerberos Mention the remote address we fail to contact the KDC on 2010-11-05 23:42:08 +11:00
Anatoliy Atanasov
211f6d5f55 s4/auth: Add logon_parameters to authenticate_username_pw
We need to be able to set the logon parameters in the same way as in the
ntlm server so we can handle openldap simple authentication call correctly.

Autobuild-User: Anatoliy Atanasov <anatoliy@samba.org>
Autobuild-Date: Fri Nov  5 06:32:43 UTC 2010 on sn-devel-104
2010-11-05 06:32:43 +00:00
Anatoliy Atanasov
d952f6c391 s4/test: Added test for simple bind with machine account
Samba4 returns error on simple bind, when we do it using openldap
simple_bind_s api.
2010-11-05 07:50:17 +02:00
Andrew Tridgell
003a36eb5e s4-auth: unconditionally set previous_ev
we need the caller to know when the previous_ev was NULL

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-04 20:35:43 +11:00
Philip M. White
cb9d048f90 s4:waf - fix the build on Gentoo platforms
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-11-03 08:22:54 +01:00
Andrew Tridgell
28c1e4d3eb s4-modules: get rid of the remaining static prototypes for modules
the waf build now generates the prototype declarations for us
2010-11-01 18:55:19 +11:00
Andrew Tridgell
97c0def79d s4-auth: added a dependency on com_err
this helps with the gentoo build. The problem is that without the
depenency, we don't add the cflags from the pkgconfig for com_err to
the build of auth/gensec. That really reflects a more general problem
with propogation of include dependencies, but this simple fix should
be enough for now.

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Oct 31 13:13:33 UTC 2010 on sn-devel-104
2010-10-31 13:13:33 +00:00
Jelmer Vernooij
3deece5591 s4: Remove the old perl/m4/make/mk-based build system.
The new waf-based build system now has all the same functionality, and
the old build system has been broken for quite some time.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
2010-10-31 02:01:44 +00:00
Andrew Tridgell
2ea41fdbe2 s4-cmdline: make cmdline-credentials a private library 2010-10-30 23:49:01 +11:00
Andrew Tridgell
045e3445a0 s4-auth: make KERBEROS subsystem into authkrb5 private library
this fixes some double linking. The name 'KERBEROS' was also a bit
confusing, as it sounded like a base kerberos library, when it is in
fact part of auth
2010-10-30 23:49:01 +11:00
Andrew Tridgell
7a26bb9f77 s4-credentials: make a private library from CREDENTIALS subsystem
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-30 23:49:01 +11:00
Andrew Bartlett
51dd83a50c auth/credentials Give a sensible behaviour for resetting the krb5 context
This extra code isn't used at the moment, but I noticed the old API
was rather supprising in it's behaviour, and might catch someone out
at some later time.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Oct 27 05:24:22 UTC 2010 on sn-devel-104
2010-10-27 05:24:22 +00:00
Jelmer Vernooij
a702c07e02 talloc: change pytalloc-util to be a public library. 2010-10-26 10:17:19 -07:00
Jelmer Vernooij
8cf61377aa waf: Remove lib prefix from libraries manually. 2010-10-26 10:17:17 -07:00
Jelmer Vernooij
d9cbcdd410 s4: Drop duplicate 'lib' prefix for private libraries. 2010-10-26 10:17:16 -07:00
Jelmer Vernooij
a57bd4e2d8 s4: Rename WBCLIENT to wbclient. 2010-10-24 00:20:04 +00:00
Jelmer Vernooij
833480d3ad s4: Rename LIBSAMBA-* to libsamba-* 2010-10-24 00:20:04 +00:00
Jelmer Vernooij
ca16d805bd s4: Rename LIBSECURITY{_SESSION,} to libsecurity{_session,} 2010-10-24 00:20:04 +00:00
Jelmer Vernooij
2933fac7c7 s4: Rename NSS_WRAPPER to nss_wrapper.
Only link to nss_wrapper when it is enabled.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Oct 23 23:05:44 UTC 2010 on sn-devel-104
2010-10-23 23:05:43 +00:00
Jelmer Vernooij
9757a0c54c s4: Rename UID_WRAPPER to uid_wrapper.
Only link to uid_wrapper when it is enabled.
2010-10-23 22:24:06 +00:00
Jelmer Vernooij
cf26d8a958 s4: Rename LIBEVENTS to libevents. 2010-10-23 22:24:06 +00:00
Andrew Tridgell
3981399957 s4-waf: removed the XATTR and SASL aliases
these were hangovers from the old build system names

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-21 19:03:25 +11:00
Andrew Tridgell
e73739a338 s4-auth: make auth a private library
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-21 19:03:24 +11:00
Andrew Bartlett
897583476c s4-auth Add DEBUG() for invalid DNs and errors expanding user groups.
Against the OpenLDAP backend, I currently get failures.  This makes it
possible to debug those failures.

Andrew Bartlett
2010-10-19 22:34:58 +11:00
Andrew Bartlett
73d6bb7447 s4-gensec Don't give more to sasl_encode() than it will permit
We need to ask the library how much data to pass in at any time.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 19 08:37:45 UTC 2010 on sn-devel-104
2010-10-19 08:37:45 +00:00
Andrew Bartlett
15a3077885 s4-gensec Don't upgrade all DIGEST-MD5 connections to seal
The issue here is that when props.max_ssf = UINT_MAX was always set,
as was the maxbufsize, and the connection would always be upgraded,
regardless of the callers wishes.

Andrew Bartlett
2010-10-19 18:57:06 +11:00
Matthias Dieter Wallnöfer
3ead246062 s4:"util_ldb" - remove some really unused dependancies 2010-10-18 19:35:11 +02:00
Andreas Schneider
d42ddd7b60 s4-gensec: Add dependency on com_err to GENSEC_KRB5. 2010-10-18 14:03:05 +02:00
Matthias Dieter Wallnöfer
a3f61dea40 Revert "s4:remove "util_ldb" submodule and integrate the three gendb_* calls in "dsdb/common/util.c""
This reverts commit 8a2ce5c47c.

Jelmer pointed out that these are also in use by other LDB databases - not only
SAMDB ones.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
2010-10-17 13:37:16 +00:00
Matthias Dieter Wallnöfer
8a2ce5c47c s4:remove "util_ldb" submodule and integrate the three gendb_* calls in "dsdb/common/util.c"
They're only in use by SAMDB code.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
2010-10-17 09:40:13 +00:00
Matthias Dieter Wallnöfer
a0e9814c0d s4:dsdb - remove "samdb_result_uint", "samdb_result_int64", "samdb_result_uint64" and "samdb_result_string"
We have ldb_msg_find_attr_as_* calls which do exactly the same. Therefore this
reduces only code redundancies.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-15 08:36:01 +11:00
Andrew Bartlett
5742f5115c libcli/security Use common security.h
This includes dom_sid.h and security_token.h and will be moved
to the top level shortly.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 03:35:36 UTC 2010 on sn-devel-104
2010-10-12 03:35:36 +00:00
Andrew Bartlett
911169451b s4-credentials Allocate ldb result on correct memory context 2010-10-12 02:54:16 +00:00
Andrew Bartlett
0487ef0a70 libcli/security Add debug class to security_token_debug() et al
This will allow it to replace functions in source3 that use debug classes.

Andrew Bartlett
2010-10-12 02:54:16 +00:00
Jelmer Vernooij
484939db0f samdb_common, ntlm: Add missing dependency on libsamba-hostconfig. 2010-10-11 15:13:16 +00:00
Andrew Bartlett
42127cdbb0 s4-credentials Add explicit event context handling to Kerberos calls (only)
By setting the event context to use for this operation (only) onto
the krb5_context just before we call that operation, we can try
and emulate the specification of an event context to the actual send_to_kdc()

This eliminates the specification of an event context to many other
cli_credentials calls, and the last use of event_context_find()

Special care is taken to restore the event context in the event of
nesting in the send_to_kdc function.

Andrew Bartlett
2010-10-11 13:02:16 +00:00