1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1815 Commits

Author SHA1 Message Date
Stefan Metzmacher
f0afefefe4 s4:gensec_gssapi: pass gss_got_flags to gssapi_get_sig_size()
We need to calculate the signature length based on the negotiated
flags. This is most important on the server side where,
gss_accept_sec_context() doesn't get gss_want_flags, but fills
gss_got_flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:12 +02:00
Stefan Metzmacher
cca980eb51 s4:gensec_krb5: also report support for GENSEC_FEATURE_SIGN as krb5_mk_priv() provides sign and seal
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:12 +02:00
Andreas Schneider
28eae08ef7 gensec_krb5: Implement smb_krb5_rd_req_decoded() with MIT Kerberos
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Sep 29 11:56:41 CEST 2016 on sn-devel-144
2016-09-29 11:56:41 +02:00
Andreas Schneider
64b2b0dacd gensec_krb5: Create a MIT Kerberos gensec_krb5_session_info()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2016-09-29 08:02:18 +02:00
Volker Lendecke
0a42a4c14b wbclient: "ev" is no longer used in wbc_sids_to_xids
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-28 00:04:36 +02:00
Andreas Schneider
4a8b588dc0 gensec_krb5: Do not leak memory of target_principal
CID 1372504

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep  9 04:20:04 CEST 2016 on sn-devel-144
2016-09-09 04:20:04 +02:00
Andreas Schneider
2ac297562f krb5_wrap: Rename kerberos_kinit_s4u2_cc()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:16 +02:00
Andreas Schneider
696cfcb3c0 krb5_wrap: Rename kerberos_kinit_password_cc()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:16 +02:00
Andreas Schneider
15c5dd700c krb5_wrap: Rename kerberos_kinit_keyblock_cc()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:16 +02:00
Andreas Schneider
1877950250 krb5_wrap: Rename get_krb5_smb_session_key()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:14 +02:00
Andreas Schneider
e8632e2af5 krb5_wrap: Rename kerberos_free_data_contents()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:13 +02:00
Andreas Schneider
81917a1162 krb5_wrap: Rename setup_kaddr()
Use a better and consistent name and switch the arguments to reflect the
name.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:13 +02:00
Andreas Schneider
faa3bef690 gensec_krb5: Use get_krb5_smb_session_key() in gensec_krb5_session_key()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Aug 30 15:24:02 CEST 2016 on sn-devel-144
2016-08-30 15:24:02 +02:00
Andreas Schneider
7f9a075d9c gensec_krb5: Use implementation idependent krb5_mk_req_extended()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-30 11:34:15 +02:00
Andreas Schneider
739a7adaef gensec_krb5: Use kerberos_free_data_contents() to free krb5 data
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-30 11:34:15 +02:00
Andreas Schneider
8268501972 gensec_krb5: Only set the event context with Heimdal
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-30 11:34:15 +02:00
Andreas Schneider
7ea7b60649 gensec_krb5: Use krb5_wrap setup_kaddr() to convert address
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-30 11:34:15 +02:00
Andreas Schneider
ab8628ac7a gensec_krb5: Rename smb_rd_req_return_stuff()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-30 11:34:14 +02:00
Andreas Schneider
de224d7006 gensec_krb5: Rename gensec_krb5_util to gensec_krb5_heimdal
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-30 11:34:14 +02:00
Stefan Metzmacher
8b1f5cad95 auth/auth_sam_reply: fill user_principal_* and dns_domain_name in make_user_info_dc_pac()
This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:22 +02:00
Stefan Metzmacher
3eba60aa65 auth/wbc_auth_util: change wbcAuthUserInfo_to_netr_SamInfo* from level 3 to 6
This includes user_principal_name and dns_domain_name.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
b67ea0e123 s4:auth/kerberos: improve error message in kerberos_pac_to_user_info_dc()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
6257003dff s4:auth: fill user_principal_* and dns_domain_name in authsam_make_user_info_dc()
This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
432e83bf5b s4:auth: make use of lpcfg_sam_name() in authsam_get_user_info_dc_principal()
This is more generic and matches all other places.

As this is only used in the KDC it's not a real logic change.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
853c2a6d8a s4:auth/sam: update the logonCount for interactive logons
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
869616ceb9 s4:auth/sam: don't update lastLogon just because it's 0 currently
Non interactive logons doesn't trigger an update
unless the (effective) badPwdCount is not 0 and lockoutTime is 0.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
1acd477960 s4:auth/sam: only reset badPwdCount when the effetive value is not 0 already
Non interactive logons doesn't reset badPwdCount to 0
when the effective badPwdCount is already 0
(with (badPasswordTime + lockOutObservationWindows) < now).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
b73cb40dd2 s4:auth_sam: don't allow interactive logons with UF_SMARTCARD_REQUIRED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Stefan Metzmacher
9be4860511 s4:auth/sam: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()
The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Andreas Schneider
a737efe2bd s4-ntlm: Fix a NULL pointer dereference in error path
Found by clang compiler.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 22 23:21:33 CEST 2016 on sn-devel-144
2016-06-22 23:21:33 +02:00
Stefan Metzmacher
d247dceaaa s4:auth_anonymous: anonymous authentication doesn't allow a password
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-28 16:51:16 +02:00
Stefan Metzmacher
8704958fb3 s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-28 16:51:15 +02:00
Stefan Metzmacher
4c4829634f CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:23 +02:00
Stefan Metzmacher
0f6713826d s4:pygensec: make sig_size() and sign/check_packet() available
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:27 +01:00
Aurelien Aptel
34ae5c5083 s4/auth/ntlm/auth_unix.c: add parens
operator | has lower precedence than ?:
so add parens to have the expected result.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-03-10 00:08:11 +01:00
Andrew Bartlett
ffc7536330 pyauth: Use pytalloc_BaseObject_PyType_Ready()
This changes pyauth to use talloc.BaseObject() just like the PIDL output

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-03-08 01:58:29 +01:00
Andrew Bartlett
0f35167d76 pygensec: Use pytalloc_BaseObject_PyType_Ready()
This changes pygensec to use talloc.BaseObject() just like the PIDL output

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-03-08 01:58:29 +01:00
Andrew Bartlett
ec5d63f9ed pygensec: Use pytalloc_steal() in gensec_start_{client,server}()
This is better than casting to get to the pytalloc_Object structure directly

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-03-08 01:58:29 +01:00
Michael Adam
476672b647 dlist: remove unneeded type argument from DLIST_ADD_END()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-02-06 21:48:17 +01:00
Jelmer Vernooij
da8674c72a Rename 'errors' to 'samba-errors' and make it public.
This is necessary because it has public headers.

Signed-off-by: Jelmer Vernooij <jelmer@jelmer.uk>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Wed Jan 13 07:47:04 CET 2016 on sn-devel-144
2016-01-13 07:47:04 +01:00
Jelmer Vernooij
773cfba9af Avoid including libds/common/roles.h in public loadparm.h header.
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Andrew Bartlett
0e58705a5b python: Remove Python 2.4 support macros
We require Python 2.6

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2016-01-07 23:33:10 +01:00
Volker Lendecke
b7f0e29fd2 lib: Use asn1_current_ofs()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
a93946b2fe lib: Use asn1_extract_blob()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
8cfb6a3139 lib: Use asn1_set_error()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
57a0bc9a9f lib: Use asn1_has_error()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Douglas Bagnall
795f4729ca auth: keep track of lastLogon and lastLogonTimestamp
lastLogon is supposed to be updated for every interactive or kerberos
login, and (according to testing against Windows2012r2) when the bad
password count is non-zero but the lockout time is zero. It is not
replicated.

lastLogonTimestamp is updated if the old value is more than 14 -
random.choice([0, 1, 2, 3, 4, 5]) days old, and it is replicated. The
14 in this calculation is the default, stored as
"msDS-LogonTimeSyncInterval", which we offer no interface for
changing.

The authsam_zero_bad_pwd_count() function is a convenient place to
update these values, as it is called upon a successful logon however
that logon is performed. That makes the function's name inaccurate, so
we rename it authsam_logon_success_accounting(). It also needs to be
told whet5her the login is interactive.

The password_lockout tests are extended to test lastLogon and
lasLogonTimestamp.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2015-12-15 00:08:57 +01:00
Douglas Bagnall
d097e813ff auth: increase resolution for password grace period calculation
This changes the resolution of "now" from 1s to 100ns.

It should have little effect in practice, unless users are in the
habit of playing chicken with the grace period.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2015-12-15 00:08:57 +01:00
Andreas Schneider
0733ce3c6e gensec: Fix picky unused variable errors
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-11-23 15:17:18 +01:00
Andreas Schneider
e0504a80dc s4-auth: Fix picky unused variable warning
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-11-23 15:17:18 +01:00