mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1643 Commits

Author SHA1 Message Date
Andrew Bartlett
5131359eda auth/credentials: Support match-by-key in cli_credentials_get_server_gss_creds()
This allows a password alone to be used to accept kerberos tickets.

Of course, we need to have got the salt right, but we do not need also
the correct kvno.  This allows gensec_gssapi to accept tickets based on
a secrets.tdb entry.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Aug 30 01:26:12 CEST 2012 on sn-devel-104
2012-08-30 01:26:12 +02:00
Andrew Bartlett
62373b8a50 lib/krb5_wrap: Move enctype conversion functions into a simple helper file 2012-08-28 07:57:29 +10:00
Björn Jacke
13f8674a15 build: rename security → samba-security
there is a libsecurity on OSF1 which clashes with our security lib. see bug #9023.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Fri Aug 10 14:22:21 CEST 2012 on sn-devel-104
2012-08-10 14:22:20 +02:00
Andreas Schneider
18692b060f s4-auth: Make sure we use the correct credential state.
If we create a copy of the credential state we miss updates to the
credentials.

To establish a netlogon schannel connection we create client credentials
and authenticate with them using

dcerpc_netr_ServerAuthenticate2()

For this we call netlogon_creds_client_authenticator() which increases
the sequence number and steps the credentials. Let's assume the sequence
number is 1002.

After a successful authentication we get the server credentials and we
send a bind auth request with the received creds. This sets up gensec
and the gensec schannel module created a copy of the client creds and
stores it in the schannel auth state. So the creds stored in gensec have
the sequence number 1002.

After that we continue and need the client credentials to call

dcerpc_netr_LogonGetCapabilities()

to verify the connection. So we need to increase the sequence number of
the credentials to 1004 and step the credentials to the next state. The
server always does the same and everything is just fine here.

The connection is established and we want to do another netlogon call.
So we get the creds from gensec and want to do a netlogon call e.g.

dcerpc_netr_SamLogonWithFlags.

We get the needed creds from gensec. The sequence number is 1002 and
we talk to the server. The server is already ahead cause we are already
at sequence number 1004 and the server expects it to be 1006. So the
server gives us ACCESS_DENIED cause we use a copy in gensec.

Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17 13:26:37 +02:00
Christof Schmitt
7285ed586f auth: Common function for retrieving PAC_LOGIN_INFO from PAC
Several functions use the same logic as kerberos_pac_logon_info. Move
kerberos_pac_logon_info to common code and reuse it to remove the code
duplication.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-06 20:45:51 +10:00
Andrew Bartlett
eba8799514 auth: Remove .get_challenge (only used for security=server)
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge,
so if we ever did use a module that needed this functionality, we would
downgrade to just NTLM.

Now that security=server has been removed, we have no such module.

This will make it easier to make the auth subsystem async, as we will
not need to consider making .get_challenge async.

Andrew Bartlett
2012-07-03 08:13:01 +10:00
Andrew Bartlett
e49656e2ee auth: Use only security_token_is_system to determine that a user is SYSTEM
This removes the duplication on how to detect that a user is system in Samba
now that the smbd system account is also only SID_NT_SYSTEM we can use the same
check everywhere.

Andrew Bartlett

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-06-19 10:38:13 +02:00
Andrew Bartlett
b8815dc23d lib/param: Create a separate server role for "active directory domain controller"
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC which will allow smarter handling of (for example) accidentally
starting smbd rather than samba.

To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.

Andrew Bartlett
2012-06-15 09:18:33 +02:00
Michael Adam
23a73c51ac s4:kerberos: fix typos in kerberos-notes.txt 2012-06-12 07:21:46 +02:00
Michael Adam
6b2175c834 s4:gensec: fix a comment typo 2012-06-12 07:21:45 +02:00
Andrew Bartlett
1e28aa147f build: Add missing deps and make MESSAGING a private library
To remove finddcs_nbt these missing deps need to be added.  These
subsystems linked to implicit dependencies provided by finddcs.
Due to the new arrangement of subsystems, MESSAGING needs to be a
private library to avoid being a source of duplicate symbols.

Andrew Bartlett
2012-06-07 06:45:06 +02:00
Andrew Bartlett
65bd5eb04b lib/krb5_wrap: Move krb5_princ_size helper to source4 as it is only used there
This is also where the related krb5_princ_component is declared.

Also fix the configure check to use the correct name

This helps the autoconf build on Heimdal.

Andrew Bartlett
2012-05-30 12:55:39 +02:00
Andreas Schneider
2b144531f1 gse: Use the smb_gss_oid_equal wrapper.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-05-23 17:51:51 +03:00
Alexander Bokovoy
2ddf89a2bc Introduce system MIT krb5 build with --with-system-mitkrb5 option.
System MIT krb5 build also enabled by specifying --without-ad-dc

When --with-system-mitkrb5 (or --without-ad-dc) option is passed to top level
configure in WAF build we are trying to detect and use system-wide MIT krb5
libraries. As a result, Samba 4 DC functionality will be disabled due to the fact
that it is currently impossible to implement embedded KDC server with MIT krb5.

Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
  * Samba 4 client libraries and their Python bindings
  * Samba 3 server (smbd, nmbd, winbindd from source3/)
  * Samba 3 client libraries

In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture.
This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.
2012-05-23 17:51:50 +03:00
Simo Sorce
ad945bc68f gensec_gssapi: Make it possible to build with MIT krb5
We need to ifdef out some minor things here because there is no available API
to set these options in MIT.
The realm and canonicalize options should be not interesting in the client
case. Same for the send_to_kdc hacks.
Also the OLD DES3 enctype is not at all interesting. I am not aware that
Windows will ever use DES3 and no modern implementation relies on that enctype
anymore as it has been fully deprecated long ago, so we can simply ignore it.
2012-05-23 17:51:49 +03:00
Jelmer Vernooij
01c502ddd4 pygensec: Fix init of variable if not specified.
Thanks to Wolfgang Sourdeau for reporting this.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=8946

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Fri May 18 04:50:17 CEST 2012 on sn-devel-104
2012-05-18 04:50:17 +02:00
Stefan Metzmacher
90c309b053 s4:auth/gensec_gssapi: add "gensec_gssapi:requested_life_time" option
metze
2012-05-17 20:04:34 +02:00
Stefan Metzmacher
6b38d0274a s4:auth/gensec: implement gensec_gssapi_expire_time()
metze
2012-05-17 20:04:33 +02:00
Stefan Metzmacher
677c4fd2c1 s4:auth/gensec_gssapi: add missing 'break' statements
metze
2012-05-17 20:04:32 +02:00
Stefan Metzmacher
943cb79596 s4:auth/gensec_gssapi: remember the expire time
metze
2012-05-17 20:04:31 +02:00
Stefan Metzmacher
7cb4acd5dd s4:auth: remove unused auth_server.c
metze
2012-05-15 08:18:29 +02:00
Andreas Schneider
7f9e4d70b9 s4-auth: Use smb_krb5_make_pac_checksum.
Signed-off-by: Simo Sorce <idra@samba.org>
2012-05-08 06:42:56 +02:00
Alexander Bokovoy
822e6794f0 s4:auth/kerberos: don't do tracing in MIT build
Signed-off-by: Simo Sorce <idra@samba.org>
2012-05-04 16:51:29 +02:00
Simo Sorce
eb9e3e8a54 auth-session: MIT doesn't have import/export cred yet
For now let's just lose this functionality with the MIT build.
gss_import/export_cred should be available when MIT 1.11 is released and this
code is used only in some proxy scenario. Not normally needed for common
configurations.
2012-05-04 16:51:29 +02:00
Simo Sorce
6bec64b12a s4-auth-krb: Make srv_keytab.c build against MIT Kerberos 2012-05-04 16:51:29 +02:00
Simo Sorce
548046ff4d Fix incompatible assignment warning 2012-05-04 16:51:29 +02:00
Simo Sorce
205b032061 Fix compiler warning 2012-05-04 16:51:29 +02:00
Simo Sorce
cf7d15e075 s4-auth-krb: Use compat code to initialize keyblock contents 2012-05-04 16:51:29 +02:00
Simo Sorce
62f3be7af3 s4-auth-krb: Disable code in MIT build
Unfortunately these functions are not available in MIT and there is no easy
workaround or compat function I can see at this stage. Will fix properly once
MIT gets the necessary functions or if another workaround can be found.
2012-05-04 16:51:28 +02:00
Simo Sorce
c2f663263c Move keytab_copy to krb5samba lib
This is a helper function that uses purely krb5 code, so it belongs to
krb5samba which is the krb5 wrapper for samba.
2012-05-04 16:51:28 +02:00
Simo Sorce
94b9af6ac6 Fix keytab_copy to compile with MIT libraries too 2012-05-04 16:51:28 +02:00
Simo Sorce
07953e19fc keytab_copy: Fix style, whitespaces 2012-05-04 16:51:28 +02:00
Simo Sorce
57dc8aa1b2 kerberos_pac: Fix code to work with MIT too 2012-05-04 16:51:28 +02:00
Simo Sorce
a2de8a12d3 s4-auth-krb: smb_rd_req_return_stuff is used only in gensec_krb5
Make it clearly a gensec_krb5 accessory file.
This function should never be used anywhere else.
This function was copied out from the Heimdal tree and is kept in a separate
file for clarity and to keep the original license boilerplate.
2012-05-04 16:51:28 +02:00
Simo Sorce
3109a3de1f Split normal kinit from s4u2 flavored kinit
This makes it simpler to slowly integrate MIT support and also makes it
somewhat clearer what operation is really requested.
The s4u2 part is really only used by the cifs proxy code so we can temporarily
disable it in the MIT build w/o major consequences.
2012-05-04 16:51:28 +02:00
Simo Sorce
29d284c245 Move kerberos_kinit_password_cc to krb5samba lib 2012-05-04 16:51:28 +02:00
Simo Sorce
38a5a2c5c5 Move kerberos_kinit_keyblock_cc to krb5samba lib
Make it also work with MIT where krb5_get_in_tkt_with_keyblock is not
available.
2012-05-04 16:51:28 +02:00
Simo Sorce
aa1a0d80de krb-init: define out heimdal specific stuff in mitkrb build 2012-05-04 16:51:28 +02:00
Simo Sorce
9a585a3141 s4-auth-krb: avoid useless condition
Code bails out with ENOMEM 2 lines above if config_file is NULL anyways
2012-05-04 16:51:28 +02:00
Alexander Bokovoy
594e316181 lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into lib/replace/system/gssapi.h
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.

Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.

Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
2012-04-25 00:18:32 +02:00
Simo Sorce
08c733d75f Make krb5 wrapper library common so they can be used all over 2012-04-23 19:20:38 -04:00
Simo Sorce
f7070c90b9 For now just disable this Heimdal specific stuff in the MIT build 2012-04-23 16:40:49 -04:00
Simo Sorce
110dad8c9e Make krb5 context initialization not heimdal specific
Turn the logging data to an opaque pointer.
Ifdef code and use MIT logging function when built against system MIT.
2012-04-23 16:40:05 -04:00
Simo Sorce
70d44a9a17 Fix Error messages 2012-04-19 15:55:30 +02:00
Alexander Bokovoy
f9ec6ff073 s4-auth: Make sure ldb context is initialized even if not passed by Python code
Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Sat Apr 14 00:21:00 CEST 2012 on sn-devel-104
2012-04-14 00:20:59 +02:00
Simo Sorce
a925c2c48d srv_keytab: Pass krb5_context directly, it's all we use anyways.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
70c303a7f3 auth-krb: Move pac related util functions in a single place.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
3fd6deda7d auth-krb: Make functions static.
The remaining gssapi_parse functions were used exclusively in
gensec_krb5.  Move them there and make them static.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
88d5d5c4b4 auth-krb: Move oid packet check to gensec_util.
This is clearly a utility function generic to gensec.  Also the 3 callers
had identical implementations. Provide a generic implementation for all
of them and avoid duplicating the code everywhere.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
f116262a73 s4-auth-krb: Remove dependency on credentials too.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00