mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

24 Commits

Author SHA1 Message Date
Andrew Bartlett
6fe8b2f608 r2119: Noticed by jra:
Clean up use of uninitialised variable.

Andrew Bartlett
(This used to be commit e8d0246882)
2007-10-10 12:58:26 -05:00
Andrew Bartlett
5a4845ff8b r1752: Fix compile bugs on C (rather than C++) tolerant compilers.
Andrew Bartlett
(This used to be commit 0949b72645)
2007-10-10 12:57:53 -05:00
Andrew Bartlett
1c9216f36c r1731: Add server-side SPNEGO support to Samba (disabled, until SMB signing
is reworked).

Andrew Bartlett
(This used to be commit 73ee549b8c)
2007-10-10 12:57:51 -05:00
Andrew Bartlett
188a8014ea r1605: GENSEC krb5 updates - fix a valgrind found uninitialised variable, and
allow tests for 'unwrapped' krb5, allowed by Win2k3.

SPNEGO changes, trying to get the logic right (when and what
sub-mechanisms to wrap).

Andrew Bartlett
(This used to be commit 8a0f7bf5e2)
2007-10-10 12:57:44 -05:00
Andrew Bartlett
b3c46674a6 r1521: Updates to our SMB signing code.
- This causes our client and server code to use the same core code,
  with the same debugs etc.
- In turn, this will allow the 'mandatory/fallback' signing algorithms
  to be shared, and only written once.

Updates to the SPNEGO code
- Don't wrap an empty token to the server, if we are actually already finished.

Andrew Bartlett
(This used to be commit 35b83eb329)
2007-10-10 12:57:39 -05:00
Andrew Bartlett
ed03516c91 r1475: More kerberos work
- We can now connect to hosts that follow the SPNEGO RFC, and *do not*
give us their principal name in the mechListMIC.
 - The client code now remembers the hostname it connects to

- We now kinit for a user, if there is no valid ticket already

- Re-introduce clock skew compensation

TODO:
 - See if the username in the ccache matches the username specified
 - Use a private ccache, rather than the global one, for a 'new' kinit
 - Determine 'default' usernames.
  - The default for Krb5 is the one in the ccache, then $USER
  - For NTLMSSP, it's just $USER

Andrew Bartlett
(This used to be commit de5da66939)
2007-10-10 12:57:34 -05:00
Andrew Bartlett
88002b851b r1462: GENSEC Kerberos and SPNEGO work:
- Spelling - it's SPNEGO, not SPENGO
 - SMB signing - Krb5 logins are now correctly signed
 - SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not.

Andrew Bartlett
(This used to be commit cea578d6f3)
2007-10-10 12:57:32 -05:00
Jelmer Vernooij
396a729686 r1449: Use the config system somewhat better in libcli/auth
(This used to be commit 69de0d95c5)
2007-10-10 12:56:57 -05:00
Stefan Metzmacher
7caf17319a r1421: fix an uninitialized var (thanks valgrind:-)
add a few debug messages

metze
(This used to be commit 79953dccc1)
2007-10-10 12:56:54 -05:00
Andrew Bartlett
e59e82b902 r1372: Remove the 'default' case from the SPNEGO state machine, and fix up
some compiler warnings that allowed us to see.

Andrew Bartlett
(This used to be commit 1a6c2018dd)
2007-10-10 12:56:53 -05:00
Stefan Metzmacher
7c139a6815 r1367: SPNEGO now uses gensec_subcontext_start() in all places
metze
(This used to be commit f737932402)
2007-10-10 12:56:53 -05:00
Stefan Metzmacher
4b7cd833a0 r1366: handle the case where the client needs to send the negTokenInit before
getting something from the server.
(this is needed by SPNEGO in dcerpc)

metze
(This used to be commit ec978555f0)
2007-10-10 12:56:53 -05:00
Stefan Metzmacher
c688a1e18f r1365: in SPNEGO_SERVER_TARG we should not check the spnego_negResult
because the client doesn't send this

metze
(This used to be commit b1217a4ef6)
2007-10-10 12:56:53 -05:00
Stefan Metzmacher
6f0d8e67ff r1364: the SPNEGO_SERVER_TARG state is different from the SPNEGO_CLIENT_TARG
the client checks but does not send spnego_negResult

metze
(This used to be commit 49e4d375e9)
2007-10-10 12:56:53 -05:00
Stefan Metzmacher
1432bb01f3 r1360: - remove unused state SPNEGO_CLIENT_SEND_MECHS
- remove unused gensec_user forward, it's done by the gensec layer now

metze
(This used to be commit e19e5a91f2)
2007-10-10 12:56:53 -05:00
Andrew Bartlett
14e8aab182 r1358: Re-indent the SPNEGO implementation, and work on the basis of a
switch, rather than a series of if statements.

Also start to use the GENSEC subcontexts, and add some comments
explaining some of the 'odd' logic in parts.

I'll probably break these out into subfunctions soon.

Thanks to metze for getting me to do this :-)

Andrew Bartlett
(This used to be commit 73e03596d3)
2007-10-10 12:56:53 -05:00
Stefan Metzmacher
49d6c46fa3 r1350: - init nt_status- found by valgrind
- set auth_type = DCERPC_AUTH_TYPE_SPNEGO

metze
(This used to be commit 7354521f3c)
2007-10-10 12:56:52 -05:00
Stefan Metzmacher
fff5d40ab5 r1347: - remove typedef
- pass down gensec_user to the sub context

- fix segfault when mechType is NULL

metze
(This used to be commit 3f84263c27)
2007-10-10 12:56:51 -05:00
Stefan Metzmacher
50ce5fd990 r1346: revert my last spnego changes
metze
(This used to be commit 7b8237bfb3)
2007-10-10 12:56:51 -05:00
Stefan Metzmacher
8bebc53df8 r1344: add gensec_start_mech_by_name()
some gensec spnego fixes
(NULL pointer and length checks)

metze
(This used to be commit 41ff6d0cd4)
2007-10-10 12:56:51 -05:00
Andrew Bartlett
dc9f55dbec r1294: A nice, large, commit...
This implements gensec for Samba's server side, and brings gensec up
to the standards of a full subsystem.

This means that use of the subsystem is by gensec_* functions, not
function pointers in structures (this is internal).  This causes
changes in all the existing gensec users.

Our RPC server no longer contains its own generalised security
scheme, and now calls gensec directly.

Gensec has also taken over the role of auth/auth_ntlmssp.c

An important part of gensec, is the output of the 'session_info'
struct.  This is now reference counted, so that we can correctly free
it when a pipe is closed, no matter if it was inherited, or created by
per-pipe authentication.

The schannel code is reworked, to be in the same file for client and
server.

ntlm_auth is reworked to use gensec.

The major problem with this code is the way it relies on subsystem
auto-initialisation.  The primary reason for this commit now is to
allow these problems to be looked at, and fixed.

There are problems with the new code:
- I've tested it with smbtorture, but currently don't have VMware and
  valgrind working (this I'll fix soon).
- The SPNEGO code is client-only at this point.
- We still do not do kerberos.

Andrew Bartlett
(This used to be commit 07fd885fd4)
2007-10-10 12:56:49 -05:00
Stefan Metzmacher
68e8c18e33 r1229: the name of the protocol should be in first place of a function name
rename <read|write|free>_spnego_data() into
spnego_<read|write|free>_data

metze
(This used to be commit 3f57c8f596)
2007-10-10 12:56:46 -05:00
Andrew Bartlett
be081037e0 r1200: Add 'gensec', our generic security layer.
This layer is used for DCERPC security, as well as ntlm_auth at this
time.  It expect things like SASL and the CIFS layer to use it as
well.

The particular purpose of this layer is to introduce SPNEGO, which
needs generic access to the actual implementation mechanisms.

Schannel, due to its 'interesting' setup properties is in GENSEC, but
is only in the RPC code.

Andrew Bartlett
(This used to be commit 902af49006)
2007-10-10 12:56:44 -05:00
Andrew Bartlett
bf598954f7 r1198: Merge the Samba 3.0 ntlm_auth, including the kerberos and SPNEGO parts.
I have moved the SPNEGO and Kerberos code into libcli/auth, and intend
to refactor them into the same format as NTLMSSP.

Andrew Bartlett
(This used to be commit 58da78a746)
2007-10-10 12:56:44 -05:00