1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

258 Commits

Author SHA1 Message Date
Andreas Schneider
ef12caea07 auth:creds: Add python bindings for (get|set)_smb_ipc_signing
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:41 +00:00
Andreas Schneider
71d65278e1 auth:creds: Add cli_credentials_(get|set)_smb_ipc_signing()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:41 +00:00
Andreas Schneider
098774b244 auth:creds: Add python bindings for (get|set)_smb_signing
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:40 +00:00
Andreas Schneider
58e0abc58f auth:creds: Add cli_credentials_(get|set)_smb_signing()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:40 +00:00
Andreas Schneider
59a1272a6c auth:creds: Remove unused credentials autoproto header
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:40 +00:00
Stefan Metzmacher
e913503540 auth:creds: Introduce CRED_SMB_CONF
We have several places where we check '> CRED_UNINITIALISED',
so we better don't use CRED_UNINITIALISED for values from
our smb.conf.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-08-19 16:22:40 +00:00
Volker Lendecke
546a0f99e8 auth: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug 17 20:59:51 UTC 2020 on sn-devel-184
2020-08-17 20:59:51 +00:00
Gary Lockyer
13a2f70a4d Fix clang 9 missing-field-initializer warnings
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-05-08 09:31:31 +00:00
Andrew Bartlett
5c1867ba45 py3: Remove #define PyInt_FromLong PyLong_FromLong
This allows us to end the use of Python 2/3 compatability macros.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power
2020-03-23 19:12:43 +00:00
Andrew Bartlett
8fbdff5c3d auth/credentials: Test connecting to LDAP with a "virtual user" style account
This type of account is often used by e-mail hosting platforms
that do not wish to create an AD domain for each DNS domain that
they host mail for.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13598

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2020-02-14 15:47:41 +00:00
Douglas Bagnall
c247afbda0 pytests: heed assertEquals deprecation warning en-masse
TestCase.assertEquals() is an alias for TestCase.assertEqual() and
has been deprecated since Python 2.7.

When we run our tests with in python developer mode (`PYTHONDEVMODE=1
make test`) we get 580 DeprecationWarnings about this.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2020-02-07 10:37:37 +00:00
Isaac Boukris
a5548af018 smbdes: convert E_P24() and SMBOWFencrypt to use gnutls
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 00:30:30 +00:00
Andreas Schneider
d3fffca5e9 auth:pycreds: Check return code of netlogon_creds_client_authenticator()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 08:01:44 +00:00
Andrew Bartlett
fefd95091c auth/credentials: Check NTSTATUS return from netlogon_creds_aes_encrypt()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-08-21 09:57:30 +00:00
Douglas Bagnall
a5e8a5e05b auth/pycreds/encrypt_netr_crypt_password: don't pretend arg is optional
The "|O" signature is saying the password argument is optional, which
makes no sense in terms of the funxtion and immediately leads to a
TypeError (or until last commit, segfault). Removing the "|" leaves it
with a TypeError, but it is better worded and faster.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-22 22:20:26 +00:00
Douglas Bagnall
f8fb6f3261 auth/pycreds/encrypt_netr_crypt_password: don't segfault
Non-talloc objects were treated as talloc objects, to no good effect

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-22 22:20:26 +00:00
Douglas Bagnall
0d0a88fc6a pycredentials.h: use import to ensure python type correctness
Because we include pyrpc_util.h, pycredentials doesn't need its own
PyStringFromStringOrNull().

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-22 22:20:26 +00:00
Douglas Bagnall
c9c1d44488 auth/pycredentials: always check self is a Credentials object
This prevents a segfault with

    credentials.Credentials.guess(x)

where x is not a Credentials object.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-22 22:20:25 +00:00
Andreas Schneider
67e6a9af2c libcli:auth: Return NTSTATUS for netlogon_creds_arcfour_crypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-27 12:54:23 +00:00
Andrew Bartlett
8f4c30f785 lib/crypto: move gnutls error wrapper to own subsystem
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-06-27 12:54:22 +00:00
Andrew Bartlett
34f9a089d8 py3: Remove PyStr_FromString() compatability macro
We no longer need Samba to be py2/py3 compatible so we choose to return to the standard
function names.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2019-06-24 17:24:27 +00:00
Andreas Schneider
b21af2f173 auth:creds: Use gnutls_error_to_ntstatus() in credentials_ntlm
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-24 06:11:17 +00:00
Andreas Schneider
d3ea318ba0 auth:creds: Use GnuTLS MD5 in ntlm creds
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-21 00:03:21 +00:00
Noel Power
cbdd3d0c26 squash 'cast between incompatible function types' warning
To avoid warning above produced by using
-Wcast-function-type we;

  + ensure PyCFunctions of type METH_NOARGS defined dummy arg
  + ensure PyCFunctions of type METH_KEYWORDS use PY_DISCARD_FUNC_SIG
    macro

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-05-16 17:55:17 +00:00
Douglas Bagnall
4954a96e45 auth/creds/torture: add a test showing segfault
This file isn't actually run...

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-09 22:39:27 +00:00
Douglas Bagnall
2bd79a0cd0 auth/creds/guess: avoid segfault with NULL lp (CID 241187)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-09 22:39:27 +00:00
Samuel Cabrero
d88f1c82b2 credentials: Workaround krb5_cc_remove_cred not implemented in MIT kerberos
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Apr 29 19:15:48 UTC 2019 on sn-devel-184
2019-04-29 19:15:48 +00:00
Samuel Cabrero
937ad9d2a0 credentials: Initialize krb5 client to retrieve creds from ccache
MIT kerberos require krb5_creds.client to be initialized to match
krb5_creds.server with the cached credentials.

Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-04-29 18:10:09 +00:00
Andreas Schneider
5c7f0a6902 auth:creds: Prefer the principal over DOMAIN/username when using NTLM
If we want to authenticate using -Wadmin@otherdomain the DC should do
take care of the authentication with the right DC for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-02 01:12:10 +00:00
Andrew Bartlett
fdb6305c86 build: Remove bld.gen_python_environments()
This was part of --extra-python support.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2019-03-21 04:06:14 +00:00
Noel Power
a8e10a1249 Decrement references to python objects passed to Py_BuildValue
Py_BuildValue when processing format 'O' will
  'Pass a Python object untouched (except for its reference count,
   which is incremented by one'

Basically this means if you are using a new reference to a PyObject
to pass to BuildValue (to be used with the 'O' format) the reference
*isn't* stolen so you really do need to DECREF it in order to ensure
it gets cleaned up.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-02-07 13:44:30 +01:00
Andreas Schneider
246f7dd762 auth:creds: Use C99 initializer for PyMethodDef
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-01-28 10:29:21 +01:00
Noel Power
efc4570d6f auth/credentials: use 'et' as format for ParseTuple with python2
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-01-13 00:40:26 +01:00
Joe Guo
edfb6cb822 PY3: change shebang to python3 in misc dirs
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Dec 14 18:00:40 CET 2018 on sn-devel-144
2018-12-14 18:00:40 +01:00
Noel Power
cc11f71820 auth/credentials/tests: Python 3.6 avoid deepcopy error
In PY3 both deepcopy & (shallow)copy fail with

  Traceback (most recent call last):
    File "auth/credentials/tests/bind.py", line 42, in <module>
      creds_machine = copy.copy(creds)
    File "/usr/lib64/python3.6/copy.py", line 96, in copy
      rv = reductor(4)
  TypeError: can't pickle credentials.Credentials objects

This patch avoids the nasty copies but creating and populating the
Credential objects instead of copying

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-12-10 10:38:24 +01:00
Noel Power
9b18748c70 auth/credentials: PY3 set_password should decode from unicode 'utf8'
set_password processes input using ParseTuple with "s" format, this
accepts string or unicode but...

Some py2 code is incorrectly using code like

   credentials.set_password(pass.encode('utf8'))

however that won't work in PY3. We should just make sure the string
retrieved from unicode passed in is encoded with 'utf8'
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-12-10 10:38:21 +01:00
Volker Lendecke
a167014554 krb5_wrap: Add a talloc_ctx to smb_krb5_principal_get_realm()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-11-28 17:44:15 +01:00
Volker Lendecke
c39526eb7d credentials: Remove an unnecessary talloc_steal()
ccc was already allocated off cred, this talloc_steal was a no-op.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-11-28 17:44:14 +01:00
Volker Lendecke
730beac162 credentials: Fix set_ccache with empty creds cache
This is an extension of bb2f7e3aee: Without this fix in the
"empty ccache" case we never set cred->ccache, so the whole call to
cli_credentials_set_ccache became pointless

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-11-28 17:44:14 +01:00
Volker Lendecke
c59f5f2977 credentials: Fix an error path memleak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-11-28 17:44:14 +01:00
Volker Lendecke
f43ac073b2 credentials: Only do shallow copies of valid ccaches
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-11-28 17:44:14 +01:00
Douglas Bagnall
3d5ba7fcfa auth/cred/tests/bind: remove unused import
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2018-10-25 21:45:56 +02:00
Noel Power
e8fec94827 PY3: fix "TabError: inconsistent use of tabs and spaces"
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-09-27 01:54:27 +02:00
Noel Power
3fd9b77ad4 auth/credentials: py2/py3 credential key needs to return bytes
new_client_authenticator returns a dictionary. The key
'credential' needs to return bytes in Python3, without this
change the the code will attempt to convert the binary data to
a string (resulting sometimes in decode errors).

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-09-05 23:27:12 +02:00
Alexander Bokovoy
f3e349bebc krb5-samba: interdomain trust uses different salt principal
Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where
DOMAIN is the sAMAccountName without the dollar sign ($)

The salt principal for the BLA$ user object was generated wrong.

dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
trustDirection: 3
trustPartner: bla.base
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: BLA

dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
userAccountControl: 2080
primaryGroupID: 513
objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
accountExpires: 9223372036854775807
sAMAccountName: BLA$
sAMAccountType: 805306370
pwdLastSet: 131485652467995000

The salt stored by Windows in the package_PrimaryKerberosBlob
(within supplementalCredentials) seems to be
'W4EDOM-L4.BASEkrbtgtBLA' for the above trust
and Samba stores 'W4EDOM-L4.BASEBLA$'.

While the salt used when building the keys from
trustAuthOutgoing/trustAuthIncoming is
'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correct.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep  5 03:57:22 CEST 2018 on sn-devel-144
2018-09-05 03:57:22 +02:00
Joe Guo
115f2a71b8 PEP8: fix E305: expected 2 blank lines after class or function definition, found 1
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-08-24 07:49:30 +02:00
Joe Guo
211c9a5f85 PEP8: fix E302: expected 2 blank lines, found 1
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-08-24 07:49:29 +02:00
Joe Guo
5d532543ab PEP8: fix E128: continuation line under-indented for visual indent
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-08-24 07:49:27 +02:00
Joe Guo
bbb9f57603 PEP8: fix E127: continuation line over-indented for visual indent
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-08-24 07:49:26 +02:00
Noel Power
26c4084ad2 auth/credentials/test: py2/py3 compat always decode result of b64encode
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun May 13 00:24:35 CEST 2018 on sn-devel-144
2018-05-13 00:24:35 +02:00
Joe Guo
656ec98e5b pycredentials: add py_creds_get_secure_channel_type
We have only set, need get.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-05-12 02:09:28 +02:00
Douglas Bagnall
a66f941619 auth/pycredentials: correct spelling of reponse
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-05 04:32:42 +02:00
Volker Lendecke
1aeac2f85d dbwrap: Remove calls to loadparm
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:19 +02:00
Volker Lendecke
7f09fd2b4c credentials: Call dbwrap_local_open with the correct tdb_flags
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:18 +02:00
Volker Lendecke
7e183a22a7 credentials: Call dbwrap_local_open with the correct hash size
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:18 +02:00
Noel Power
4a58393b2b wscript_build: make sure we link extra-python versions of libraries
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-04-13 07:27:11 +02:00
Volker Lendecke
dff196a157 credentials: Fix CID 1414796 Explicit null dereferenced
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 11 21:58:00 CEST 2018 on sn-devel-144
2018-04-11 21:58:00 +02:00
Volker Lendecke
7a9df79660 credentials: Fix line length
... just because I'll modify that line in the next commit

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 19:07:24 +02:00
Volker Lendecke
56a8739e22 credentials: Revert "credentials: Fix CID 1414796 Explicit null dereferenced"
This reverts commit 90c02ec64d.

We have code to take care of password==NULL, this CID must be fixed in a
different way

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 19:07:24 +02:00
Volker Lendecke
cc746385bf credentials: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-05 01:10:09 +02:00
Volker Lendecke
90c02ec64d credentials: Fix CID 1414796 Explicit null dereferenced
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-05 01:10:09 +02:00
Noel Power
7b897d6d1c auth/credentials/test: convert print func to be py2/py3 compatible
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-23 07:28:24 +01:00
Andreas Schneider
654a66b72d auth:credentials: Avoid an 'else' branch
This moves the 'return' statement to the end of the 'case' and makes clear
we leave here.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 14:49:45 +01:00
Andreas Schneider
9a971bcd07 auth:credentials: Add FALL_THROUGH statements in credentials.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 14:49:45 +01:00
Andreas Schneider
d123638a82 auth:credentials: Add FALL_THROUGH statements in credentials_secrets.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Garming Sam
2e49a97777 tests/bind.py: Add a bind test with NTLMSSP with no domain
Confirmed to pass against Windows 2012 R2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-22 23:15:17 +01:00
kkplein
d39664fc66 define DBGC_AUTH class
Signed-off-by: Mourik Jan C Heupink <heupink@merit.unu.edu>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-08 03:34:17 +01:00
Andreas Schneider
11239f0759 credentials: Simplify cli_credentials_get_server_gss_creds()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan  3 14:37:12 CET 2018 on sn-devel-144
2018-01-03 14:37:12 +01:00
Stefan Metzmacher
7074a1b7e0 CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-09-20 13:04:10 +02:00
Volker Lendecke
adf46ff0ea cli_credentials: Apply some const
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Sep 16 12:28:17 CEST 2017 on sn-devel-144
2017-09-16 12:28:17 +02:00
Volker Lendecke
1e4c32e3ff cli_credentials: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep  7 05:56:14 CEST 2017 on sn-devel-144
2017-09-07 05:56:14 +02:00
Volker Lendecke
f8b491fac4 cli_credentials: Fix a return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Sep  5 23:06:42 CEST 2017 on sn-devel-144
2017-09-05 23:06:41 +02:00
Andrew Bartlett
dc940ad0e0 pycredentials: Add set_named_ccache()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-07-28 00:25:14 +02:00
Andrew Bartlett
9dd89361c2 pycredentials: Add get_name() for a credentials cache
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-28 00:25:13 +02:00
Andrew Bartlett
35cbed2934 pycredentials: Allow optional "name" argument to get_named_ccache() to be missing
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-07-28 00:25:13 +02:00
Stefan Metzmacher
5d99f9bb62 auth/credentials: remove unused smb_krb5_create_salt_principal()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:47 +02:00
Stefan Metzmacher
3e33fb8a37 auth/credentials: make use of smb_krb5_salt_principal() in cli_credentials_get_keytab()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:47 +02:00
Gary Lockyer
8c909cd7fa pycredentials: Add support for netr_crypt_password
Add code to encrypt a netr_CryptPassword structure with the current
session key.  This allows the making of Netr_ServerPasswordSet2 calls
from python.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-22 08:56:22 +02:00
Gary Lockyer
b68a3374a5 pycredentials: add function to return the netr_Authenticator
Add method new_client_authenticator that returns data to allow a
netr_Authenticator to be constructed.
Allows python to make netr_LogonSamLogonWithFlags,
netr_LogonGetDomainInfo and similar calls

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-22 08:56:22 +02:00
Gary Lockyer
610919e5e6 auth pycredentials: incorrect PyArg_ParseTupleAndKeywords call
The challenge parameter was being treated as a string rather than as a
data blob.  This was causing intermittent seg faults. Removed the
server_timestamp parameter as it's not currently used.

Unable to produce a test case to reliably replicate the failure.
However auth_log_samlogon does flap

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:13 +02:00
Gary Lockyer
ee0eb1daa3 auth pycredentials: correct docstring of get_ntlm_response method
Fix copy paste error was incorrectly named "get_ntlm_username_domain"

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
68ccebfa59 auth_log: Add test that execises the SamLogon python bindings
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Petr Viktorin
40e409bf9e python3: Use "y#" instead of "s#" for binary data in PyArg_ParseTuple
The "s#" format code for PyArg_ParseTupleAndKeywords and Py_BuildValue
converts a char* and size to/from Python str (with utf-8 encoding under
Python 3).
In some cases, we want bytes (str on Python 2, bytes on 3) instead. The
code for this is "y#" in Python 3, but that is not available in 2.

Introduce a PYARG_BYTES_LEN macro that expands to "s#" or "y#", and use
that in:
- credentials.get_ntlm_response (for input and output)
- ndr_unpack argument in PIDL generated code

Signed-off-by: Petr Viktorin <pviktori@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-19 22:20:15 +02:00
Jan Engelhardt
e5f2dfacae build: correct package dependencies
The wscript_build files convey what header files belong to which
logical package. For example,

    # lib/util/wscript_build:
    bld.SAMBA_LIBRARY('samba-util',
                      public_headers='... data_blob.h ...'

    # auth/credentials/wscript_build:
    bld.SAMBA_LIBRARY('samba-credentials',
                      public_headers='credentials.h',

Now, credentials.h #includes <util/data_blob.h> and therefore,
samba-credentials.pc must have a Requires: samba-util.

Similarly for other parts.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-04-18 18:54:13 +02:00
Andrew Bartlett
43f52fc425 pycredentials: Add bindings for get_ntlm_response()
This should make testing of SamLogon from python practical

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:29 +02:00
Lumir Balhar
fe8bba5f81 python: wscript_build: Build some modules for Python 3
Update a few wscript_build files to build Python 3-compatible modules
for Python 3.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:11 +01:00
Lumir Balhar
1dab2b493e python: samba.credentials: Port pycredentials.c to Python3-compatible form.
Port Python bindings of samba.credentials module to
Python3-compatible form using macros from py3compat.h.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:10 +01:00
Alexander Bokovoy
ca8fd79393 credentials_krb5: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-08 18:00:11 +01:00
Stefan Metzmacher
b845f16d3c auth/credentials: try to use kerberos with the machine account unless we're in an AD domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-24 18:40:14 +01:00
Aurelien Aptel
669d2152cb auth: fix mem leak & use appropriate free function
coverity fix.

cli_credentials_set_principal does a strdup, we want to free 'name'
regardless of the result in 'ok'.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-02-01 01:26:12 +01:00
Andreas Schneider
f981e2c980 credentials: Create a smb_gss_krb5_copy_ccache() function
This sets the default principal on the copied ccache if it hasn't been
set yet.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-01-12 15:35:13 +01:00
Stefan Metzmacher
4b295b106c wscript: remove executable bits for all wscript* files
These files should not be executable.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144
2017-01-11 20:21:01 +01:00
Andreas Schneider
30c0706530 auth/credentials: Always set the the realm if we set the principal from the ccache
This fixes a bug in gensec_gssapi_client_start() where an invalid realm
is used to get a Kerberos ticket.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-01-10 13:54:17 +01:00
Stefan Metzmacher
2a2c03c655 auth/credentials: remove const where we always return a talloc string
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-10 13:54:17 +01:00
Andreas Schneider
630867196b auth/credentials: Add missing error code check for MIT Kerberos
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-24 17:16:06 +01:00
Andreas Schneider
ae5e654f88 auth/credentials: Add NULL check to free_dccache()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 13:52:09 +01:00
Andreas Schneider
c406bf6cd6 auth/credentials: Add NULL check in free_mccache()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 13:52:09 +01:00
Andreas Schneider
d1ad71ef9f auth/credentials: Move function to free ccaches to the top
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 13:52:09 +01:00
Andreas Schneider
59cc352ac6 auth/credentials: Add talloc NULL check in cli_credentials_set_principal()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 13:52:09 +01:00
Stefan Metzmacher
05e8bfdc95 auth/credentials: change the parsing order of cli_credentials_parse_file()
We now first just remember the domain, realm, username, password values
(the last value wins).

At the end we call cli_credentials_set_{realm,domain,password}()
followed by cli_credentials_parse_string() for 'username'.

It means the last 'username' line beats the domain, realm or password lines, e.g.:

 username=USERDOMAIN\username
 domain=DOMAIN

will result in cli_credentials_get_domain() returning "USERDOMAIN" instead of
DOMAIN.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-20 01:11:24 +01:00