1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

559 Commits

Author SHA1 Message Date
Andrew Bartlett
6fda57d309 build: Make --with-json-audit the default
Thanks to Rowland for a clear description of the behaviour for the smb.conf manpage.

This means that those not wanting to link to libarchive will just need to
build --without-json-audit.

In general, we prefer that optional libraries be required by default
so that they are not accidentially missed, particularly in packages.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-15 03:36:08 +02:00
Noel Power
26c4084ad2 auth/credentials/test: py2/py3 compat always decode result of b64encode
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun May 13 00:24:35 CEST 2018 on sn-devel-144
2018-05-13 00:24:35 +02:00
Joe Guo
656ec98e5b pycredentials: add py_creds_get_secure_channel_type
We have only set, need get.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-05-12 02:09:28 +02:00
Gary Lockyer
52a3318be8 auth log: Log the unique session GUID
Log the unique_session_token GUID on successful Authorizations.
This patch adds the "sessionID" attribute to the Authorization object
and increments the version to 1.1

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-10 20:02:22 +02:00
Douglas Bagnall
f94c9a1357 auth/ntlmssp_client: correct spelling of response
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-05 04:32:42 +02:00
Douglas Bagnall
a66f941619 auth/pycredentials: correct spelling of reponse
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-05 04:32:42 +02:00
Volker Lendecke
1aeac2f85d dbwrap: Remove calls to loadparm
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:19 +02:00
Volker Lendecke
7f09fd2b4c credentials: Call dbwrap_local_open with the correct tdb_flags
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:18 +02:00
Volker Lendecke
7e183a22a7 credentials: Call dbwrap_local_open with the correct hash size
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:18 +02:00
Björn Baumbach
57d9969f5c build: fix build without JSON audit support
Autobuild-User(master): Björn Baumbach <bbaumbach@samba.org>
Autobuild-Date(master): Fri Apr 20 21:12:33 CEST 2018 on sn-devel-144
2018-04-20 21:12:33 +02:00
Björn Baumbach
cc1eed99bd build: add option to choose to build with or without JSON audit support
Add a new configure option:

  --with-json-audit
            Build with JSON auth audit support (default=auto). This requires
	    the jansson devel package.

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master):  <bbaumbach@samba.org>
Autobuild-Date(master): Wed Apr 18 15:25:42 CEST 2018 on sn-devel-144
2018-04-18 15:25:42 +02:00
Noel Power
4a58393b2b wscript_build: make sure we link extra-python versions of libraries
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-04-13 07:27:11 +02:00
Arvid Requate
490756a840 Check "auth event notification" param in log_json
When Samba is compiled with JSON support it logs an error message
at log level 3 by default for every authentication event:

get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND

This patch adjusts the log_json function to consider the smb.conf
parameter "auth event notification" before calling auth_message_send.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13381

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr 12 08:12:39 CEST 2018 on sn-devel-144
2018-04-12 08:12:39 +02:00
Volker Lendecke
dff196a157 credentials: Fix CID 1414796 Explicit null dereferenced
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 11 21:58:00 CEST 2018 on sn-devel-144
2018-04-11 21:58:00 +02:00
Volker Lendecke
7a9df79660 credentials: Fix line length
... just because I'll modify that line in the next commit

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 19:07:24 +02:00
Volker Lendecke
56a8739e22 credentials: Revert "credentials: Fix CID 1414796 Explicit null dereferenced"
This reverts commit 90c02ec64d.

We have code to take care of password==NULL, this CID must be fixed in a
different way

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 19:07:24 +02:00
Volker Lendecke
cc746385bf credentials: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-05 01:10:09 +02:00
Volker Lendecke
90c02ec64d credentials: Fix CID 1414796 Explicit null dereferenced
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-05 01:10:09 +02:00
Noel Power
7b897d6d1c auth/credentials/test: convert print func to be py2/py3 compatible
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-23 07:28:24 +01:00
Matt Selsky
7ab4ceffb4 auth/kerberos: Fix typo in error message regarding fetching PAC using Heimdal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13311

Signed-off-by: Matt Selsky <matthew.selsky@twosigma.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-19 07:33:44 +01:00
Stefan Metzmacher
6ff8911958 auth: add auth_user_info_copy() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:17 +01:00
Andreas Schneider
654a66b72d auth:credentials: Avoid an 'else' branch
This moves the 'return' statement to the end of the 'case' and makes clear
we leave here.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 14:49:45 +01:00
Andreas Schneider
9a971bcd07 auth:credentials: Add FALL_THROUGH statements in credentials.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 14:49:45 +01:00
Andreas Schneider
2a646a7485 auth:gensec: Add FALL_THROUGH statements in spnego.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
d123638a82 auth:credentials: Add FALL_THROUGH statements in credentials_secrets.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Garming Sam
2e49a97777 tests/bind.py: Add a bind test with NTLMSSP with no domain
Confirmed to pass against Windows 2012 R2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-22 23:15:17 +01:00
Andrew Bartlett
8e54bc463a selftest: Require jansson support for selftest of the AD DC
This avoids this code becoming untested if a package is not installed or
the configure test is accidentially broken.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-02-15 00:18:29 +01:00
kkplein
d39664fc66 define DBGC_AUTH class
Signed-off-by: Mourik Jan C Heupink <heupink@merit.unu.edu>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-08 03:34:17 +01:00
Andreas Schneider
11239f0759 credentials: Simplify cli_credentials_get_server_gss_creds()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan  3 14:37:12 CET 2018 on sn-devel-144
2018-01-03 14:37:12 +01:00
Stefan Metzmacher
7074a1b7e0 CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-09-20 13:04:10 +02:00
Volker Lendecke
adf46ff0ea cli_credentials: Apply some const
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Sep 16 12:28:17 CEST 2017 on sn-devel-144
2017-09-16 12:28:17 +02:00
Volker Lendecke
1e4c32e3ff cli_credentials: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep  7 05:56:14 CEST 2017 on sn-devel-144
2017-09-07 05:56:14 +02:00
Volker Lendecke
f8b491fac4 cli_credentials: Fix a return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Sep  5 23:06:42 CEST 2017 on sn-devel-144
2017-09-05 23:06:41 +02:00
Stefan Metzmacher
e8264d9678 auth/common: add support for auth4_ctx->check_ntlm_password_send/recv()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
7d43aecb50 auth/ntlmssp: merge ntlmssp_server_check_password() into ntlmssp_server_auth_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
260e535252 auth/ntlmssp: introduce ntlmssp_server_auth_send/recv
We still use the sync ntlmssp_server_check_password().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
da3baf64d5 auth/ntlmssp: prepare update_send/recv for real async processing
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Andrew Bartlett
dc940ad0e0 pycredentials: Add set_named_ccache()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-07-28 00:25:14 +02:00
Andrew Bartlett
9dd89361c2 pycredentials: Add get_name() for a credentials cache
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-28 00:25:13 +02:00
Andrew Bartlett
35cbed2934 pycredentials: Allow optional "name" argument to get_named_ccache() to be missing
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-07-28 00:25:13 +02:00
Stefan Metzmacher
ee9f4374ed auth/gensec: finally remove unused gensec_update_ev()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul 25 17:42:55 CEST 2017 on sn-devel-144
2017-07-25 17:42:55 +02:00
Stefan Metzmacher
39353c9a6e auth/gensec: don't allow gensec_update[_ev] to be called on a subcontext
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:12 +02:00
Stefan Metzmacher
a7f401243c auth/gensec: make use of gensec_update_send/recv in gensec_update_ev()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:12 +02:00
Stefan Metzmacher
eb6b2b63e9 auth/gensec: introduce gensec_security_ops.glue in order to avoid depending on GENSEC_OID_SPNEGO being special
In future we have get more backends that can negotiate other backends,
we should keep all of them even if we require kerberos.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:11 +02:00
Stefan Metzmacher
692425f09a auth/gensec: add some useful debugging to gensec_update_send/gensec_update_done
This makes it easier to spot problems with all the abstraction and async layers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:11 +02:00
Andreas Schneider
97788f4a75 auth/spnego: Use talloc_get_type_abort() in gsensec_spnego_update_out()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-25 13:51:11 +02:00
Andreas Schneider
62ffe20fcb auth/spnego: Use talloc_get_type_abort() in gsensec_spnego_update_in()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-25 13:51:11 +02:00
Andreas Schneider
e492950184 auth/spnego: Rename gensec_spnego_update_sub_abort()
The name is not ideal as someone might think we will panic and abort the
process. So rename it to gensec_spnego_reset_sub_sec().

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-25 13:51:11 +02:00
Stefan Metzmacher
832e9ff594 auth/spnego: replace gensec_spnego_neg_loop() by real async processing of {start,step,finish}_fn()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:11 +02:00
Stefan Metzmacher
75e6728bcf auth/spnego: split gensec_spnego_server_negTokenTarg() into subfunctions
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:11 +02:00