1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1643 Commits

Author SHA1 Message Date
Jelmer Vernooij
7e039c7dda source4/auth: Fix prototypes for all functions. 2011-03-19 03:20:05 +01:00
Jelmer Vernooij
557f830c4f source4/auth/ntlm: Fix prototypes for all functions. 2011-03-19 03:20:05 +01:00
Jelmer Vernooij
8823aeaf24 source4/auth/gensec: Fix prototypes for all functions. 2011-03-19 03:20:05 +01:00
Simo Sorce
a57c2b02f1 Fix public header not to include private (not installed) ones.
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Mon Mar 14 17:01:20 CET 2011 on sn-devel-104
2011-03-14 17:01:20 +01:00
Günther Deschner
dc35442fb1 s4-nterr: move auth_nt_status_squash to nt_status_squash and move to nterr.c
Guenther
2011-03-04 01:18:42 +01:00
Jelmer Vernooij
59a077d8f5 Fix some types
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Feb 28 23:30:06 CET 2011 on sn-devel-104
2011-02-28 23:30:06 +01:00
Jelmer Vernooij
31d09b13d3 tdb: Use <tdb.h> to include tdb so system headers are found when building against system tdb. 2011-02-28 21:11:21 +01:00
Andrew Tridgell
74947964d9 build: moved spnego_parse.c into a common subsystem 2011-02-24 15:08:50 +11:00
Andrew Tridgell
8dbe665a0c build: moved schannel_sign.c into a shared COMMON_SCHANNEL subsystem
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-24 11:57:48 +11:00
Andrew Tridgell
d37a55548b build: moved libcli/auth/ntlmssp*.c into a common libcliauth.so library
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-24 11:57:48 +11:00
Andrew Bartlett
e3821f2c40 s4-auth Move libcli/security/session.c to the top level
This code is now useful in common, as the elements of the
auth_session_info structure have now been defined in common IDL.

Andrew Bartlett
2011-02-22 16:20:11 +11:00
Andrew Tridgell
ed71c1ef1f s4-auth: rename 'auth' subsystem to 'auth4'
this prevents conflicts with the s3 auth modules. The auth modules in
samba3 may appear in production smb.conf files, so it is preferable to
rename the s4 modules for minimal disruption.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-18 15:09:46 +11:00
Günther Deschner
3722f65359 librpc: make NDR_KRB5PAC a shared library (libndr-krb5pac.so).
Simo, please check.

Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Feb 14 18:54:38 CET 2011 on sn-devel-104
2011-02-14 18:54:38 +01:00
Andrew Tridgell
8dc92c8f71 ldb: use #include <ldb.h> for ldb
thi ensures we are using the header corresponding to the version of
ldb we're linking against. Otherwise we could use the system ldb for
link and the in-tree one for include

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-10 06:51:07 +01:00
Andrew Tridgell
e26b1a6968 s4-krb5: authkrb5 should depend on ldb
this fixes the include path to add ldb

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-10 06:51:07 +01:00
Andrew Bartlett
d66150c14d libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport
This changes the structure being used to convey the current user state
from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built
structure that matches the internals of the Samba auth subsystem and
contains the final group list, as well as the final privilege set and
session key.

These previously had to be re-created on the server side of the pipe
each time.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-10 06:51:06 +01:00
Andrew Bartlett
4cfee6f88e auth Move auth_sam_reply into the top level.
These functions provide conversions between some netlogon.idl and
auth.idl structures

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-10 06:51:06 +01:00
Andrew Bartlett
7e76367e59 s4-auth Fix setting of bad_password_count in auth_convert_user_info_dc_sambaseinfo()
Discovered during the convertion to auth_user_info.

Andrew Bartlett
2011-02-09 01:11:06 +01:00
Andrew Bartlett
a2ce53c1f5 s4-auth Rework auth subsystem to remove struct auth_serversupplied_info
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc.  This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.

The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.

Andrew Barltett
2011-02-09 01:11:06 +01:00
Andrew Bartlett
f1c0e9532d s4-auth Add auth.idl to encode auth subsystem structures in IDL
This is not only a useful way to encode stuff, it also allows python
to handle the structures, and natrually allows them to be NDR encoded.

Andrew Bartlett
2011-02-09 01:11:06 +01:00
Günther Deschner
34722c72f6 pam: share pam errors in a common location.
Guenther
2011-02-08 14:05:36 +01:00
Andrew Bartlett
7faa3be453 s4-python Ensure we add the Samba python path first.
This exact form of the construction is important, and we match on it
in the installation scripts.

Andrew Bartlett
2011-02-02 15:21:12 +11:00
Matthias Dieter Wallnöfer
7b9ead17f1 s4:auth/pyauth.c - temporarily add compatibility code for Python 2.4
This patch has been commited by request of Jelmer.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Jan 30 19:07:57 CET 2011 on sn-devel-104
2011-01-30 19:07:57 +01:00
Andrew Bartlett
fbe6d155bf s4-auth Remove special case for account_sid from auth_serversupplied_info
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **.  This is in keeping with
the other sid lists in the security_token etc.

In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.

Andrew Bartlett
2011-01-20 23:44:05 +01:00
Andrew Bartlett
cce5231b4d s4-gensec Add prototype for gensec_ntlmssp_init()
Andrew Bartlett
2011-01-20 23:44:05 +01:00
Andrew Bartlett
084b4e235e libcli/auth move ntlmssp_wrap() and ntlmssp_unwrap() into common code.
The idea here is to allow the source3/libads/sasl.c code to call this
instead of the lower level ntlmssp_* functions.

Andrew Bartlett
2011-01-20 23:44:05 +01:00
Andrew Bartlett
6d93af433e s4-pyauth Fix AuthContext wrapper 2011-01-19 12:29:05 +01:00
Andrew Bartlett
a7e238d322 s4-auth Allow NULL methods to be specified to auth_context_create_methods()
This allows us to init an auth context that isn't going to do any NTLM
authentication, but is used by other subsystems.

Andrew Bartlett
2011-01-19 12:29:05 +01:00
Andrew Bartlett
902e18329f s4-gensec Remove special case 'for SASL' that is not required any more.
I've examined the code paths involved, and it appears an alternative
fix has been made in the ldap_server/ldap_bind.c code, and there is no
code path that uses this behaviour.

Andrew Bartlett
2011-01-19 12:29:05 +01:00
Andrew Tridgell
bc0230be1d pygensec: remove special case handling for None for buffers
always returning a buffer makes life easier for callers

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-19 01:35:22 +01:00
Andrew Bartlett
a1e1f02efe s4-gensec Extend python bindings for GENSEC and the associated test
This now tests a real GENSEC exchange, including wrap and unwrap,
using GSSAPI.  Therefore, it now needs to access a KDC.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Jan 18 11:41:26 CET 2011 on sn-devel-104
2011-01-18 11:41:26 +01:00
Andrew Bartlett
24a4b9a738 s4-auth Extend python bindings to allow ldb and message to be specified
This will allow for some more tokenGroups tests in future.

Andrew Bartlett
2011-01-18 10:55:05 +01:00
Andrew Bartlett
08051ae29e s4-pygensec Fix indentation of py_gensec_start_mech_by_name() 2011-01-18 10:55:05 +01:00
Andrew Bartlett
147f075c47 s4-pygensec Add bindings for server_start() and update() 2011-01-18 10:55:05 +01:00
Andrew Bartlett
969c1b58eb s4-pyauth Add bindings for auth_context_create() as AuthContext() 2011-01-18 10:55:05 +01:00
Andrew Bartlett
017fbcdd10 s4-pyauth Use py_talloc_get_type() for greater talloc binding safety
This does a talloc check of the returned pointer before casting it.

Andrew Bartlett
2011-01-18 10:55:05 +01:00
Andrew Bartlett
9b643c8c83 s4-gensec Don't steal the auth_context, reference it.
We don't want to steal this pointer away from the caller if it's been
set up from python.

Andrew Bartlett
2011-01-18 10:55:05 +01:00
Matthias Dieter Wallnöfer
32e7d7654f s4:auth/ntlm/auth_sam.c - fix call to "get_server_info_principal"
This should obviously point to the wrapper not the call itself.

Found out by Tru64 host build warning.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Jan 15 18:05:59 CET 2011 on sn-devel-104
2011-01-15 18:05:59 +01:00
Andrew Tridgell
8df6504ffe s4-auth: fixed status return
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-14 16:39:33 +11:00
Andrew Bartlett
edd3b033b8 s4-auth Add get and set methods for auth_session_info python wrapper
This allows the session key, security_token and credentials to be
manipulated from python.

Andrew Bartlett

Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2011-01-14 16:39:32 +11:00
Andrew Bartlett
ece6eae4d8 s4-auth Add function to obtain any user's session_info from a given LDB
This will be a building block for a tokenGroups test, which can
compare against a remote server (in particular the rootDSE) against
what we would calculate the tokenGroups to be.

(this meant moving some parts out of the auth_sam code into the
containing library)

Andrew Bartlett
2011-01-14 16:39:32 +11:00
Andrew Bartlett
c82269cf86 s4-auth use new dsdb_expand_nested_groups()
This isn't quite as good as using tokenGroups, but that is only
available for BASE searches, and this isn't how the all the callers
work at the moment.

Andrew Bartlett
2011-01-14 16:39:32 +11:00
Stefan Metzmacher
cbf6c88aa8 s4:gensec/schannel: use netsec_outgoing_sig_size() to get the signature size
metze
2011-01-03 16:44:28 +01:00
Jelmer Vernooij
3b4fd3573e heimdal_build: Add missing dependencies when building with system heimdal.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Jan  1 04:46:35 CET 2011 on sn-devel-104
2011-01-01 04:46:35 +01:00
Matthias Dieter Wallnöfer
71d0fd88d2 s4:auth/session.h - use a forward declaration for type "struct ldb_context"
And remove the now obsolete one for "struct tevent_context"

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Tue Dec 21 11:17:34 CET 2010 on sn-devel-104
2010-12-21 11:17:34 +01:00
Andrew Bartlett
446f8a163c s4-auth Ensure that we always copy across domain groups
Even if we can't calculate the local groups (because we don't have a
local SAM to do it with) we still need to include the domain groups in
the session_info token.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Dec 21 05:56:22 CET 2010 on sn-devel-104
2010-12-21 05:56:22 +01:00
Andrew Bartlett
6f7423c7f1 s4-auth Remove duplicate copies of session_info creation code
We now just do or do not call into LDB based on some flags.

This means there may be some more link time dependencies, but we seem
to deal with those better now.

Andrew Bartlett
2010-12-21 15:10:38 +11:00
Andrew Bartlett
1961d7a411 s4-auth rework session_info handling not to require an auth context
This reverts a previous move to have this based around the auth
subsystem, which just spread auth deps all over unrelated code.

Andrew Bartlett
2010-12-21 15:10:38 +11:00
Andrew Bartlett
94a59b781c s4-auth Remove event context from privilage database handling
These local TDB operations can quite safely be handled in a new/nested
event context, rather than using the main event context.

Andrew Bartlett
2010-12-21 15:10:38 +11:00
Andrew Bartlett
becaa18a46 s4-auth Remove obsolete comment
The code that this referred to went away in September with
7dbfeb0dc0

Andrew Bartlett
2010-12-21 15:10:37 +11:00
Matthias Dieter Wallnöfer
89522ea5b1 s4:auth/gensec/spnego.c - remove unused variable "principal" 2010-12-21 15:10:37 +11:00
Stefan Metzmacher
f126cb9eea s4:gensec/spnego: only look at the optimistic token if we support the first mech
As a server only try the mechs the client proposed
and only call gensec_update() with the optimistic token
for the first mech in the list.

If the server doesn't support the first mech we pick the
first one in the clients list we also support.
That's how w2k8r2 works.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Dec 14 16:50:50 CET 2010 on sn-devel-104
2010-12-14 16:50:49 +01:00
Jelmer Vernooij
35fbc7bbda s4-smbtorture: Make test names lowercase and dot-separated.
This is consistent with the test names used by selftest, should
make the names less confusing and easier to integrate with other tools.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Dec 11 04:16:13 CET 2010 on sn-devel-104
2010-12-11 04:16:13 +01:00
Andrew Bartlett
154b431093 s4-spnego Match Windows 2008, and no longer supply a name in the CIFS Negprot
Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec  9 08:50:28 CET 2010 on sn-devel-104
2010-12-09 08:50:27 +01:00
Andrew Tridgell
735c1cd2da s4-pkgconfig: add @LIB_RPATH@ to our link flags
this is only set when rpath is used on install. It ensures that
applications that link against Samba libraries get the rpath right

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Dec  8 12:46:00 CET 2010 on sn-devel-104
2010-12-08 12:46:00 +01:00
Andrew Bartlett
94f4929e04 s4-spnego use "not_defined_in_RFC4178@please_ignore" if no principal specified
We need to make this the default, but for now just send it if we have
not been given a target principal.

Andrew Bartlett
2010-12-08 08:55:04 +01:00
Andrew Bartlett
a21cb5a0a1 libcli/auth bring ADS_IGNORE_PRINCIPAL in common 2010-12-08 08:55:04 +01:00
Matthias Dieter Wallnöfer
f1db3c52de s4:auth/gensec/gensec_krb5.c - fix/reorder memory free operations
To prevent memory leaks
2010-12-04 16:40:25 +01:00
Matthias Dieter Wallnöfer
ee311beabe s4:auth/gensec/gensec_krb5.c - remove a pointless "nt_status" test
There is no operation which sets the "nt_status" before the "if".
2010-12-04 16:40:25 +01:00
Matthias Dieter Wallnöfer
3fb5ae600e s4:auth/kerberos/kerberos_pac.c - fix another memory leak regarding the KRB principal
In addition fix a counter type

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Dec  4 15:14:46 CET 2010 on sn-devel-104
2010-12-04 15:14:46 +01:00
Matthias Dieter Wallnöfer
f92055f298 s4:dsdb/common/util_samr.c and auth/sam.c - fix error message 2010-12-04 14:27:40 +01:00
Matthias Dieter Wallnöfer
e2a89d6ba7 s4:auth/sam.c - when printing out a string buffer we don't strictly need the width
The precision (maximum numbers of characters) should be enough.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Dec  3 10:26:39 CET 2010 on sn-devel-104
2010-12-03 10:26:39 +01:00
Matthias Dieter Wallnöfer
4ae9aec17c s4:auth/sam.c - the check for the SAMDB needs to be on the top of the call
Otherwise it's really useless.
2010-12-03 09:19:42 +01:00
Matthias Dieter Wallnöfer
5e1c9b562c s4:auth/sam.c - fix the free of memory contexts
"tmp_ctx" needs always to be freed ("res" is freed implicitly)
2010-12-03 09:18:23 +01:00
Matthias Dieter Wallnöfer
07e18e8f7c s4:auth/sam.c - specify the SID ignore case better
As per suggestion by metze.
2010-12-03 09:17:01 +01:00
Matthias Dieter Wallnöfer
7a5e47bf4e s4:auth/sam.c-"authsam_expand_nested_groups" - don't fail if we've memberships on non-SAM objects
This can be expected (think at a membership of a "groupOfNames" group) and we
shouldn't blame about it.

This fixes a bug reported on the technical mailing list.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Thu Dec  2 17:17:56 CET 2010 on sn-devel-104
2010-12-02 17:17:55 +01:00
Jelmer Vernooij
8428311ce5 pygensec: Fix initialization.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Wed Dec  1 02:33:06 CET 2010 on sn-devel-104
2010-12-01 02:33:06 +01:00
Jelmer Vernooij
f43ffed781 pyauth: Use talloc.Object. 2010-12-01 01:48:25 +01:00
Jelmer Vernooij
fce73d7eff pygensec: Use talloc.Object. 2010-12-01 01:48:25 +01:00
Jelmer Vernooij
00251d9e56 pycredentials: Use talloc.Object. 2010-12-01 01:48:25 +01:00
Matthias Dieter Wallnöfer
bd4006fb9e s4:auth/gensec/gensec_tstream.c - quiet warnings on Solaris "cc" 2010-11-29 14:48:13 +01:00
Matthias Dieter Wallnöfer
7fb9087e64 s4:auth/ntlmssp/ntlmssp_server.c - remove unnecessary ";" 2010-11-29 14:48:12 +01:00
Matthias Dieter Wallnöfer
cc553eaf97 s4:auth/gensec/gensec_gssapi.c - always print error messages on the same talloc context 2010-11-29 11:33:04 +01:00
Kamen Mazdrashki
092e923e2b s4-tests/bind.py: Use samba.tests.connect_samdb() instead of directly using SamDB class
connect_samdb() functino will correctly handle things like:
- session_info param - it will create system_session() using supplied
  LoadParm parameter and thus avoiding creation of multiple LoadParm
  instances (LoadParm() will mask certain command line supplied options)
- host url will be prefixed with ldap:// automatically

Autobuild-User: Kamen Mazdrashki <kamenim@samba.org>
Autobuild-Date: Sun Nov 28 03:00:41 CET 2010 on sn-devel-104
2010-11-28 03:00:41 +01:00
Nadezhda Ivanova
f42802e22f s4-tests: Modified bind.py to use samba.tests.delete_force 2010-11-25 01:11:29 +02:00
Arnaud Faucher
2ac5cedb71 Avoid the use of PyAPI_DATA, which is for internal Python API's.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Nov 22 00:52:56 CET 2010 on sn-devel-104
2010-11-22 00:52:56 +01:00
Andrew Tridgell
5f655e99a1 s4-gensec: zero the gssapi_state
this fixes a use of the target_principal before initialisation

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-17 23:55:38 +11:00
Andrew Bartlett
2b7730d291 s4-gensec Indicate if GENSEC is in client or server mode in the debug 2010-11-15 23:17:05 +00:00
Jelmer Vernooij
e422c2a4a5 auth/ntlm: Use name consistent with other service names. 2010-11-15 03:14:23 +01:00
Andrew Bartlett
02d320394f auth/gensec Handle incorrect username or password in Kerberos client code
Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Nov 15 02:09:40 UTC 2010 on sn-devel-104
2010-11-15 02:09:39 +00:00
Andrew Tridgell
7cb0f95bf2 s4-auth: fixed infinite loop in krb5 auth
we were continually trying the first address returned, instead of
moving to the next address

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Nov 14 04:11:28 UTC 2010 on sn-devel-104
2010-11-14 04:11:28 +00:00
Andrew Tridgell
6582d4739c s4-auth: fixed crash in krb5 auth
remote_addr was used after free
2010-11-14 13:53:29 +11:00
Andrew Tridgell
8e34df462c s4-test: we need to import testtools before subunit/python
subunit/python depends on testtools

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sat Nov 13 02:02:45 UTC 2010 on sn-devel-104
2010-11-13 02:02:45 +00:00
Anatoliy Atanasov
9cdb0b5cee s4/test: Expand BindTest
The test now binds with user@realm, domain\user, user dn, computer dn

Autobuild-User: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
Autobuild-Date: Thu Nov 11 16:15:30 UTC 2010 on sn-devel-104
2010-11-11 16:15:30 +00:00
Andrew Bartlett
10c82d0619 s4-auth Supply more useful error messages on Kerberos failure
The practice of returning only NT_STATUS_INVALID_PARAMETER hasn't
helped our users to debug problems effectivly, and so we now return
more errors and try and give a more useful debug message when then
happen.

Andrew Bartlett
2010-11-08 18:15:23 +11:00
Brad Hards
cd4c3d6d7b s4-auth Fix typos in samba4 auth code 2010-11-08 18:15:23 +11:00
Jelmer Vernooij
4217734a51 credentials: Lowercase library name,
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Nov  7 01:48:44 UTC 2010 on sn-devel-104
2010-11-07 01:48:44 +00:00
Jelmer Vernooij
0878399bd5 samdb: Lowercase library name. 2010-11-07 01:52:13 +01:00
Andrew Bartlett
14f455ba99 s4-kerberos Mention the remote address we fail to contact the KDC on 2010-11-05 23:42:08 +11:00
Anatoliy Atanasov
211f6d5f55 s4/auth: Add logon_parameters to authenticate_username_pw
We need to be able to set the logon parameters in the same way as in the
ntlm server so we can handle openldap simple authentication call correctly.

Autobuild-User: Anatoliy Atanasov <anatoliy@samba.org>
Autobuild-Date: Fri Nov  5 06:32:43 UTC 2010 on sn-devel-104
2010-11-05 06:32:43 +00:00
Anatoliy Atanasov
d952f6c391 s4/test: Added test for simple bind with machine account
Samba4 returns error on simple bind, when we do it using openldap
simple_bind_s api.
2010-11-05 07:50:17 +02:00
Andrew Tridgell
003a36eb5e s4-auth: unconditionally set previous_ev
we need the caller to know when the previous_ev was NULL

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-04 20:35:43 +11:00
Philip M. White
cb9d048f90 s4:waf - fix the build on Gentoo platforms
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-11-03 08:22:54 +01:00
Andrew Tridgell
28c1e4d3eb s4-modules: get rid of the remaining static prototypes for modules
the waf build now generates the prototype declarations for us
2010-11-01 18:55:19 +11:00
Andrew Tridgell
97c0def79d s4-auth: added a dependency on com_err
this helps with the gentoo build. The problem is that without the
depenency, we don't add the cflags from the pkgconfig for com_err to
the build of auth/gensec. That really reflects a more general problem
with propogation of include dependencies, but this simple fix should
be enough for now.

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Oct 31 13:13:33 UTC 2010 on sn-devel-104
2010-10-31 13:13:33 +00:00
Jelmer Vernooij
3deece5591 s4: Remove the old perl/m4/make/mk-based build system.
The new waf-based build system now has all the same functionality, and
the old build system has been broken for quite some time.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
2010-10-31 02:01:44 +00:00
Andrew Tridgell
2ea41fdbe2 s4-cmdline: make cmdline-credentials a private library 2010-10-30 23:49:01 +11:00
Andrew Tridgell
045e3445a0 s4-auth: make KERBEROS subsystem into authkrb5 private library
this fixes some double linking. The name 'KERBEROS' was also a bit
confusing, as it sounded like a base kerberos library, when it is in
fact part of auth
2010-10-30 23:49:01 +11:00
Andrew Tridgell
7a26bb9f77 s4-credentials: make a private library from CREDENTIALS subsystem
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-30 23:49:01 +11:00
Andrew Bartlett
51dd83a50c auth/credentials Give a sensible behaviour for resetting the krb5 context
This extra code isn't used at the moment, but I noticed the old API
was rather supprising in it's behaviour, and might catch someone out
at some later time.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Oct 27 05:24:22 UTC 2010 on sn-devel-104
2010-10-27 05:24:22 +00:00
Jelmer Vernooij
a702c07e02 talloc: change pytalloc-util to be a public library. 2010-10-26 10:17:19 -07:00
Jelmer Vernooij
8cf61377aa waf: Remove lib prefix from libraries manually. 2010-10-26 10:17:17 -07:00
Jelmer Vernooij
d9cbcdd410 s4: Drop duplicate 'lib' prefix for private libraries. 2010-10-26 10:17:16 -07:00
Jelmer Vernooij
a57bd4e2d8 s4: Rename WBCLIENT to wbclient. 2010-10-24 00:20:04 +00:00
Jelmer Vernooij
833480d3ad s4: Rename LIBSAMBA-* to libsamba-* 2010-10-24 00:20:04 +00:00
Jelmer Vernooij
ca16d805bd s4: Rename LIBSECURITY{_SESSION,} to libsecurity{_session,} 2010-10-24 00:20:04 +00:00
Jelmer Vernooij
2933fac7c7 s4: Rename NSS_WRAPPER to nss_wrapper.
Only link to nss_wrapper when it is enabled.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Oct 23 23:05:44 UTC 2010 on sn-devel-104
2010-10-23 23:05:43 +00:00
Jelmer Vernooij
9757a0c54c s4: Rename UID_WRAPPER to uid_wrapper.
Only link to uid_wrapper when it is enabled.
2010-10-23 22:24:06 +00:00
Jelmer Vernooij
cf26d8a958 s4: Rename LIBEVENTS to libevents. 2010-10-23 22:24:06 +00:00
Andrew Tridgell
3981399957 s4-waf: removed the XATTR and SASL aliases
these were hangovers from the old build system names

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-21 19:03:25 +11:00
Andrew Tridgell
e73739a338 s4-auth: make auth a private library
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-21 19:03:24 +11:00
Andrew Bartlett
897583476c s4-auth Add DEBUG() for invalid DNs and errors expanding user groups.
Against the OpenLDAP backend, I currently get failures.  This makes it
possible to debug those failures.

Andrew Bartlett
2010-10-19 22:34:58 +11:00
Andrew Bartlett
73d6bb7447 s4-gensec Don't give more to sasl_encode() than it will permit
We need to ask the library how much data to pass in at any time.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 19 08:37:45 UTC 2010 on sn-devel-104
2010-10-19 08:37:45 +00:00
Andrew Bartlett
15a3077885 s4-gensec Don't upgrade all DIGEST-MD5 connections to seal
The issue here is that when props.max_ssf = UINT_MAX was always set,
as was the maxbufsize, and the connection would always be upgraded,
regardless of the callers wishes.

Andrew Bartlett
2010-10-19 18:57:06 +11:00
Matthias Dieter Wallnöfer
3ead246062 s4:"util_ldb" - remove some really unused dependancies 2010-10-18 19:35:11 +02:00
Andreas Schneider
d42ddd7b60 s4-gensec: Add dependency on com_err to GENSEC_KRB5. 2010-10-18 14:03:05 +02:00
Matthias Dieter Wallnöfer
a3f61dea40 Revert "s4:remove "util_ldb" submodule and integrate the three gendb_* calls in "dsdb/common/util.c""
This reverts commit 8a2ce5c47c.

Jelmer pointed out that these are also in use by other LDB databases - not only
SAMDB ones.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
2010-10-17 13:37:16 +00:00
Matthias Dieter Wallnöfer
8a2ce5c47c s4:remove "util_ldb" submodule and integrate the three gendb_* calls in "dsdb/common/util.c"
They're only in use by SAMDB code.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
2010-10-17 09:40:13 +00:00
Matthias Dieter Wallnöfer
a0e9814c0d s4:dsdb - remove "samdb_result_uint", "samdb_result_int64", "samdb_result_uint64" and "samdb_result_string"
We have ldb_msg_find_attr_as_* calls which do exactly the same. Therefore this
reduces only code redundancies.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-15 08:36:01 +11:00
Andrew Bartlett
5742f5115c libcli/security Use common security.h
This includes dom_sid.h and security_token.h and will be moved
to the top level shortly.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 03:35:36 UTC 2010 on sn-devel-104
2010-10-12 03:35:36 +00:00
Andrew Bartlett
911169451b s4-credentials Allocate ldb result on correct memory context 2010-10-12 02:54:16 +00:00
Andrew Bartlett
0487ef0a70 libcli/security Add debug class to security_token_debug() et al
This will allow it to replace functions in source3 that use debug classes.

Andrew Bartlett
2010-10-12 02:54:16 +00:00
Jelmer Vernooij
484939db0f samdb_common, ntlm: Add missing dependency on libsamba-hostconfig. 2010-10-11 15:13:16 +00:00
Andrew Bartlett
42127cdbb0 s4-credentials Add explicit event context handling to Kerberos calls (only)
By setting the event context to use for this operation (only) onto
the krb5_context just before we call that operation, we can try
and emulate the specification of an event context to the actual send_to_kdc()

This eliminates the specification of an event context to many other
cli_credentials calls, and the last use of event_context_find()

Special care is taken to restore the event context in the event of
nesting in the send_to_kdc function.

Andrew Bartlett
2010-10-11 13:02:16 +00:00
Andrew Bartlett
5cd9495fb3 s4-param Refactor secrets code to not require an event context.
A new event context is constructed by LDB when required for secrets.ldb
This will be essentially unused, as LDB on TDB will only trigger 'fake'
events, and blocks on transactions and lock operations anyway.

Andrew Bartlett
2010-10-11 13:02:15 +00:00
Andrew Bartlett
baeaa17986 s4-kerberos Remove unused parameter 2010-10-11 13:02:15 +00:00
Andrew Bartlett
1ef59ea9db s4-kerberos Remove unsued variable 2010-10-11 13:02:15 +00:00
Jelmer Vernooij
edc5ccc309 credentials: Avoid unnecessary includes.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Oct 11 13:01:36 UTC 2010 on sn-devel-104
2010-10-11 13:01:35 +00:00
Jelmer Vernooij
d589430fa0 credentials: Fix the build.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Oct 11 02:47:50 UTC 2010 on sn-devel-104
2010-10-11 02:47:50 +00:00
Jelmer Vernooij
d74e0adb30 credentials: Split up into several subsystems. 2010-10-11 02:06:03 +00:00
Jelmer Vernooij
c5ae099152 kerberos_util: Put into separate subsystem.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Oct 11 00:34:56 UTC 2010 on sn-devel-104
2010-10-11 00:34:56 +00:00
Jelmer Vernooij
539d5f518d auth: Remove unnecessary dependencies, fix formatting. 2010-10-10 23:54:04 +00:00
Jelmer Vernooij
5cbbe94366 credentials: Move code that doesn't need any external dependencies into
credentials.c.
2010-10-10 23:54:04 +00:00
Jelmer Vernooij
8f6ca4859c gensec: Support building without any linked-in modules. 2010-10-10 23:37:34 +02:00
Jelmer Vernooij
93126b3315 samdb: Add flags argument to samdb_connect(). 2010-10-10 23:08:49 +02:00
Jelmer Vernooij
5548d3d41e Add missing dependencies for com_err. 2010-10-05 00:38:35 +02:00
Jelmer Vernooij
9eab95bd08 heimdal: Fix name of hx509 library. 2010-10-05 00:38:34 +02:00
Jelmer Vernooij
9b18d48d51 heimdal: Fix library name of gssapi. 2010-10-05 00:38:34 +02:00
Andrew Bartlett
0ea3877935 s4-gensec Always honour the set server principal
The spengo code won't set this unless it is allowed to by this
same option, but other callers may need it.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Oct  2 02:27:39 UTC 2010 on sn-devel-104
2010-10-02 02:27:39 +00:00
Andrew Bartlett
87698dc2a1 s4-kerberos Don't regenerate key values for each alias in keytab
Instead, store the same key value under the multiple alias names.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Oct  2 00:16:52 UTC 2010 on sn-devel-104
2010-10-02 00:16:52 +00:00
Andrew Bartlett
a82e3abc70 s4-auth Add make_server_info_pac() to include 'resource domain' groups
Previously, our PAC code didn't include these groups into the
server_info from which we would eventually calculate the full
list of tokenGroups.

Andrew Bartlett
2010-10-02 09:11:37 +10:00
Andrew Bartlett
6488d5bc0b s4-auth Allocate domain SIDs under the sids array, not server_info
Andrew Bartlett
2010-10-02 09:11:37 +10:00
Andrew Tridgell
0adc1645e2 s4-auth: fixed a vagrind error when creating keytabs
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-01 13:08:23 -07:00
Andrew Tridgell
44c891a35a s4-sam: added DOMAIN_RID_ENTERPRISE_READONLY_DCS for RODCs in the PAC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-29 09:49:16 -07:00
Andrew Tridgell
dacfe67a0e s4-sam: fixed termination of krbtgt_attrs (comma and NULL)
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-28 19:25:51 -07:00
Andrew Bartlett
85f7bce865 s4-kdc Use msDS-SecondaryKrbTgtNumber to fill in the full KVNO
Andrew Bartlett
2010-09-29 04:23:07 +10:00
Andrew Tridgell
c972790249 s4-auth: removed unused variable dom_sid 2010-09-27 22:55:04 -07:00
Stefan Metzmacher
491102c1ce s4:gensec_tstream: remove plain socket handling
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Sep 28 04:54:24 UTC 2010 on sn-devel-104
2010-09-28 04:54:24 +00:00
Stefan Metzmacher
381f0fcd19 s4:gensec: add gensec_create_tstream()
Based on the initial patch from Andreas Schneider <asn@redhat.com>.

metze
2010-09-28 03:48:11 +02:00
Andrew Tridgell
06274bd870 s4-gensec: fixed a valgrind error in gensec
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-26 21:12:09 -07:00
Stefan Metzmacher
80f8419ef2 s4:schannel: handle move flag combinations in the server
This fixes some testsuites in the CIFS plugfest.

metze
2010-09-26 09:40:36 +02:00
Andrew Tridgell
7dbfeb0dc0 s4-auth: fixed the SID list for DCs in the PAC
the S-1-5-9 SID is added in the PAC by the KDC, not on the server that
receives the PAC

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
2010-09-26 07:09:08 +00:00
Andrew Bartlett
0b5a556b76 s4-kerberos Don't segfault if the password isn't specified in keytab generation
Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sun Sep 26 03:29:34 UTC 2010 on sn-devel-104
2010-09-26 03:29:34 +00:00
Andrew Tridgell
781796c557 s4-pycredentials: avoid a tallloc_free on ref
with the new py object structure, we need to unlink not free
2010-09-25 10:38:44 -07:00
Andrew Bartlett
c9b19d9b69 s4-kerberos Rework keytab handling to export servicePrincipalName entries
This creates keytab entries with all the servicePrincipalNames listed
in the secrets.ldb entry.

Andrew Bartlett
2010-09-24 15:07:56 +10:00
Andrew Bartlett
f03913e2cc s4-kerberos Move 'set key into keytab' code out of credentials.
This code never really belonged in the credentials layer, and
is easier done with direct access to the ldb_message that is
in secrets.ldb.

Andrew Bartlett
2010-09-24 09:25:44 +10:00
Andrew Bartlett
f9698cfc97 s4-kerberos Fix kerberos_enctype_bitmap_to_enctypes()
The previous code never worked

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:43 +10:00
Andrew Tridgell
7a05e04dfc s4-gensec: fixed a client side bug in GENSEC/SASL/SSF negotiation
this is the client side equivalent change for the previous fix

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-23 07:17:57 +00:00
Andrew Tridgell
bf1f2d4eb8 s4-gensec: prevent a double free in the error path of GSSAPI auth
the caller frees mem_ctx, so we shouldn't

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-23 07:17:57 +00:00
Andrew Tridgell
202525db13 s4-gensec: fixed a GSSAPI SASL negotiation bug
Fixed a bug that affected mismatched negotiation between the GSSAPI
layer and the SASL SSF subsequent negotiation. This caused some ldap
clients to hang when trying to authentication with a Samba LDAP
server. The client thought the connection should be signed, the server
thought it should be in plain text

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-23 07:17:57 +00:00
Jelmer Vernooij
7378b6d2a2 s4-selftest: Move credentials tests to standard python directory. 2010-09-22 22:29:09 -07:00
Jelmer Vernooij
1c3c9a483b s4-param: Fix more memory leaks, invalid memory context. 2010-09-22 17:48:24 -07:00
Jelmer Vernooij
3fea9df85a s4-param: Check type when converting python object to lp_ctx, fix some
memory leaks.
2010-09-22 17:48:23 -07:00
Jelmer Vernooij
63031a2a78 pygensec: Implement start_mech_by_name(). 2010-09-22 17:48:23 -07:00
Jelmer Vernooij
e12e661f35 s4-selftest: Move more tests to scripting/python, simplifies running of tests. 2010-09-21 22:54:38 -07:00
Andrew Bartlett
6832d5e933 libcli/auth/ntlmssp Be clear about talloc parents for session keys
The previous API was not clear as to who owned the returned session key.
This fixes a valgrind-found use-after-free in the NTLMSSP key derivation code,
and avoids making allocations - we steal and zero instead.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-16 21:09:17 +10:00
Andrew Tridgell
89827af525 s4-kerberos: obey the credentials setting for forwardable tickets
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 16:08:46 +10:00
Andrew Tridgell
efb37a5b8c s4-pycredentials: expose forwardable setting via python
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 16:08:46 +10:00
Andrew Tridgell
6a82997285 s4-credentials: added ability to control forwardable attribute on krb5 tickets
with the latest bind9 nsupdate, we need to be able to control if the
ticket we use is forwardable

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 16:08:46 +10:00
Andrew Tridgell
5b02cf1eb0 s4-auth: allow multiple active auth backends
when we are an RODC we need to be able to allow multiple auth backends
to process a single auth request. First the sam backend will try to
authenticate, using locally stored passwords. If this backend can't
find local passwords then it will try the winbind backend and
authenticate via a writeable DC

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15 15:39:34 +10:00
Andrew Tridgell
13a8745cae s4-rodc: add a trigger message for REPL_SECRET to auth_sam
when an RODC tries to authenticate against an account and the account
has no password information it needs to send a message to the drepl
server to tell it to try and replicate the secret information from
a writeable DC

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15 15:39:34 +10:00
Volker Lendecke
ba726b5580 s4: Fix two typos 2010-09-14 22:26:17 -07:00
Andrew Bartlett
e13ed6fc78 s4:gensec Put the "NTLM" string for NTLMSSP's SASL name in a header 2010-09-11 22:32:43 +10:00
Andrew Tridgell
837230f85e s4-credentials: get all attributes in cli_credentials_set_secrets()
This ensures we get whenChanged, which is needed by the s3 winbind
code to ensure we don't repeatedly try to change the password
2010-09-11 22:32:43 +10:00
Stefan Metzmacher
8202cf7966 s4:auth_winbind: use irpc_binding_handle_by_name()
metze
2010-09-03 17:01:56 +02:00
Stefan Metzmacher
705f4c2056 s4:auth_winbind: remove unused winbind_samba3 backend
This uses the winbind protocol directly, which needs to be avoided!

metze
2010-09-03 17:00:16 +02:00
Stefan Metzmacher
0f35d51ab6 s4:auth_winbind: fix segfault in winbind_check_password_wbclient()
We should only look at err if WBC_ERR_AUTH_ERROR is returned.

metze
2010-09-03 16:53:35 +02:00
Stefan Metzmacher
5b0e0acc81 s4:auth_winbind: fix compiler warnings
metze
2010-09-03 13:40:00 +02:00
Andrew Tridgell
cecc58e058 s4-auth: make the disabled acct messages a bit less verbose
raise the debug level

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-02 13:37:08 +10:00
Matthias Dieter Wallnöfer
e4afcd62bc s4:credentials_krb5.c - quiet a Solaris warning 2010-08-27 19:11:44 +02:00
Matthias Dieter Wallnöfer
53a3234703 s4:ntlm/auth.c - add a whitespace in a debug output 2010-08-26 21:06:07 +02:00
Andrew Bartlett
6cf29b3e4f s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid
This makes the structure much more like NT_USER_TOKEN in the source3/
code.  (The remaining changes are that privilages still need to be merged)

Andrew Bartlett
2010-08-23 08:50:55 +10:00
Andrew Bartlett
23dc2e4244 s4:auth Change {anonymous,system}_session to use common session_info generation
This also changes the primary group for anonymous to be the anonymous
SID, and adds code to detect and ignore this when constructing the token.

Andrew Bartlett
2010-08-18 09:50:45 +10:00
Andrew Bartlett
2ceb3d8d35 s4:auth Avoid doing database lookups for NT AUTHORITY users 2010-08-18 09:50:45 +10:00
Andrew Bartlett
ba52834dd9 s4:auth Remove system_session_anon() from python bindings 2010-08-18 09:50:44 +10:00
Andrew Bartlett
a68a5592c5 s4:auth Remove the system:anonymous parameter used for the LDAP backend
This isn't needed any more, and just introduces complexity.
2010-08-18 09:50:44 +10:00
Andrew Bartlett
d99ff145ae s4:auth Remove special case constructor for admin_session()
There isn't a good reason why this code is duplicated.

Andrew Bartlett
2010-08-18 09:50:44 +10:00
Andrew Bartlett
7c6ca95bec s4:security Remove use of user_sid and group_sid from struct security_token
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-18 09:50:38 +10:00
Andrew Bartlett
272e49e85c s4:auth Move struct auth_usersupplied_info to a common location
This also changes the calling convention slightly - we should always
allocate this with talloc_zero() to allow some elements to be
optional.  Some elements may only make sense in Samba3, which I hope
will use this common structure.

Andrew Bartlett
2010-08-14 11:58:13 +10:00
Andrew Bartlett
75adca63f2 libcli/auth Make the source3/ implementation of the NTLMSSP server common
This means that the core logic (but not the initialisation) of the
NTLMSSP server is in common, but uses different authentication backends.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-10 16:22:04 +02:00
Andrew Bartlett
1e83b36afb libcli/auth Move some source3/ NTLMSSP functions to the common code.
libcli/auth Use true and false rather than True and False in common code

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-10 11:56:33 +02:00
Andrew Tridgell
56db40d5fd s4-build: use @PACKAGE_VERSION@ in s4 pc.in files
this gets replaced by vnum from the build rule
2010-08-09 12:27:23 +10:00
Andrew Bartlett
4b47245a9d s4:ntlmssp Merge more aspects of the source3/ NTLMSSP layer
This changes the talloc treatment of the session keys to avoid
memory duplication - the session key has always been allocated
onto the ntlmssp_context by the auth subsystem callback.

The remainder of the changes are cosmetics, such as avoiding
using lm_session_key as a pointer (and avoiding then doing an
if statement on something that is always true).

Andrew Bartlett
2010-08-07 18:56:35 +10:00
Andrew Bartlett
6644f48d72 s4:ntlmssp Re-add gensec_ntlmssp wrapper to allow merge with source3/
By re-adding this wrapper, the actual guts of these functions are now very
similar to that found in source3/libsmb/ntlmssp.c

This should make it easier to merge the implementations.

Andrew Bartlett
2010-08-07 18:39:48 +10:00
Andrew Bartlett
1979486c8e s4:ntlmssp Always setup the session keys and signing state
While it would save some CPU to only setup the session key when
requested (like windows does), this instead matches the
implementation in source3/libsmb/ntlmssp.c

We could re-add this later after the codebase is merged.

Andrew Bartlett
2010-08-07 18:39:47 +10:00
Andrew Bartlett
a2607a62f3 s4:ntlmssp Adjust Samba4 ntlmssp code to look more like the code in Samba3.
This does not change behaviour, and some of the whitespace isn't ideal, but
at the moment making this code more similar, even in cosmetics, will assist
later merge efforts.

Andrew Bartlett
2010-08-06 16:14:11 +10:00
Andrew Tridgell
6b266b85cf s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 18:24:27 +10:00
Nadezhda Ivanova
ee56f74cae Fixed system_session_anon to actually make an anonymous session
It seems that because the flag is false, this always used the supplied credentials
rhather than establish anonymous connection.
2010-07-14 10:30:40 +03:00
Matthias Dieter Wallnöfer
bf844aed5b s4:auth/session.c - suppress a warning when freeing "group_string" 2010-06-30 09:38:12 +02:00
Anatoliy Atanasov
2821abee1f s4:auth/session.c - free "group_string" when not needed
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-06-30 09:17:06 +02:00
Matthias Dieter Wallnöfer
2198831e6b Revert "s4/auth: Fixed authsam_expand_nested_groups() to find entry SID if not available in the DN."
This reverts commit fa9557fee3.

See post "Endi's Bug 7530 patches (LDAP backend)" on samba-technical.
2010-06-29 15:14:01 +02:00
Andrew Bartlett
f41e711097 s4:auth Query LDB for msds-SupportedEncryptionTypes for the KDC
The KDC needs this to determine what encryption types an entry supports

Andrew Bartlett
2010-06-29 16:59:30 +10:00
Andrew Bartlett
5167b97ff2 s4:kerberos Add functions to convert msDS-SupportedEncryptionTypes
This will allow us to interpret this attibute broadly in Samba.

Andrew Bartlett
2010-06-29 16:59:30 +10:00
Andrew Bartlett
94637e5fe4 s4:provision Add an msDS-SupportedEncryptionTypes entry to our DC
This ensures that our DC will use all the available encyption types.

(The KDC reads this entry to determine what the server supports)

Andrew Bartlett
2010-06-29 16:59:22 +10:00
Matthias Dieter Wallnöfer
b6eb17eb1e s4:auth/sam.c - "authsam_expand_nested_groups" - small performance improvement
We can save one search operation if "only_childs" is false and when we had no
SID passed as extended DN component.
2010-06-28 20:31:37 +02:00
Matthias Dieter Wallnöfer
a782eaa2fd s4:auth/sam.c - "authsam_expand_nested_groups" - cosmetic/comments 2010-06-28 20:31:37 +02:00
Matthias Dieter Wallnöfer
03ffed73db s4:auth/sam.c - "authsam_expand_nested_groups" - use "dsdb_search_dn" where possible
And always catch LDB errors
2010-06-28 20:31:37 +02:00
Endi S. Dewata
fa9557fee3 s4/auth: Fixed authsam_expand_nested_groups() to find entry SID if not available in the DN.
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-06-28 19:33:44 +02:00
Matthias Dieter Wallnöfer
0f45536279 s4:auth/gensec/gensec_gssapi.c - reorder constructor
To have the same order as in the structure definition.
2010-06-24 15:13:40 +02:00
Andrew Tridgell
4cb423f527 s4-python: python is not always in /usr/bin
Using "#!/usr/bin/env python" is more portable. It still isn't ideal
though, as we should really use the python path found at configure
time. We do that in many places already, but some don't.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-24 18:46:57 +10:00
Wilco Baan Hofman
3895b8fbf8 Revert "Add old functionality back which was removed in commit 589a42e2."
This reverts commit 94e3b4a0d8b714c101803886d60ae6c484740d2f.

Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-06-20 17:19:12 +02:00
Wilco Baan Hofman
626db5c3b5 Add old functionality back which was removed in commit 589a42e2.
Andrew, please review!

Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-06-20 17:19:10 +02:00
Jelmer Vernooij
c92db7b6dc python: Use samba.tests.TestCase, make sure base class tearDown and
setUp methods are called, fix formatting.
2010-06-19 22:46:45 +02:00
Jelmer Vernooij
e27ef3dd6d ldb: Only build standard ldb modules when building bundled ldb. 2010-06-15 13:15:50 +02:00
Jelmer Vernooij
51058213cb s4-test: Use smb.conf path set in environment rather than using
command-line options.

This is the first step towards supporting custom test runners.
2010-06-13 18:19:03 +02:00
Andrew Bartlett
fdc6db34ca s4:ntlmssp Use common code for ntlmssp_sign.c
The common code does not have a mem_ctx on ntlmssp_check_packet() and
ntlmssp_unseal_packet().

We do however need some internal working of the code exposed, so some
structures are moved to ntlmssp_sign.h

Andrew Bartlett
2010-06-01 17:11:24 +10:00
Andrew Bartlett
38a26f1073 s4:ntlmssp Use the new common ntlmssp.h 2010-06-01 17:11:24 +10:00
Andrew Bartlett
bc8d12e593 s4:ntlmssp Merge ntlmssp structures with version from source3/
Use this as an excuse to get rid of ntlmssp_set_domain() etc, which
don't do anything useful now that msrpc_parse() use talloc anyway.

Andrew Bartlett
2010-06-01 17:11:24 +10:00
Jelmer Vernooij
82d56b9374 ldb: Fix dependencies when building with system ldb. 2010-05-31 19:22:03 +02:00
Matthias Dieter Wallnöfer
9bfd2c8ebc s4:auth/credentials/credentials.c - initialise "password_last_changed_time"
Otherwise it could remain uninitialised.
2010-05-30 11:12:24 +02:00
Jeremy Allison
2a91b00b92 Add in support for the NTLMSSP version reply.
Jeremy.
2010-05-24 11:03:42 -07:00
Andrew Bartlett
82c97e0ab8 s4:auth Remove un-needed headers. 2010-05-21 16:38:44 +10:00
Andrew Bartlett
9453a0f88f s4:auth Fix previous commit - segfault in determinging a user's groups
The previous commit didn't include these vital fixes.

Andrew Bartlett
2010-05-21 16:01:34 +10:00
Andrew Bartlett
91807d9dd5 s4:auth Error out when a memberOf DN does not have a SID
We previously segfaulted if this was not the case.

Andrew Bartlett
2010-05-21 15:04:19 +10:00
Andrew Bartlett
a0b0dc16a6 s4:auth handle addition of nested aliases of domain groups.
The challenge here is that we are asked not to add the domain groups
again, but we need to search inside them for any aliases that we need
to add.  So, we can't short-circuit the operation just because we found
the domain group.

Andrew Bartlett
2010-05-20 17:39:10 +10:00
Andrew Bartlett
9c6b637ce8 s4:auth Change auth_generate_session_info to take flags
This allows us to control what groups should be added in what use
cases, and in particular to more carefully control the introduction of
the 'authenticated' group.

In particular, in the 'service_named_pipe' protocol, we do not have
control over the addition of the authenticated users group, so we key
of 'is this user the anonymous SID'.

This also takes more care to allocate the right length ptoken->sids

Andrew Bartlett
2010-05-20 17:39:10 +10:00
Andrew Bartlett
3ff2766231 s4:auth Push check for messaging context into winbind backend
If we don't use the winbind backend, we don't (for now) need a
messaging context- and we don't have one in LDB at the moment.

Andrew Bartlett
2010-05-20 17:39:10 +10:00
Andrew Bartlett
feb9ffdac8 s4:auth Add dependency from the operational module onto auth
We had to split up the auth module into a module loaded by main deamon
and a subsystem we manually init in the operational module.

Andrew Bartlett
2010-05-20 17:39:10 +10:00
Andrew Bartlett
72ccbcacdd s4:auth Allow the operational module to get a user's tokenGroups from auth
This creates a new interface to the auth subsystem, to allow an
auth_context to be created from the ldb, and then tokenGroups to be
calculated in the same way that the auth subsystem would.

Andrew Bartlett
2010-05-20 17:39:10 +10:00
Andrew Bartlett
5f9024c8a4 s4:auth Move BUILTIN group addition into session.c
The group list in the PAC does not include 'enterprise DCs' and
BUILTIN groups, so we should generate it on each server, not in the
list we pass around in the PAC or SamLogon reply.

Andrew Bartlett
2010-05-20 17:39:09 +10:00
Jelmer Vernooij
b8268cf7b0 s3: Remove use of iconv_convenience. 2010-05-18 11:45:31 +02:00
Jelmer Vernooij
f9ca9e46ad Finish removal of iconv_convenience in public API's. 2010-05-18 11:45:30 +02:00
Andrew Bartlett
b183a30b2b s4:credentials Add in tracking of the password last set time
We perhaps need a more general API here, but for now extend the
credentials API to return the password last changed time that the
s3compat layer will need.

Andrew Bartlett
2010-05-18 13:20:22 +10:00
Andrew Bartlett
00b985def8 s4:auth Make it clear to the callers the talloc lifetime.
In other times, we might have used talloc_reference here, but this
isn't used as much these days.

Andrew Bartlett
2010-05-18 13:20:07 +10:00
Andrew Bartlett
b5dc394962 s4:gensec expose gensec_set_target_principal for use outside GENSEC
This allows for the rare case where the caller knows the target
principal.  The check for lp_client_use_spnego_principal() is moved to
the spengo code to make this work.

Andrew Bartlett
2010-05-14 23:25:45 +10:00
Andrew Bartlett
bb2f7e3aee s4:credentials Allow setting of an empty Kerberos CCACHE
This allows us to tell the credentials code where we want the
credentials put.

Andrew Bartlett
2010-05-14 23:25:45 +10:00
Andrew Bartlett
44e7ea6927 s4:credentials Make the CCACHE in credentials depend on the things that built it
This means that we consider the ccache only as reliable as the least
specified of the inputs we used.

This means that we will regenerate the ccache if any of the inputs change.

Andrew Bartlett
2010-05-02 06:54:23 +10:00
Andrew Bartlett
1ae9044b8e s4:gensec Use a different form of 'name' in GSSAPI import_name()
The idea here is to make it not dependent on the system's default
realm.

Andrew Bartlett
2010-04-27 16:41:51 +10:00
Andrew Bartlett
8c61477153 s4:kerberos Give a better error message than "Could not allocate memory"
Andrew Bartlett
2010-04-27 16:41:51 +10:00
Andrew Tridgell
f1c523939b pytalloc: ensure talloc_ctx is directly after PyObject_HEAD
the talloc python interface for tp_alloc and tp_dealloc relies on a
cast to a py_talloc_Object to find the talloc_ctx (see
py_talloc_dealloc). This means we rely on the talloc_ctx for the
object being directly after the PyObject_HEAD

This fixes the talloc free with references bug in samba_dnsupdate

The actual problem was the tp_alloc() call in
PyCredentialCacheContainer_from_ccache_container() which used a cast
from a py_talloc_Object to a PyCredentialCacheContainerObject. That
case effectively changed the parent/child relationship between the
talloc_ctx and the ccc ptr.

This patch changes all the structures that follow this pattern to put
the TALLOC_CTX directly after the PyObject_HEAD, to ensure that if
anyone else decides to do a dangerous cast like this that it won't
cause the same sort of subtle breakage.

Pair-Programmed-With: Rusty Russell <rusty@samba.org>
2010-04-20 15:50:27 +10:00
Andrew Tridgell
e6cbbd9640 s4-python: PyErr_SetString() will crash on NULL strings
use nt_errstr() when no error available
2010-04-19 16:34:14 +10:00
Andrew Bartlett
589a42e2da s4:auth Change auth_generate_session_info to take an auth context
The auth context was in the past only for NTLM authentication, but we
need a SAM, an event context and and loadparm context for calculating
the local groups too, so re-use that infrustructure we already have in
place.

However, to avoid problems where we may not have an auth_context (in
torture tests, for example), allow a simpler 'session_info' to be
generated, by passing this via an indirection in gensec and an
generate_session_info() function pointer in the struct auth_context.

In the smb_server (for old-style session setups) we need to change the
async context to a new 'struct sesssetup_context'.  This allows us to
use the auth_context in processing the authentication reply .

Andrew Bartlett
2010-04-14 10:30:51 +10:00
Andrew Bartlett
4e2384e242 s4:auth Allow the simple 'struct auth_session_info' generator for all users
This code isn't ideal, but it is better than needing to consult the
main SamDB in things like a torture test.

Andrew Bartlett
2010-04-14 10:28:35 +10:00
Matthias Dieter Wallnöfer
1bd4735d87 s4:auth/auth_sam_reply.c - fix counter types 2010-04-12 18:49:01 +02:00
Stefan Metzmacher
2a727ef6e7 lib/replace/wscript: inline LIBREPLACE_EXT into 'replace' as the autoconf system does
metze
2010-04-12 12:31:14 +02:00
Andrew Bartlett
2c193fe91a s4:auth Remove event context from anonymous_session()
This should always return a simple structure with no need to consult a
DB, so remove the event context, and simplfy to call helper functions
that don't look at privilages.

Andrew Bartlett
2010-04-11 13:36:04 +10:00
Andrew Bartlett
aecaddfa1b s4:credentials Add the functions needed to do S4U2Self with cli_credentials
A torture test to demonstrate will be added soon.

Andrew Bartlett
2010-04-10 21:40:58 +10:00
Andrew Bartlett
18f0e24f55 s4:credentials talloc_free() any previous salt_principal
This isn't used often, but it is generally better not to leak it onto
what may be a longer-term context.

Andrew Bartlett
2010-04-10 21:40:58 +10:00
Jelmer Vernooij
814e20e7da pynet: Create a net class. 2010-04-08 23:22:55 +02:00
Matthias Dieter Wallnöfer
b7b464eeee s4:auth/ntlm/auth_developer.c - "fixed_challenge_get_challenge" - fix the assignment of the challenge
This is a string buffer and not a DATA_BLOB.
2010-04-06 14:54:10 +02:00