1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

146 Commits

Author SHA1 Message Date
Andrew Bartlett
a5d57a04c2 auth/credentials: Do not print passwords in a talloc memory dump
The fact that a password was created here is enough information, so
overwrite with the function name and line.

Andrew Bartlett
2012-08-31 14:30:38 +10:00
Andrew Bartlett
5131359eda auth/credentials: Support match-by-key in cli_credentials_get_server_gss_creds()
This allows a password alone to be used to accept kerberos tickets.

Of course, we need to have got the salt right, but we do not need also
the correct kvno.  This allows gensec_gssapi to accept tickets based on
a secrets.tdb entry.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Aug 30 01:26:12 CEST 2012 on sn-devel-104
2012-08-30 01:26:12 +02:00
Andrew Bartlett
17337cfec0 auth/credentials: Remove unused, and un-declared cli_credentials_set_krbtgt() 2012-08-29 11:34:52 +10:00
Andrew Bartlett
beafdd6410 auth/credentials: Better integrate fetch of secrets.tdb and secrets.ldb records
By checking first if there is a secrets.tdb record and passing in the password and last change time
we avoid setting one series of values and then replacing them.  We also avoid the need to work
around the setting of anonymous.

Andrew Bartlett
2012-08-29 11:34:52 +10:00
Andrew Bartlett
a0e4bdcb5b auth/credentials: Improve memory handling in cli_credentials_set_machine_account
By using a tempoary talloc context this is much tidier and more reliable code.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug 29 03:11:10 CEST 2012 on sn-devel-104
2012-08-29 03:11:09 +02:00
Andrew Bartlett
bcc29f9e73 auth/credentials: Avoid double-free in the failure case
This pointer is only valid if dbwrap_fetch returned success.

Andrew Bartlett
2012-08-29 09:09:10 +10:00
Andrew Bartlett
f873d422b1 auth/credentials: Rework credentials handling to try and find the most recent machine pw
As winbindd will update secrets.tdb but not secrets.ldb, we need to detect this and use secrets.tdb

Andrew Bartlett
2012-08-28 07:57:29 +10:00
Andrew Bartlett
e66fa2c813 auth/credentials: Expand secrets.tdb fetch of secrets to preserve workstation and realm
These would otherwise be set during the fetch from the secrets.ldb, but are wiped when that fails.

Andrew Bartlett
2012-08-28 07:57:29 +10:00
Björn Jacke
13f8674a15 build: rename security → samba-security
there is a libsecurity on OSF1 which clasheѕ with our security lib. see bug #9023.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Fri Aug 10 14:22:21 CEST 2012 on sn-devel-104
2012-08-10 14:22:20 +02:00
Stefan Metzmacher
e8f486883f auth/ntlmssp: avoid talloc_tos() in ntlmssp_client_initial()
This avoids a smb_panic at log level = 10.
If we don't have a talloc stackframe yet.

metze
2012-08-04 09:10:20 +02:00
Andrew Bartlett
0f21fe7666 auth/kerberos: Do not do pointer arithmatic on a void *
Found with -Werror=pointer-arith

Andrew Bartlett
2012-07-30 14:25:09 +10:00
Andrew Bartlett
cbc30833d6 auth/credentials: Remove extra newline 2012-07-19 04:04:20 +02:00
Andrew Bartlett
dff29e4aee auth/credentials: Look in the secrets.tdb for the machine account
This is for use with the -P/--machine-pass option.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Jul 15 05:41:28 CEST 2012 on sn-devel-104
2012-07-15 05:41:27 +02:00
Christof Schmitt
7285ed586f auth: Common function for retrieving PAC_LOGIN_INFO from PAC
Several functions use the same logic as kerberos_pac_logon_info. Move
kerberos_pac_logon_info to common code and reuse it to remove the code
duplication.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-06 20:45:51 +10:00
Andrew Bartlett
eba8799514 auth: Remove .get_challenge (only used for security=server)
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge,
so if we ever did use a module that needed this functionlity, we would
downgrade to just NTLM.

Now that security=server has been removed, we have no such module.

This will make it easier to make the auth subsystem async, as we will
not need to consider making .get_challenge async.

Andrew Bartlett
2012-07-03 08:13:01 +10:00
Andrew Bartlett
ab80b99815 auth/gensec: Remove unused gensec_security parameter 2012-07-03 08:13:01 +10:00
Alexander Bokovoy
238d24af4e auth-kerberos: avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute()
gss_get_name_attribute() can return unintialized pac_display_buffer
and later gss_release_buffer() will crash on attempting to release it.

The fix on MIT krb5 side is in 1.10.1, reported in both Debian and MIT upstream:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514
http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087

We need to initialize variables before using gss_get_name_attribute()

Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Jun  6 18:22:51 CEST 2012 on sn-devel-104
2012-06-06 18:22:51 +02:00
Alexander Bokovoy
dc3f74a953 auth/credentials: 'workgroup' set via command line will not drop existing ccache
The root cause for existing ccache being invalidated was use of global loadparm with
'workgroup' value set as if from command line. However, we don't really need to take
'workgroup' parameter value's nature into account when invalidating existing ccache.
When -U is used on the command line, one can specify a password to force ccache
invalidation.

The commit also reverts previous fix now that root cause is clear.
2012-05-24 16:21:26 +02:00
Andreas Schneider
2b144531f1 gse: Use the smb_gss_oid_equal wrapper.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-05-23 17:51:51 +03:00
Alexander Bokovoy
ec989e7c40 auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials
When credentials API is used by a client-side program that already as fetched required
tickets into a ccache, we need to skip re-initializing ccache. This is used in FreeIPA
when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets
already.
2012-05-23 17:51:50 +03:00
Simo Sorce
302abe6190 auth and s4-rpc_server: Do not use features we currently can't implement with MIT Kerbros build 2012-05-23 17:51:49 +03:00
Stefan Metzmacher
9ac855c8b8 auth/gensec: implement gensec_spnego_expire_time()
metze
2012-05-17 20:04:33 +02:00
Stefan Metzmacher
dce6fdf195 auth/gensec: add gensec_expire_time()
metze
2012-05-17 20:04:32 +02:00
Andreas Schneider
5832c61c5f s4-auth: Use smb_krb5_cc_get_lifetime() wrapper.
Signed-off-by: Simo Sorce <idra@samba.org>
2012-05-04 16:51:29 +02:00
Alexander Bokovoy
594e316181 lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into lib/replace/system/gssapi.h
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.

Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.

Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
2012-04-25 00:18:32 +02:00
Simo Sorce
08c733d75f Make krb5 wrapper library common so they can be used all over 2012-04-23 19:20:38 -04:00
Simo Sorce
a925c2c48d srv_keytab: Pass krb5_context directly, it's all we use anyways.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
70c303a7f3 auth-krb: Move pac related util functions in a single place.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
3fd6deda7d auth-krb: Make functions static.
The remaining gssapi_parse functions were used exclusively in
gensec_krb5.  Move them there and make them static.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
d857e393ac auth-krb: Use simpler method to extract keytype.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
88d5d5c4b4 auth-krb: Nove oid packet check to gensec_util.
This is clearly a utiliy function generic to gensec.  Also the 3 callers
had identical implementations. Provide a generic implementation for all
of them and avoid duplicating the code everywhere.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
f116262a73 s4-auth-krb: Remove dependency on credentials too.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
a46e465ce0 s4-auth-krb: Remove unneded dependency on kerberos_util.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
b226955587 s4-auth-krb: Move keytab functions in a separate file.
Confine ldb dependency.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
670dbde65e s4-auth-krb: Move function into more appropriate header.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Simo Sorce
70f1cd6724 s4-auth-krb: Make cli_credentials_invalidate_client_gss_creds static.
It's not used anywhere else.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Simo Sorce
b574e7cd81 s4-auth-krb: Make impersonate_principal_from_credentials static.
It's not used anywhere else.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Simo Sorce
93aa4511b9 gensec_gssapi: keep private header file close to the actual code
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Stefan Metzmacher
7c715207ad auth/gensec_gssapi: gss_krb5_lucid_context_v1_t is not shared with the gse code anymore
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Mar 15 09:16:16 CET 2012 on sn-devel-104
2012-03-15 09:16:16 +01:00
Andrew Bartlett
b6ba8bdac3 auth/ntlmssp: Remove reference to struct ntlmssp_state 2012-03-09 14:31:25 +11:00
Andrew Bartlett
239c7a355c auth/ntlmssp: Remove gensec_security element from gensec_ntlmssp_state
This just means there is one less pointer to ensure we initialise.

Andrew Bartlett
2012-03-09 14:31:24 +11:00
Andrew Bartlett
9a11f2ea09 auth/kerberos: Fall back to gsskrb5_get_subkey if we did not get the key type
The key type OID is optional, but we require that information to determine if
we should use NEW_SPNEGO.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Mar  8 11:53:57 CET 2012 on sn-devel-104
2012-03-08 11:53:57 +01:00
Andrew Bartlett
5b372d7015 auth/kerberos: Ensure we do not print invalid memory in failure case
This codeblock may not have any set->elements, so we should not print them.  Copy&paste in the original code.

Andrew Bartlett
2012-03-08 10:14:05 +01:00
Andrew Bartlett
111d9f3eb2 auth: Remove plugable password-check functions from gensec_ntlmssp
The auth4_context layer now provides the plugability here.

Andrew Bartlett
2012-02-24 11:23:18 +11:00
Andrew Bartlett
83810f8afa auth: consolidate gensec_ntlmssp_server wrapper functions 2012-02-24 11:23:18 +11:00
Andrew Bartlett
9de7fb8706 s3-ntlm_auth: Convert ntlm_auth to use gensec_ntlmssp server-side
This uses the common gensec_ntlmssp server code for ntlm_auth, removing
the last non-gensec use of the NTLMSSP server.

Andrew Bartlett
2012-02-24 11:23:18 +11:00
Andrew Bartlett
e3cebef0cf auth: Rename some elements of auth4_context
These operate on NTLM authentication, so make that clear.

Andrew Bartlett
2012-02-24 11:23:18 +11:00
Andrew Bartlett
e786e8fef9 auth: Reorder arguments to generate_session_info
This matches check_ntlm_password() and generate_session_info_pac()

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
2012-02-18 02:19:35 +01:00
Andrew Bartlett
c35a7e8c47 auth: Allow the netbios name and domain to be set from winbindd in ntlm_auth3
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Feb 17 12:18:51 CET 2012 on sn-devel-104
2012-02-17 12:18:51 +01:00
Andrew Bartlett
f433baa3c8 auth: Make more of the ntlmssp code private or static
Now that there is only one gensec_ntlmssp server, some of these functions can be static

For the rest, put the implemtnation of the gensec_ntlmssp code into ntlmssp_private.h

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:10 +01:00