IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This matches check_ntlm_password() and generate_session_info_pac()
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Feb 17 12:18:51 CET 2012 on sn-devel-104
Now that there is only one gensec_ntlmssp server, some of these functions can be static
For the rest, put the implemtnation of the gensec_ntlmssp code into ntlmssp_private.h
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller
knows better. This will allow preservation of current s3 behaviour.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This is possible because we now supply the auth4_context abstraction that this
code is looking for.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
The ntlmssp_server code will be in common shortly, and aside from a
symbol name or two, moving the client code causes no harm and makes
less mess. We will also get the client code in common very soon.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This avoids creating a second auth_context, as it is a private pointer
in the auth4_context that has already been passed in, and makes the
gensec_ntlmssp code agnostic to the type of authentication backend
behind it. This will in turn allow the ntlmssp server code to be
further merged.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This matches what Samba3 does.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Feb 13 01:25:59 CET 2012 on sn-devel-104
This should be the correct fix for the valgrind erorr Volker found in
744ed53a62. This fix avoids putting
SPNEGO into the list twice when we are in the CRED_DONT_USE_KERBEROS
case.
Andrew Bartlett
This reverts commit 744ed53a62.
The real bug here is that the second half of the outer loop should not
have been run once we found spnego.
Andrew Bartlett
Without this I get the following valgrind error:
==27740== Invalid write of size 8
==27740== at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112)
==27740== by 0x62C623: gensec_security_mechs (gensec_start.c:141)
==27740== by 0x62C777: gensec_security_by_oid (gensec_start.c:181)
==27740== by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735)
==27740== by 0x50D6FD: negprot_spnego (negprot.c:210)
==27740== by 0x5B0DEA: smbd_smb2_request_process_negprot (smb2_negprot.c:209)
==27740== by 0x5AD036: smbd_smb2_request_dispatch (smb2_server.c:1417)
==27740== by 0x5AFB77: smbd_smb2_first_negprot (smb2_server.c:2643)
==27740== by 0x585C00: process_smb (process.c:1641)
==27740== by 0x587F78: smbd_server_connection_read_handler (process.c:2314)
==27740== by 0x587FD6: smbd_server_connection_handler (process.c:2331)
==27740== by 0x99E05B: run_events_poll (events.c:286)
==27740== by 0x584AFF: smbd_server_connection_loop_once (process.c:984)
==27740== by 0x58B2D9: smbd_process (process.c:3389)
==27740== by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740== by 0x99E05B: run_events_poll (events.c:286)
==27740== by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740== by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740== by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740== by 0xDE6DD8: main (server.c:1413)
==27740== Address 0x9ff3538 is 4,232 bytes inside a block of size 8,288 alloc'd
==27740== at 0x4C261D7: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27740== by 0x6926965: __talloc (talloc.c:560)
==27740== by 0x6926771: talloc_pool (talloc.c:598)
==27740== by 0x93B927: talloc_stackframe_internal (talloc_stack.c:145)
==27740== by 0x93B9D6: talloc_stackframe_pool (talloc_stack.c:171)
==27740== by 0x58B2B7: smbd_process (process.c:3385)
==27740== by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740== by 0x99E05B: run_events_poll (events.c:286)
==27740== by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740== by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740== by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740== by 0xDE6DD8: main (server.c:1413)
In the for-loop we can increment j twice, so we need twice as many output array
elements as input array elements.
Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Thu Feb 9 19:44:47 CET 2012 on sn-devel-104
This avoids casting to and from the struct auth_user_info_dc *user_info_dc
to to this, the
if (user_info_dc->info->authenticated)
is moved into auth_generate_session_info_wrapper(), which is the
function that gensec_security->auth_context->generate_session_info
points to.
Andrew Bartlett
gensec_ntlmssp does not need to know the internal form of the
struct user_info_dc or auth_serversupplied_info. This will allow the
calling logic to be put in common.
Andrew Bartlett
There is no need to return the PAC signatures via the special-purpose
torture element. Instead, use a private pointer on the auth_context
in conjunction with the private PAC processing method.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sun Jan 29 23:52:50 CET 2012 on sn-devel-104
Both use gss_krb5_lucid_context_v1_t now.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 25 10:22:31 CET 2012 on sn-devel-104
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 18 19:29:40 CET 2012 on sn-devel-104
These are optional to supply - some callers only provide an auth_context for the
other plugin functions, and so we need to deal with this cleanly.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This will make it easier to share elements of the GSSAPI gensec mechs,
in much the same way elements of the NTLMSSP mech are shared.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
By providing this context, a function pointer for
generate_session_info_pac() can be inserted into gensec, allowing the
s3 PAC processing in an otherwise more generic gensec module.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
The fact that this function is unimplemented is unimportant to the callers
as credential caches are not handled via the auth/credentials code in s3.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jan 9 03:24:36 CET 2012 on sn-devel-104
This uses a single callback to handle the PAC from the DATA_BLOB
format until it becomes a struct auth_session_info.
This allows a seperation between the GSS acceptor code and the PAC
interpretation code based on the supplied auth context.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
When this returns false, the hash value is not correct as the password
could not be converted into an uppercase, 14 char or less ASCII string.
Andrew Bartlett
This will allow s3 to specify modules to use as a list, rather than
needing to start the individual module with gensec_start_mech_by_ops()
Andrew Bartlett
This allows dlz_bind9 to match on exactly the same key as bind9 itself
Andrew Bartlett
Autobuild-User: Amitay Isaacs <amitay@samba.org>
Autobuild-Date: Wed Dec 7 02:20:10 CET 2011 on sn-devel-104
This library was tiny - containing just two public functions than were
themselves trivial. The amount of overhead this causes isn't really worth the
benefits of sharing the code with other projects like OpenChange. In addition, this code
isn't really generically useful anyway, as it can only load from the module path
set for Samba at configure time.
Adding a new library was breaking the API/ABI anyway, so OpenChange had to be
updated to cope with the new situation one way or another. I've added a simpler
(compatible) routine for loading modules to OpenChange, which is less than 100 lines of code.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Dec 3 08:36:33 CET 2011 on sn-devel-104
Change some misleading variable names to reflect the actual function.
Add missing field name/types previously marked as unkown.
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Oct 24 19:19:28 CEST 2011 on sn-devel-104
We don't talloc_reference for tsocket_addresses.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Oct 24 15:29:47 CEST 2011 on sn-devel-104
This avoids keeping the event context around on a the gensec_security
context structure long term.
In the Samba3 server, the event context we either supply is a NULL
pointer as no server-side modules currently use the event context.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Because of the calling convention, this is the best place to assert
that we have not been subject to a downgrade attack on the negotiated
features. (In DCE/RPC, this isn't a negotiation, the client simply
specifies the level of protection that is required).
Andrew Bartlett
(some formatting fixes)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
If you do not specify one however, you better know that the modules
you are using do not need one!
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
If a user specified -W or --realm on the command line, then this is
of level SPECIFIED, not UNINITIALISED, despite it going via the
loadparm system.
This helps us to ensure that -W server -Ulocaluser is parsed the
same as -Userver\localuser. This matters as otherwise we might
instead attempt to use kerberos to the realm from the smb.conf.
Andrew Bartlett
This is in preperation for this file being used by s3, and recognises that these are all
reasonable, public interfaces but were not declared as such in the past.
Andrew Bartlett
This will allow gensec_start.c to move to the top level. This does not change
what code uses the cli_credentials code, but allows the gensec code to be
more broadly.
Andrew Bartlett
This is slightly less efficient, because we no longer keep a cache on
the gensec structures, but much clearer in terms of memory ownership.
Both gensec_session_info() and gensec_session_key() now take a mem_ctx
and put the result only on that context.
Some duplication of memory in the callers (who were rightly uncertain
about who was the rightful owner of the returned memory) has been
removed to compensate for the internal copy.
Andrew Bartlett
The startup and runtime functions that have no dependencies are moved
into the top level.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
These additional measures should help ensure we do not accidentily upgrade
a guest to an authenticated user in the future.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This will allow the source3 auth code to call this without needing to
double-parse the SIDs
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
I'd like Samba to use the native OpenLDAP and MIT Kerberos libs.
Attached are some patches to do that. (relative to git master)
It does not build for me without these.
(OpenIndiana is an off-shoot of OpenSolaris See http://www.openindiana.org)
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat May 7 02:20:14 CEST 2011 on sn-devel-104
Not all kerberos distributions have this function.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Apr 27 07:39:08 CEST 2011 on sn-devel-104
This only works for Heimdal and MIT Krb5 1.8, other versions will get
an ACCESS_DEINED error.
We no longer manually verify any details of the PAC in Samba for
GSSAPI logins, as we never had the information to do it properly, and
it is better to have the GSSAPI library handle it.
Andrew Bartlett
These functions provide conversions between some netlogon.idl and
auth.idl structures
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This common structure will make it much easier to produce an auth
module for s3compat that calls Samba4's auth subsystem.
In order the make the link work properly (and not map twice), we mark
both that we did try and map the user, as well as if we changed the
user during the mapping.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
