samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2025-02-14 01:57:53 +03:00

Author	SHA1	Message	Date
Stefan Metzmacher	541d687347	auth: let auth4_context->check_ntlm_password() return pauthoritative BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2017-03-24 11:57:10 +01:00
Stefan Metzmacher	4af89d534d	auth4: let auth_check_password* return pauthoritative BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2017-03-24 11:57:09 +01:00
Stefan Metzmacher	2b685ffe04	auth4: add auth_context_create_for_netlogon() For now it's the same as auth_context_create(), but this will change the in the next commits. BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2017-03-24 11:57:09 +01:00
Stefan Metzmacher	c173b4e3ef	auth4: make auth_check_password_wrapper() static BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2017-03-24 11:57:09 +01:00
Stefan Metzmacher	03b5585709	auth4: add TODO comment on the auth_sam_trigger_repl_secret msDS-NeverRevealGroup interaction Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2017-03-24 11:57:08 +01:00
Andreas Schneider	2dd4887648	s4:gensec_gssapi: Correctly handle external trusts with MIT BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>	2017-03-10 11:37:22 +01:00
Andreas Schneider	3781eb2501	s4:gensec_gssapi: Use smb_krb5_get_realm_from_hostname() With credentials for administrator@FOREST1.EXAMPLE.COM this patch changes the target_principal for the ldap service of host dc2.forest2.example.com from ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM to ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM should be used in order to allow the KDC of FOREST1.EXAMPLE.COM to generate a referral ticket for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM. The problem is that KDCs only return such referral tickets if there's a forest trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM. If there's only an external domain trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM. In the case of an external trust the client can still ask explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and the KDC of FOREST1.EXAMPLE.COM will generate it. From there the client can use the krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM ticket and ask a KDC of FOREST2.EXAMPLE.COM for a service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM. With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as target principal. As _krb5_get_cred_kdc_any() first calls get_cred_kdc_referral() (which always starts with the client realm) and falls back to get_cred_kdc_capath() (which starts with the given realm). MIT krb5 only tries the given realm of the target principal, if we want to autodetect support for transitive forest trusts, we'll have to do the fallback ourself. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>	2017-03-10 11:37:22 +01:00
Andreas Schneider	bf6358bf03	s4:gensec_gssapi: Move setup of service_principal to update function BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>	2017-03-10 11:37:21 +01:00
Andreas Schneider	8f7c452942	s4:gensec-gssapi: Create a helper function to setup server_principal BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>	2017-03-10 11:37:21 +01:00
Lumir Balhar	64bc64ce64	python: samba.gensec: Port module to Python 3 compatible form Port samba.gensec and samba.tests.gensec modules to Python 3 compatible form, enable execution of tests with Python 3 and remove unused import of samba.gensec from samba.tests module __init__.py file. Signed-off-by: Lumir Balhar <lbalhar@redhat.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>	2017-03-10 07:31:12 +01:00
Lumir Balhar	0672fc145a	python: samba.gensec: Fix error handling in set_credentials() function Add `return NULL;` to error handling part of `set_credentials()` function. Signed-off-by: Lumir Balhar <lbalhar@redhat.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>	2017-03-10 07:31:12 +01:00
Lumir Balhar	1ac5bf21a1	python: samba.auth: Port samba.auth to Python 3 compatible form Port samba.auth Python module to Python 3 compatible form and enable tests execution with Python 3. Signed-off-by: Lumir Balhar <lbalhar@redhat.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>	2017-03-10 07:31:11 +01:00
Volker Lendecke	7d3c197e61	auth_winbind4: Correctly handle !authoritative Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2017-03-10 03:28:26 +01:00
Volker Lendecke	3078b9fd9a	auth4: Remove an unused struct declaration Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-03-06 19:19:18 +01:00
Volker Lendecke	2104f45314	auth4: Move a variable closer to its use Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-03-06 19:19:18 +01:00
Volker Lendecke	65e4e8160a	auth4: Reduce indentation level by an early error return Just cosmetics for easier readability, no code change Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-02-28 10:01:14 +01:00
Volker Lendecke	6d4acc8cd6	auth4: Only use CrackNames if we're a DC DsCrackNameOneName on a member does not really have a big user database. We should delegate as much responsibility as possible to our DC. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-02-28 10:01:14 +01:00
Volker Lendecke	5a6f3fcf81	auth4: Fix map_user_info_cracknames for domain==NULL DsCrackNameOneName directly fails for DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT if the name passed in does not contain a \. The only caller of map_user_info_cracknames (auth_check_password_send) passes in lpcfg_workgroup(), which does not contain a \. Add in the \ also for the default_domain case. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-02-28 10:01:13 +01:00
Chris Lamb	1134f4f177	Correct "cleint" typos. Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>	2017-02-22 08:26:23 +01:00
Chris Lamb	db3dd6fb5f	Correct "specifiy" typos. Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>	2017-02-22 08:26:23 +01:00
Andreas Schneider	e467eefb10	gensec: Cast data for MIT Kerberos correctly In Heimdal the data pointer is a void pointer so casting to 'char *' is not an issue. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2017-01-12 15:35:12 +01:00
Andreas Schneider	9b263c5778	gensec: Fix picky developer with MIT Kerberos Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2017-01-12 15:35:12 +01:00
Stefan Metzmacher	4b295b106c	wscript: remove executable bits for all wscript* files These files should not be executable. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144	2017-01-11 20:21:01 +01:00
Stefan Metzmacher	3a870baee8	s4:gensec_gssapi: require a realm in gensec_gssapi_client_start() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-01-10 13:54:17 +01:00
Stefan Metzmacher	48bcca566e	s4:gensec_gssapi: the value gensec_get_target_principal() should overwrite gensec_get_target_hostname() If gensec_get_target_principal() has a value, we no longer have to verify the gensec_get_target_hostname() value, it can be just an ipadress. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-01-10 13:54:17 +01:00
Stefan Metzmacher	ea0c35fbd1	s4:auth/gensec: remove unused dependencies to gensec_util gensec_util only contains gensec_tstream and is already a public_dep of 'gensec' itself. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-01-10 13:54:17 +01:00
Volker Lendecke	efb5f38f1f	auth4: Use "all_zero" where appropriate ... Saves a few bytes of footprint Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>	2017-01-03 16:04:29 +01:00
Andreas Schneider	fd98174443	auth/gensec: Fix typo in log message Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2016-12-24 17:16:06 +01:00
David Mulder	99d8788028	auth/gensec: Remove unneeded cli_credentials_set_conf() call The cli_credentials_set_client_gss_creds() will set the correct realm from the gss creds. Pair-Programmed-With: Andreas Schneider <asn@samba.org> Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: David Mulder <dmulder@suse.com> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>	2016-12-24 17:16:06 +01:00
Stefan Metzmacher	6459543b5a	CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default This disabled the usage of GSS_C_DELEG_FLAG by default, as GSS_C_DELEG_POLICY_FLAG is still used by default we let the KDC decide if we should send delegated credentials to a remote server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Simo Sorce <idra@samba.org>	2016-12-20 07:51:14 +01:00
Garming Sam	683fcad3ca	doc: Add doxygen for functions in srv_keytab.c Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10882	2016-11-22 02:10:16 +01:00
Garming Sam	b02da11498	s4-auth: Don't check for NULL saltPrincipal if it doesn't need it This check causes 4.1 domains to be unable to change their DNS backend correctly as they do not have the saltPrincipal value stored. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10882 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-11-22 02:10:16 +01:00
Stefan Metzmacher	558e78c7e3	s4:gensec_gssapi: We need to use the users realm in the target_principal This is important in order to let the kdc of the users realm start with the trust referral routing. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2016-11-15 11:00:26 +01:00
Stefan Metzmacher	f0afefefe4	s4:gensec_gssapi: pass gss_got_flags to gssapi_get_sig_size() We need to calculate the signature length based on the negotiated flags. This is most important on the server side where, gss_accept_sec_context() doesn't get gss_want_flags, but fills gss_got_flags. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2016-10-26 11:20:12 +02:00
Stefan Metzmacher	cca980eb51	s4:gensec_krb5: also report support for GENSEC_FEATURE_SIGN as krb5_mk_priv() provides sign and seal Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2016-10-26 11:20:12 +02:00
Andreas Schneider	28eae08ef7	gensec_krb5: Implement smb_krb5_rd_req_decoded() with MIT Kerberos Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Thu Sep 29 11:56:41 CEST 2016 on sn-devel-144	2016-09-29 11:56:41 +02:00
Andreas Schneider	64b2b0dacd	gensec_krb5: Create a MIT Kerberos gensec_krb5_session_info() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>	2016-09-29 08:02:18 +02:00
Volker Lendecke	0a42a4c14b	wbclient: "ev" is no longer used in wbc_sids_to_xids Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2016-09-28 00:04:36 +02:00
Andreas Schneider	4a8b588dc0	gensec_krb5: Do not leak memory of target_principal CID 1372504 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri Sep 9 04:20:04 CEST 2016 on sn-devel-144	2016-09-09 04:20:04 +02:00
Andreas Schneider	2ac297562f	krb5_wrap: Rename kerberos_kinit_s4u2_cc() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:16 +02:00
Andreas Schneider	696cfcb3c0	krb5_wrap: Rename kerberos_kinit_password_cc() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:16 +02:00
Andreas Schneider	15c5dd700c	krb5_wrap: Rename kerberos_kinit_keyblock_cc() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:16 +02:00
Andreas Schneider	1877950250	krb5_wrap: Rename get_krb5_smb_session_key() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:14 +02:00
Andreas Schneider	e8632e2af5	krb5_wrap: Rename kerberos_free_data_contents() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:13 +02:00
Andreas Schneider	81917a1162	krb5_wrap: Rename setup_kaddr() Use a better and consistent name and switch the arguments to reflect the name. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:13 +02:00
Andreas Schneider	faa3bef690	gensec_krb5: Use get_krb5_smb_session_key() in gensec_krb5_session_key() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Aug 30 15:24:02 CEST 2016 on sn-devel-144	2016-08-30 15:24:02 +02:00
Andreas Schneider	7f9a075d9c	gensec_krb5: Use implementation idependent krb5_mk_req_extended() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00
Andreas Schneider	739a7adaef	gensec_krb5: Use kerberos_free_data_contents() to free krb5 data Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00
Andreas Schneider	8268501972	gensec_krb5: Only set the event context with Heimdal Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00
Andreas Schneider	7ea7b60649	gensec_krb5: Use krb5_wrap setup_kaddr() to convert address Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00

1 2 3 4 5 ...

1848 Commits