mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00
Commit Graph

172 Commits

Author SHA1 Message Date
Stefan Metzmacher
e9dddc55e3 s3:libsmb: use 16 zero bytes as channel binding checksum in the gssapi checksum (bug #7883)
This fixes SMB session setups with kerberos against some closed
source SMB servers.

The new behavior matches heimdal and mit.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Dec 23 09:38:43 CET 2010 on sn-devel-104
2010-12-23 09:38:43 +01:00
Volker Lendecke
2d8b65066e s3: Remove two talloc_autofree_context() calls
Both allocated blobs are freed in their routines
2010-09-26 03:29:28 +02:00
Andrew Bartlett
3b4db34011 s3-krb5 Fix Kerberos on FreeBSD with Samba4 DCs
The idea of this patch is: Don't support a mix of different kerberos
features.

Either we should prepare a GSSAPI (8003) checksum and mark the request as
such, or we should use the old behaviour (a normal kerberos checksum of 0 data).

Sending the GSSAPI checksum data, but without marking it as GSSAPI broke
Samba4, and seems well outside the expected behaviour, even if Windows accepts it.

Andrew Bartlett
2010-09-11 18:46:13 +10:00
Günther Deschner
85b8d7c605 s3-kerberos: try to fix the build w/o kerberos support.
Guenther
2010-08-30 16:03:17 +02:00
Andrew Bartlett
71d80e6be0 s3-krb5 Only build ADS support if arcfour-hmac-md5 is available
Modern Kerberos implementations have either defines or enums for these
key types, which makes doing #ifdef difficult.  This shows up in files
such as libnet_samsync_keytab.c, the bulk of which is not compiled on
current Fedora 12, for example.

The downside is that this makes Samba unconditionally depend on the
arcfour-hmac-md5 encryption type at build time.  We will no longer
support libraries that only support the DES based encryption types.
However, the single-DES types that are supported in common with AD are
already painfully weak - so much so that they are disabled by default
in modern Kerberos libraries.

If not found, ADS support will not be compiled in.

This means that our 'net ads join' will no longer set the
ACB_USE_DES_KEY_ONLY flag, and we will always try to use
arcfour-hmac-md5.

A future improvement would be to remove the use of the DES encryption
types totally, but this would require that any ACB_USE_DES_KEY_ONLY
flag be removed from existing joins.

Andrew Bartlett

Signed-off-by: Simo Sorce <idra@samba.org>
2010-08-13 09:08:27 -04:00
Günther Deschner
257a1f1097 s3-krb5: include krb5pac.h where needed.
Guenther
2010-08-06 15:43:37 +02:00
Jeremy Allison
5912206606 Fix bug 7583 - Smbclient fails to kerberos connect to an Alfresco JLAN CIFS Server
Correctly calculate the gssapi channel binding checksum.

Jeremy

Signed off by: simo <idra@samba.org>
2010-07-23 10:54:46 -07:00
Simo Sorce
26f1218a36 s3-libsmb: Use data_blob_talloc to get krb5 ticket and session keys
2010-07-20 20:02:09 -04:00
Simo Sorce
8137f2d7e7 misc: cleanup get_krb5_smb_session_key()
2010-07-20 20:02:06 -04:00
Simo Sorce
e8460b4ebc misc: cleanup cli_krb5_get_ticket()
2010-07-20 20:01:58 -04:00
Björn Jacke
a973eb1968 s3: fix build on Heimdal based systems like NetBSD5
2010-06-05 02:15:29 +02:00
Günther Deschner
614e010daa s3: remove authdata.h
Guenther
2010-06-03 11:00:27 +02:00
Günther Deschner
da79cbb080 s3-kerberos: add a missing reference to authdata headers.
Guenther
2009-11-27 18:52:32 +01:00
Günther Deschner
04f8c229de s3-kerberos: only use krb5 headers where required.
This seems to be the only way to deal with mixed heimdal/MIT setups during
merged build.

Guenther
2009-11-27 16:36:00 +01:00
Günther Deschner
1a8f838274 s3-kerberos: Fix Bug #6929: build with recent heimdal.
Heimdal changed the KRB5_DEPRECATED define (which now may not take an identifier
for activation) in new releases (like 1.3.1).

Guenther
2009-11-27 01:40:35 +01:00
Günther Deschner
0f8bf47d94 s3-kerberos: avoid using ERROR_TABLE_BASE_krb5 without checking.
Guenther
2009-11-12 15:50:37 +01:00
Günther Deschner
b4e40958b7 s3-kerberos: add smb_krb5_principal_get_realm().
Guenther
2009-11-12 10:22:39 +01:00
Günther Deschner
440db5a94e Revert "s3-kerberos: add smb_krb5_parse_name_flags()."
This reverts commit 17ef153b68.
2009-11-06 13:48:23 +01:00
Günther Deschner
9e48dc2b78 s3-kerberos: support S4U2SELF impersonation through cli_krb5_get_ticket().
Guenther
2009-11-06 13:35:20 +01:00
Günther Deschner
bb01aae1b9 s3-kerberos: use smb_krb5_get_credentials in ads_krb5_mk_req.
Guenther
2009-11-06 13:34:04 +01:00
Günther Deschner
60bf0eb607 s3-kerberos: modify cli_krb5_get_ticket to take a new impersonate_princ_s arg.
Guenther
2009-11-06 13:31:17 +01:00
Günther Deschner
35dcc133c9 s3-kerberos: add smb_krb5_get_{creds,credentials} incl. support for S4U2SELF impersonation.
Guenther
2009-11-06 12:43:03 +01:00
Günther Deschner
17ef153b68 s3-kerberos: add smb_krb5_parse_name_flags().
Guenther
2009-11-06 12:43:03 +01:00
Andrew Tridgell
a6e4cb500b s3: fixed krb5 build problem on ubuntu karmic
Karmic has MIT krb5 1.7-beta3, which has the symbol
krb5_auth_con_set_req_cksumtype but no prototype for it.

See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531635
2009-10-16 10:40:50 +11:00
Jeremy Allison
5f295eb6f5 More conversions of NULL -> talloc_autofree_context()
so we at least know when we're using a long-lived context.
Jeremy.
2009-07-16 18:28:58 -07:00
Jelmer Vernooij
b65ba0e26c clikrb5: Prefer krb5_free_keytab_entry_contents to krb5_kt_free_entry.
Both functions exist in MIT Kerberos >= 1.7, but only
krb5_free_keytab_entry_contents has a prototype.
2009-06-04 23:43:31 +02:00
Andrew Bartlett
574a6a8c35 s3:kerberos Rework smb_krb5_unparse_name() to take a talloc context
Signed-off-by: Günther Deschner <gd@samba.org>
2009-04-07 13:25:36 +02:00
Günther Deschner
1524abd8bf s3-krb5: Fix Coverity #722 (RESOURCE_LEAK).
Guenther
2009-03-20 10:41:44 +01:00
Jeremy Allison
0281166bb9 Don't miss an absolute pathname as a kerberos keytab path. From Glenn Machin <gmachin@sandia.gov>.
Jeremy.
2009-02-17 15:54:33 -08:00
todd stecher
989ad44d32 Memory leaks and other fixes found by Coverity
2009-01-21 17:13:03 -08:00
Günther Deschner
c0cf457c85 s3-asn1: make all of s3 asn1 code do a proper asn1_init() first.
Guenther
2008-10-22 21:37:36 +02:00
Günther Deschner
d9f1fff5b3 s3: use shared asn1 code.
Guenther
2008-10-22 21:37:36 +02:00
Jelmer Vernooij
cb78d4593b Cope with changed signature of http_timestring().
2008-10-11 23:57:44 +02:00
Jeremy Allison
3978317af0 Fix blocker bug 5745 kerberos authentication with (lib)smbclient is broken.
Jeremy.
(This used to be commit a59bd0e485)
2008-09-10 10:18:02 -07:00
Volker Lendecke
06dd647fe0 Remove a duplicate retval check
Jeremy, please check!
(This used to be commit 6579005e64)
2008-08-31 11:45:12 +02:00
Günther Deschner
bff20e14c3 kerberos: use KRB5_KT_KEY macro where appropriate.
Guenther
(This used to be commit a042dffd71)
2008-08-29 11:01:34 +02:00
Günther Deschner
0380fe9d82 kerberos: move the KRB5_KEY* macros to header file.
Guenther
(This used to be commit c28fa17fff)
2008-08-29 10:59:28 +02:00
Igor Mammedov
2597c97d3a Fix length error in wrapping spnego blob
(This used to be commit 16ee95494b)
2008-08-18 09:55:11 -07:00
Günther Deschner
c7257754cd fix build warning.
Guenther
(This used to be commit 85021d6a45)
2008-08-11 15:43:52 +02:00
Jeremy Allison
3acde0d747 One more build fix. Ensure we have KRB5_AUTH_CONTEXT_USE_SUBKEY defined before we compile the new code.
Jeremy.
(This used to be commit 7686752c5b)
2008-08-08 16:08:11 -07:00
Jeremy Allison
6d99eedafc Try and fix the build for systems that don't have krb5_auth_con_set_req_cksumtype().
Jeremy.
(This used to be commit 8598e7b06e)
2008-08-08 15:15:36 -07:00
Jeremy Allison
e8c7ff3e88 Add Derrick Schommer's <dschommer@F5.com> kerberos delegation patch. Some
work by me and advice by Love.
Jeremy.
(This used to be commit ecc3838e4c)
2008-08-08 14:32:15 -07:00
Stefan Metzmacher
70c2a5b02e clikrb5: don't use krb5_keyblock_init() when no salt is specified
If the caller wants to create a key with no salt we should
not use krb5_keyblock_init() (only used when using heimdal)
because it does sanity checks on the key length.

metze
(This used to be commit c83de77b75)
2008-08-04 13:52:18 +02:00
Jeremy Allison
23cafd02d3 Fix return of uninitialized variable.
Jeremy.
(This used to be commit 384052f546)
2008-06-26 13:19:40 -07:00
Günther Deschner
640a2972c5 kerberos: add smb_krb5_keytab_name().
Guenther
(This used to be commit c273ce8798)
2008-06-24 23:34:17 +02:00
Günther Deschner
0ac8c5d49a kerberos: make smb_krb5_kt_add_entry public, allow to pass keys without salting them.
Guenther
(This used to be commit 7c4da23be1)
2008-06-24 23:34:05 +02:00
Günther Deschner
fd288b4110 clikrb5: remove unrequired create_kerberos_key_from_string_direct() prototype.
Guenther
(This used to be commit ec86852fc6)
2008-06-17 19:51:52 +02:00
Tim Prouty
fb37f15600 Cleanup size_t return values in callers of convert_string_allocate
This patch is the second iteration of an inside-out conversion to cleanup
functions in charcnv.c returning size_t == -1 to indicate failure.
(This used to be commit 6b189dabc5)
2008-05-20 22:40:13 +02:00
Günther Deschner
c1793b2b31 Use new IDL based PAC structures in clikrb5.c
Guenther
(This used to be commit 3b0135d57e)
2008-02-17 02:11:59 +01:00
Günther Deschner
022014dba2 Make heimdal and MIT happy when iterating through auth data.
Guenther
(This used to be commit 507247dcbf)
2007-12-12 18:58:26 +01:00