1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

1281 Commits

Author SHA1 Message Date
Jelmer Vernooij
3fea9df85a s4-param: Check type when converting python object to lp_ctx, fix some
memory leaks.
2010-09-22 17:48:23 -07:00
Jelmer Vernooij
63031a2a78 pygensec: Implement start_mech_by_name(). 2010-09-22 17:48:23 -07:00
Jelmer Vernooij
e12e661f35 s4-selftest: Move more tests to scripting/python, simplifies running of tests. 2010-09-21 22:54:38 -07:00
Andrew Bartlett
6832d5e933 libcli/auth/ntlmssp Be clear about talloc parents for session keys
The previous API was not clear as to who owned the returned session key.
This fixes a valgrind-found use-after-free in the NTLMSSP key derivation code,
and avoids making allocations - we steal and zero instead.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-16 21:09:17 +10:00
Andrew Tridgell
89827af525 s4-kerberos: obey the credentials setting for forwardable tickets
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 16:08:46 +10:00
Andrew Tridgell
efb37a5b8c s4-pycredentials: expose forwardable setting via python
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 16:08:46 +10:00
Andrew Tridgell
6a82997285 s4-credentials: added ability to control forwardable attribute on krb5 tickets
with the latest bind9 nsupdate, we need to be able to control if the
ticket we use is forwardable

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 16:08:46 +10:00
Andrew Tridgell
5b02cf1eb0 s4-auth: allow multiple active auth backends
when we are an RODC we need to be able to allow multiple auth backends
to process a single auth request. First the sam backend will try to
authenticate, using locally stored passwords. If this backend can't
find local passwords then it will try the winbind backend and
authenticate via a writeable DC

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15 15:39:34 +10:00
Andrew Tridgell
13a8745cae s4-rodc: add a trigger message for REPL_SECRET to auth_sam
when an RODC tries to authenticate against an account and the account
has no password information it needs to send a message to the drepl
server to tell it to try and replicate the secret information from
a writeable DC

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15 15:39:34 +10:00
Volker Lendecke
ba726b5580 s4: Fix two typos 2010-09-14 22:26:17 -07:00
Andrew Bartlett
e13ed6fc78 s4:gensec Put the "NTLM" string for NTLMSSP's SASL name in a header 2010-09-11 22:32:43 +10:00
Andrew Tridgell
837230f85e s4-credentials: get all attributes in cli_credentials_set_secrets()
This ensures we get whenChanged, which is needed by the s3 winbind
code to ensure we don't repeatedly try to change the password
2010-09-11 22:32:43 +10:00
Stefan Metzmacher
8202cf7966 s4:auth_winbind: use irpc_binding_handle_by_name()
metze
2010-09-03 17:01:56 +02:00
Stefan Metzmacher
705f4c2056 s4:auth_winbind: remove unused winbind_samba3 backend
This uses the winbind protocol directly, which needs to be avoided!

metze
2010-09-03 17:00:16 +02:00
Stefan Metzmacher
0f35d51ab6 s4:auth_winbind: fix segfault in winbind_check_password_wbclient()
We should only look at err if WBC_ERR_AUTH_ERROR is returned.

metze
2010-09-03 16:53:35 +02:00
Stefan Metzmacher
5b0e0acc81 s4:auth_winbind: fix compiler warnings
metze
2010-09-03 13:40:00 +02:00
Andrew Tridgell
cecc58e058 s4-auth: make the disabled acct messages a bit less verbose
raise the debug level

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-02 13:37:08 +10:00
Matthias Dieter Wallnöfer
e4afcd62bc s4:credentials_krb5.c - quiet a Solaris warning 2010-08-27 19:11:44 +02:00
Matthias Dieter Wallnöfer
53a3234703 s4:ntlm/auth.c - add a whitespace in a debug output 2010-08-26 21:06:07 +02:00
Andrew Bartlett
6cf29b3e4f s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid
This makes the structure much more like NT_USER_TOKEN in the source3/
code.  (The remaining changes are that privilages still need to be merged)

Andrew Bartlett
2010-08-23 08:50:55 +10:00
Andrew Bartlett
23dc2e4244 s4:auth Change {anonymous,system}_session to use common session_info generation
This also changes the primary group for anonymous to be the anonymous
SID, and adds code to detect and ignore this when constructing the token.

Andrew Bartlett
2010-08-18 09:50:45 +10:00
Andrew Bartlett
2ceb3d8d35 s4:auth Avoid doing database lookups for NT AUTHORITY users 2010-08-18 09:50:45 +10:00
Andrew Bartlett
ba52834dd9 s4:auth Remove system_session_anon() from python bindings 2010-08-18 09:50:44 +10:00
Andrew Bartlett
a68a5592c5 s4:auth Remove the system:anonymous parameter used for the LDAP backend
This isn't needed any more, and just introduces complexity.
2010-08-18 09:50:44 +10:00
Andrew Bartlett
d99ff145ae s4:auth Remove special case constructor for admin_session()
There isn't a good reason why this code is duplicated.

Andrew Bartlett
2010-08-18 09:50:44 +10:00
Andrew Bartlett
7c6ca95bec s4:security Remove use of user_sid and group_sid from struct security_token
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-18 09:50:38 +10:00
Andrew Bartlett
272e49e85c s4:auth Move struct auth_usersupplied_info to a common location
This also changes the calling convention slightly - we should always
allocate this with talloc_zero() to allow some elements to be
optional.  Some elements may only make sense in Samba3, which I hope
will use this common structure.

Andrew Bartlett
2010-08-14 11:58:13 +10:00
Andrew Bartlett
75adca63f2 libcli/auth Make the source3/ implementation of the NTLMSSP server common
This means that the core logic (but not the initialisation) of the
NTLMSSP server is in common, but uses different authentication backends.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-10 16:22:04 +02:00
Andrew Bartlett
1e83b36afb libcli/auth Move some source3/ NTLMSSP functions to the common code.
libcli/auth Use true and false rather than True and False in common code

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-10 11:56:33 +02:00
Andrew Tridgell
56db40d5fd s4-build: use @PACKAGE_VERSION@ in s4 pc.in files
this gets replaced by vnum from the build rule
2010-08-09 12:27:23 +10:00
Andrew Bartlett
4b47245a9d s4:ntlmssp Merge more aspects of the source3/ NTLMSSP layer
This changes the talloc treatment of the session keys to avoid
memory duplication - the session key has always been allocated
onto the ntlmssp_context by the auth subsystem callback.

The remainder of the changes are cosmetics, such as avoiding
using lm_session_key as a pointer (and avoiding then doing an
if statement on something that is always true).

Andrew Bartlett
2010-08-07 18:56:35 +10:00
Andrew Bartlett
6644f48d72 s4:ntlmssp Re-add gensec_ntlmssp wrapper to allow merge with source3/
By re-adding this wrapper, the actual guts of these functions are now very
similar to that found in source3/libsmb/ntlmssp.c

This should make it easier to merge the implementations.

Andrew Bartlett
2010-08-07 18:39:48 +10:00
Andrew Bartlett
1979486c8e s4:ntlmssp Always setup the session keys and signing state
While it would save some CPU to only setup the session key when
requested (like windows does), this instead matches the
implementation in source3/libsmb/ntlmssp.c

We could re-add this later after the codebase is merged.

Andrew Bartlett
2010-08-07 18:39:47 +10:00
Andrew Bartlett
a2607a62f3 s4:ntlmssp Adjust Samba4 ntlmssp code to look more like the code in Samba3.
This does not change behaviour, and some of the whitespace isn't ideal, but
at the moment making this code more similar, even in cosmetics, will assist
later merge efforts.

Andrew Bartlett
2010-08-06 16:14:11 +10:00
Andrew Tridgell
6b266b85cf s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 18:24:27 +10:00
Nadezhda Ivanova
ee56f74cae Fixed system_session_anon to actually make an anonymous session
It seems that because the flag is false, this always used the supplied credentials
rhather than establish anonymous connection.
2010-07-14 10:30:40 +03:00
Matthias Dieter Wallnöfer
bf844aed5b s4:auth/session.c - suppress a warning when freeing "group_string" 2010-06-30 09:38:12 +02:00
Anatoliy Atanasov
2821abee1f s4:auth/session.c - free "group_string" when not needed
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-06-30 09:17:06 +02:00
Matthias Dieter Wallnöfer
2198831e6b Revert "s4/auth: Fixed authsam_expand_nested_groups() to find entry SID if not available in the DN."
This reverts commit fa9557fee3.

See post "Endi's Bug 7530 patches (LDAP backend)" on samba-technical.
2010-06-29 15:14:01 +02:00
Andrew Bartlett
f41e711097 s4:auth Query LDB for msds-SupportedEncryptionTypes for the KDC
The KDC needs this to determine what encryption types an entry supports

Andrew Bartlett
2010-06-29 16:59:30 +10:00
Andrew Bartlett
5167b97ff2 s4:kerberos Add functions to convert msDS-SupportedEncryptionTypes
This will allow us to interpret this attibute broadly in Samba.

Andrew Bartlett
2010-06-29 16:59:30 +10:00
Andrew Bartlett
94637e5fe4 s4:provision Add an msDS-SupportedEncryptionTypes entry to our DC
This ensures that our DC will use all the available encyption types.

(The KDC reads this entry to determine what the server supports)

Andrew Bartlett
2010-06-29 16:59:22 +10:00
Matthias Dieter Wallnöfer
b6eb17eb1e s4:auth/sam.c - "authsam_expand_nested_groups" - small performance improvement
We can save one search operation if "only_childs" is false and when we had no
SID passed as extended DN component.
2010-06-28 20:31:37 +02:00
Matthias Dieter Wallnöfer
a782eaa2fd s4:auth/sam.c - "authsam_expand_nested_groups" - cosmetic/comments 2010-06-28 20:31:37 +02:00
Matthias Dieter Wallnöfer
03ffed73db s4:auth/sam.c - "authsam_expand_nested_groups" - use "dsdb_search_dn" where possible
And always catch LDB errors
2010-06-28 20:31:37 +02:00
Endi S. Dewata
fa9557fee3 s4/auth: Fixed authsam_expand_nested_groups() to find entry SID if not available in the DN.
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-06-28 19:33:44 +02:00
Matthias Dieter Wallnöfer
0f45536279 s4:auth/gensec/gensec_gssapi.c - reorder constructor
To have the same order as in the structure definition.
2010-06-24 15:13:40 +02:00
Andrew Tridgell
4cb423f527 s4-python: python is not always in /usr/bin
Using "#!/usr/bin/env python" is more portable. It still isn't ideal
though, as we should really use the python path found at configure
time. We do that in many places already, but some don't.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-24 18:46:57 +10:00
Wilco Baan Hofman
3895b8fbf8 Revert "Add old functionality back which was removed in commit 589a42e2."
This reverts commit 94e3b4a0d8b714c101803886d60ae6c484740d2f.

Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-06-20 17:19:12 +02:00
Wilco Baan Hofman
626db5c3b5 Add old functionality back which was removed in commit 589a42e2.
Andrew, please review!

Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-06-20 17:19:10 +02:00