1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

474 Commits

Author SHA1 Message Date
Stefan Metzmacher
7128dd8f51 auth/spnego: make more use of the 'ta' helper variable in gensec_spnego_update_client()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
2054008f7d auth/spnego: split out a gensec_spnego_server_negTokenInit() function.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
3ed3d81eee auth/spnego: split out a gensec_spnego_client_negTokenInit() function.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
ce6c80ab0d auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_update_client()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
3866d55951 auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_create_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
eee973a6ae auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_update_send()
Check with git show -U15

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
dc074180be auth/spnego: simplify the error handling logic in gensec_spnego_parse_negTokenInit()
We can just use GENSEC_UPDATE_IS_NTERROR() as NT_STATUS_INVALID_PARAMETER
is mapped to NT_STATUS_MORE_PROCESSING_REQUIRED in the lines above.

Check with git show -U10

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
3903ba821b auth/spnego: call gensec_spnego_create_negTokenInit() directly in gensec_spnego_update_send()
This simplifies further refactoring.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
6521967c4b auth/spnego: do parse the incoming blob already in gensec_spnego_update_send()
It's easier to have this in one central place.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
00c195b431 auth/spnego: introduce a 'spnego_in' helper variable in gensec_spnego_update_client()
In the following commits we'll pass that variable from the caller
and this preparation will reduce the diff for the following patches.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
c988596cb5 auth/spnego: introduce a 'spnego_in' helper variable in gensec_spnego_update_client()
In the following commits we'll pass that variable from the caller
and this preparation will reduce the diff for the following patches.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
e243fb510d auth/spnego: skip gensec_update_ev() if sub_sec_ready is already true in gensec_spnego_update_server()
This matches the flow already used in the client case.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
a2a4483ce1 auth/spnego: move gensec_update_ev() out of gensec_spnego_server_try_fallback()
This makes it easier to handle SPNEGO_FALLBACK code path completely async
from the first packet in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Andreas Schneider
404f923e34 auth/spnego: Fix withespace and indent in gensec_spnego_server_try_fallback()
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-07-25 13:51:07 +02:00
Gary Lockyer
efc335a030 source4 netlogon: Add authentication logging for ServerAuthenticate3
Log NETLOGON authentication activity by instrumenting the
netr_ServerAuthenticate3 processing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-24 23:29:23 +02:00
Gary Lockyer
1898096c7e rpc: use symbolic constant to replace /root/ncalrpc_as_system
Modified to use constant AS_SYSTEM_MAGIC_PATH_TOKEN instead of string literal
"/root/ncalrpc_as_system"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-24 23:29:22 +02:00
Stefan Metzmacher
79faf30151 auth/spnego: pass spnego_in to gensec_spnego_parse_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul  5 06:43:17 CEST 2017 on sn-devel-144
2017-07-05 06:43:17 +02:00
Stefan Metzmacher
f266b35501 auth/spnego: remove useless indentation level for SPNEGO_SERVER_START
Check with git show -w

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-05 02:17:12 +02:00
Stefan Metzmacher
1dfad27c16 auth/spnego: move SERVER gensec_spnego_create_negTokenInit() handling to the top
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-05 02:17:12 +02:00
Stefan Metzmacher
c0b2f85da2 auth/spnego: set spnego_state->{state_position,expected_packet} gensec_spnego_create_negTokenInit()
We should only do the state change in a defined place
and not with any error gensec_spnego_create_negTokenInit() might return.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-05 02:17:12 +02:00
Stefan Metzmacher
b337d26617 auth/spnego: don't pass 'in' to gensec_spnego_create_negTokenInit()
It's always en empty blob.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-05 02:17:12 +02:00
Stefan Metzmacher
9d7a01dea9 auth/spnego: add a struct spnego_negTokenTarg *ta variable to make some lines shorter
This makes future modifications easier to review.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-05 02:17:12 +02:00
Stefan Metzmacher
7ba307a4c8 auth/spnego: use a helper variable for spnego.negTokenInit.targetPrincipal
This makes the lines a bit shorter and the future diff easier to review.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-05 02:17:12 +02:00
Stefan Metzmacher
a15953ae5f auth/spnego: rename gensec_spnego_server_negTokenTarg() into gensec_spnego_server_response()
gensec_spnego_server_negTokenTarg() will reappear as function that
handles the whole negTokenTarg processing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-05 02:17:12 +02:00
Andrew Bartlett
d10e27c350 auth: Disable SChannel authentication if we are not a DC
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Stefan Metzmacher
6cddaa577b auth/spnego: do basic state_position checking in gensec_spnego_update_in()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jun 29 20:15:05 CEST 2017 on sn-devel-144
2017-06-29 20:15:05 +02:00
Stefan Metzmacher
e9f1daa6f4 auth/spnego: move gensec_spnego_update() into gensec_spnego_update_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:22 +02:00
Stefan Metzmacher
91287ce566 auth/spnego: split out gensec_spnego_update_{client,server}() functions
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:22 +02:00
Stefan Metzmacher
d6bb8785cd auth/spnego: remove unused out_mem_ctx = spnego_state fallback in gensec_spnego_update()
The only caller never passes NULL.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:22 +02:00
Stefan Metzmacher
5f4eed37ea auth/spnego: add gensec_spnego_update_sub_abort() helper function
This helps to be consistent when destroying a unuseable sub context.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:22 +02:00
Stefan Metzmacher
728a5c44b4 auth/spnego: remove useless spnego_state->sub_sec_ready check
The lines above make sure it's always true.

Check with git show -U15

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:22 +02:00
Stefan Metzmacher
b75cc98c18 auth/spnego: consitently set spnego_state->sub_sec_ready = true after gensec_update_ev()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:22 +02:00
Stefan Metzmacher
7085d2bf15 auth/spnego: rename spnego_state->no_response_expected to ->sub_sec_ready
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:22 +02:00
Stefan Metzmacher
cd245e1163 auth/spnego: move gensec_spnego_update_out() behind gensec_spnego_update_in()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:21 +02:00
Stefan Metzmacher
6cdc7e2fc2 auth/spnego: move some more logic to gensec_spnego_update_in()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:21 +02:00
Stefan Metzmacher
2e0f749758 auth/spnego: move gensec_spnego_update_in() after gensec_spnego_update_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:21 +02:00
Stefan Metzmacher
a5fc7914b5 auth/spnego: set state_position = SPNEGO_DONE in gensec_spnego_update_cleanup()
Every fatal error should mark the spnego_state to reject any further update()
calls.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:21 +02:00
Stefan Metzmacher
edd8dabd9c auth/spnego: move gensec_spnego_update_wrapper() into gensec_spnego_update_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:21 +02:00
Stefan Metzmacher
9d74c417de auth/spnego: make use of data_blob_null instead of using data_blob(NULL, 0)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:21 +02:00
Stefan Metzmacher
5d99f9bb62 auth/credentials: remove unused smb_krb5_create_salt_principal()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:47 +02:00
Stefan Metzmacher
3e33fb8a37 auth/credentials: make use of smb_krb5_salt_principal() in cli_credentials_get_keytab()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:47 +02:00
Stefan Metzmacher
8ee4f82368 auth/ntlmssp: enforce NTLMSSP_NEGOTIATE_NTLM2 for the NTLMv2 client case
Some servers may not announce the NTLMSSP_NEGOTIATE_NTLM2
(a.k.a. NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) bit.

But if we're acting as a client using NTLMv2 we need to
enforce this flag, because it's not really a negotiationable
in that case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12862

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-26 23:16:13 +02:00
Stefan Metzmacher
27e43e1d0c auth/ntlmssp: make ntlmssp_server_check_password() shorter
We move as must as possible into ntlmssp_server_{pre,post}auth().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jun 26 13:07:30 CEST 2017 on sn-devel-144
2017-06-26 13:07:30 +02:00
Stefan Metzmacher
c6b37a0e1d auth/ntlmssp: remove useless talloc_steal calls in ntlmssp_server_check_password()
We only create a temporary auth_usersupplied_info structure and pass it
down as const, lets keep the values on ntlmssp_state otherwise we may derefence
stale pointers.

We finally free the memory at the end of ntlmssp_server_postauth() now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-26 08:47:15 +02:00
Gary Lockyer
8c909cd7fa pycredentials: Add support for netr_crypt_password
Add code to encrypt a netr_CryptPassword structure with the current
session key.  This allows the making of Netr_ServerPasswordSet2 calls
from python.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-22 08:56:22 +02:00
Gary Lockyer
b68a3374a5 pycredentials: add function to return the netr_Authenticator
Add method new_client_authenticator that returns data to allow a
netr_Authenticator to be constructed.
Allows python to make netr_LogonSamLogonWithFlags,
netr_LogonGetDomainInfo and similar calls

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-22 08:56:22 +02:00
Stefan Metzmacher
c3a47ceab4 auth/gensec: add GENSEC_UPDATE_IS_NTERROR() helper macro
This allows us to write clearer code that
checks for NT_STATUS_OK and NT_STATUS_MORE_PROCESSING_REQUIRED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-17 16:48:11 +02:00
Stefan Metzmacher
67dd9ceee6 auth/gensec: clear the update_busy_ptr in gensec_subcontext_start()
This is required to support async subcontexts.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-17 16:48:11 +02:00
Gary Lockyer
610919e5e6 auth pycredentials: incorrect PyArg_ParseTupleAndKeywords call
The challenge parameter was being treated as a string rather than as a
data blob.  This was causing intermittent seg faults. Removed the
server_timestamp parameter as it's not currently used.

Unable to produce a test case to reliably replicate the failure.
However auth_log_samlogon does flap

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:13 +02:00
Gary Lockyer
ee0eb1daa3 auth pycredentials: correct docstring of get_ntlm_response method
Fix copy paste error was incorrectly named "get_ntlm_username_domain"

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00