sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Code
107,843 Commits 60 Branches 1,144 Tags 452 MiB
854ea4eba8
Commit Graph

107843 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Stefan Metzmacher
f65625e4e7 s4:rpc_server: split out dcesrv_auth_prepare_bind_ack() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:12 +02:00
Stefan Metzmacher
9f5110b5b5 s4:rpc_server: make use of dcesrv_auth_complete() in dcesrv_auth_auth3() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:12 +02:00
Stefan Metzmacher
f3be27c79c s4:rpc_server: prepare dcesrv_auth_complete() for AUTH3 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:12 +02:00
Stefan Metzmacher
f9a2db82b9 s4:rpc_server: make use of dcesrv_auth_complete() in dcesrv_auth_alter_ack() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:12 +02:00
Stefan Metzmacher
8ec1254ab4 s4:rpc_server: split out dcesrv_auth_complete() from dcesrv_auth_bind_ack() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:12 +02:00
Stefan Metzmacher
3e94bd7576 s4:rpc_server: add wait_send/recv infrastructure 
This will be used to implement async BIND/ALTER_CONTEXT/AUTH3
using gensec_update_send/recv.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:12 +02:00
Stefan Metzmacher
469e274b7d s4:rpc_server: introduce call->ack_pkt and avoid pkt variable for the response on the stack 
This will be needed when we use async authentication using gensec_update_send/recv.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:12 +02:00
Stefan Metzmacher
31c7493094 s4:kdc: make use of gensec_update() in kpasswd_process() 
This avoids using gensec_update_ev() with a nested event loop.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:12 +02:00
Stefan Metzmacher
c198dee8ea s4:dlz_bind9: assert SPNEGO/KRB5 and use gensec_update() 
This avoids using gensec_update_ev() with a nested event loop.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:12 +02:00
Stefan Metzmacher
186543a727 s4:dns_server: use samba_server_gensec_krb5_start() and gensec_update() in dns_query.c 
This avoids using gensec_update_ev() with a nested event loop.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:12 +02:00
Stefan Metzmacher
d4f72d0b86 s4:auth: add samba_server_gensec_krb5_start() 
This will be used by the dns services to only allow
spnego/krb5. This makes sure the accepting backend
doesn't require any RPC or IPC communication for now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:12 +02:00
Stefan Metzmacher
93a6b9da0f s4:auth: split out a samba_server_gensec_start_settings() helper function 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:11 +02:00
Stefan Metzmacher
4f597f1e5e auth/gensec: make sure there's only one pending gensec_update_send() per context 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:11 +02:00
Stefan Metzmacher
8a3a1111ed auth/gensec: improve NT_STATUS_MORE_PROCESSING_REQUIRED logic in gensec_update_*() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:11 +02:00
Stefan Metzmacher
9e3b27d35c auth/gensec: avoid using a state->subreq pointer 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:11 +02:00
Stefan Metzmacher
a5f37e6cca auth/gensec: remove the sync update() hook from gensec_security_ops 
Some backends still do some nested event context magic,
but that mapping between async and sync is done in these backends
and not in the core gensec code anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:11 +02:00
Stefan Metzmacher
9f3d94b750 auth/spnego: add simple gensec_spnego_update_send/recv() wrapper functions 
TODO: we still need to do the internals async.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:11 +02:00
Stefan Metzmacher
6aba7de4ce auth/ntlmssp: add implement gensec_ntlmssp_update_send/recv() 
Currently only backend functions are sync functions, but that needs
to change in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:11 +02:00
Stefan Metzmacher
4e3c850c47 auth/ntlmssp: make gensec_ntlmssp_update() static 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:11 +02:00
Stefan Metzmacher
b5a0f39fd1 auth/ntlmssp: rename 'input' to 'in' in gensec_ntlmssp_update() 
This matches all other gensec modules.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:11 +02:00
Stefan Metzmacher
458495d604 auth/ntlmssp: remove unused variable from gensec_ntlmssp_update() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:11 +02:00
Stefan Metzmacher
458d87f1f1 auth/ntlmssp: avoid using NT_STATUS_NOT_OK_RETURN() in gensec_ntlmssp_update() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:11 +02:00
Stefan Metzmacher
33a1bbaf1b auth/ntlmssp: remove mem_ctx=NULL handling from gensec_ntlmssp_update() 
The caller is expected always pass a valid context and this fallback
was needed ages ago.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:11 +02:00
Stefan Metzmacher
650a81f7bb s4:gensec_krb5: add simple gensec_krb5_update_send/recv() wrapper functions 
TODO: we still need to make the internal async.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:11 +02:00
Stefan Metzmacher
58b629b2b1 s4:gensec_gssapi: add simple gensec_gssapi_update_send/recv() wrapper functions 
TODO: we still need to make the internal async.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:11 +02:00
Stefan Metzmacher
1e997d7a66 s3:gse: add simple gensec_gse_update_send/recv() wrapper functions 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:10 +02:00
Stefan Metzmacher
86f1ca2dad s4:gensec/http_basic: add simple gensec_http_basic_update_send/recv() wrapper functions 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:09 +02:00
Stefan Metzmacher
d718e92d5e s4:gensec/http_ntlm: add implement gensec_http_ntlm_update_send/recv() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:09 +02:00
Stefan Metzmacher
b713da052b auth/spnego: make sure a fatal error or the final success make the state as SPNEGO_DONE 
This means any further gensec_update() will fail with
NT_STATUS_INVALID_PARAMETER.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:09 +02:00
Stefan Metzmacher
06fa3ae313 auth/spnego: let spnego.c use the new gensec_child_* helper functions 
This means we no longer allow operations on a half finished authentication,
it's activated by gensec_child_ready().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:09 +02:00
Stefan Metzmacher
8332941953 auth/gensec: add gensec_child_* helper functions 
They will be used to simplify the spnego backend
and maybe of some use for a future negoex backend.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:09 +02:00
Stefan Metzmacher
2aab27fef5 auth/gensec: reset existing context on gensec_start_mech() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:09 +02:00
Stefan Metzmacher
1d7ffba0be auth/gensec: make gensec_start_mech() static 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:09 +02:00
Stefan Metzmacher
e9ec93e5f2 s4:rpc_server: simplify the GENSEC_FEATURE_SIGN_PKT_HEADER logic 
We can directly check this after gensec_start_mech_by_authtype(),
the backend either supports it or not. There's nothing that
can change during the authentication phase.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:09 +02:00
Stefan Metzmacher
278f220c7e s4:librpc: ask for GENSEC_FEATURE_SIGN_PKT_HEADER after the gensec_update() dance 
Most features should be added before the update() dance, while
GENSEC_FEATURE_SIGN_PKT_HEADER needs to be after the dance on the client
side.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:09 +02:00
Stefan Metzmacher
e217c2e30a s3:rpc_server: move gensec_update() out of auth_generic_server_authtype_start*() 
We let the caller use auth_generic_server_step() instead.
This allows us to request GENSEC_FEATURE_SIGN_PKT_HEADER before
starting the gensec_update() dance.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:09 +02:00
Stefan Metzmacher
15a7f961da s3:cli_pipe: ask for GENSEC_FEATURE_SIGN_PKT_HEADER after the gensec_update() dance 
Most features should be added before the update() dance, while
GENSEC_FEATURE_SIGN_PKT_HEADER needs to be after the dance on the client
side.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:09 +02:00
Stefan Metzmacher
39b0ba4f96 auth/gensec: add some basic doxygen comments for gensec_{want,have}_feature() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:09 +02:00
Stefan Metzmacher
8ddf3166d4 auth/spnego: always announce GENSEC_FEATURE_SIGN_PKT_HEADER support. 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:09 +02:00
Stefan Metzmacher
0ff6a1ae1f s4:gensec_gssapi: always announce GENSEC_FEATURE_SIGN_PKT_HEADER 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:08 +02:00
Stefan Metzmacher
2ce23513e8 s3:gse: always announce GENSEC_FEATURE_SIGN_PKT_HEADER support. 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:08 +02:00
Stefan Metzmacher
688c659de2 selftest: let fl2003dc use "dcesrv:header signing = no" 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:08 +02:00
Stefan Metzmacher
314b577861 s4:smb_server: avoid using gensec_update_ev() for the negotiate blob 
Getting the SPNEGO mech type blob, we don't expect to block for
any network io, so we can also use gensec_update() which creates
a temporary event context.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:08 +02:00
Stefan Metzmacher
f4424579a0 s3:libsmb: don't rely on gensec_session_key() to work on an unfinished authentication 
If smbXcli_session_is_guest() returns true, we should handle the authentication
as anonymous and don't touch the gensec context anymore.

Note that smbXcli_session_is_guest() always returns false, if signing is
required!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:08 +02:00
Stefan Metzmacher
76693c197a auth/gensec: call gensec_verify_features() also after update_recv() in gensec_update_ev() 
This is no a real problem until now, because the only backends with update_send()/recv()
are "schannel" (which only supports AUTH_LEVEL_{INTEGRITY,PRIVACY}) and
"naclrpc_as_system" (which doesn't support any protection beside using unix
domain sockets).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:08 +02:00
Stefan Metzmacher
31691963b3 auth/spnego: fix gensec_update_ev() argument order for the SPNEGO_FALLBACK case 
This went unnoticed so long as we don't use -Wc++-compat
and gensec_update_ev() used the sync update() hook for all
NTLMSSP and Kerberos.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:08 +02:00
Andrew Bartlett
1116ee1c5c selftest: Actually run python3 tests during the selftest 
These previously only ran if the develper was using EXTRA_PYTHON in their
OS environment

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat May 20 02:26:33 CEST 2017 on sn-devel-144
 2017-05-20 02:26:33 +02:00
Petr Viktorin
e99c0e6503 python3:tests: Fix Python 3 test issues 
- Forgotten text strings that should be binary
- Inverted PY3 condition

Signed-off-by: Petr Viktorin <pviktori@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-19 22:20:16 +02:00
Petr Viktorin
40e409bf9e python3: Use "y#" instead of "s#" for binary data in PyArg_ParseTuple 
The "s#" format code for PyArg_ParseTupleAndKeywords and Py_BuildValue
converts a char* and size to/from Python str (with utf-8 encoding under
Python 3).
In some cases, we want bytes (str on Python 2, bytes on 3) instead. The
code for this is "y#" in Python 3, but that is not available in 2.

Introduce a PYARG_BYTES_LEN macro that expands to "s#" or "y#", and use
that in:
- credentials.get_ntlm_response (for input and output)
- ndr_unpack argument in PIDL generated code

Signed-off-by: Petr Viktorin <pviktori@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-19 22:20:15 +02:00
Jeremy Allison
b691f6d32f s3: smbd: Fix open_files.idl to correctly ignore share_mode_lease *lease in share_mode_entry. 
This is currently marked 'skip', which means it isn't stored in the
db, but printed out in ndr dump. However, this pointer can be invalid
if the lease_idx is set to 0xFFFFFFFF (invalid).

This is fixed up inside parse_share_modes(), but not until after
ndr_pull_share_mode_data() is called. If lease_idx == 0xFFFFFFFF
then ndr_print_share_mode_lease() prints an invalid value and
crashes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12793

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 18 03:01:40 CEST 2017 on sn-devel-144
 2017-05-18 03:01:40 +02:00