1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

282 Commits

Author SHA1 Message Date
Stefan Metzmacher
ce6c80ab0d auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_update_client()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
3866d55951 auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_create_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
eee973a6ae auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_update_send()
Check with git show -U15

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
dc074180be auth/spnego: simplify the error handling logic in gensec_spnego_parse_negTokenInit()
We can just use GENSEC_UPDATE_IS_NTERROR() as NT_STATUS_INVALID_PARAMETER
is mapped to NT_STATUS_MORE_PROCESSING_REQUIRED in the lines above.

Check with git show -U10

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
3903ba821b auth/spnego: call gensec_spnego_create_negTokenInit() directly in gensec_spnego_update_send()
This simplifies further refactoring.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
6521967c4b auth/spnego: do parse the incoming blob already in gensec_spnego_update_send()
It's easier to have this in one central place.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
00c195b431 auth/spnego: introduce a 'spnego_in' helper variable in gensec_spnego_update_client()
In the following commits we'll pass that variable from the caller
and this preparation will reduce the diff for the following patches.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
c988596cb5 auth/spnego: introduce a 'spnego_in' helper variable in gensec_spnego_update_client()
In the following commits we'll pass that variable from the caller
and this preparation will reduce the diff for the following patches.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
e243fb510d auth/spnego: skip gensec_update_ev() if sub_sec_ready is already true in gensec_spnego_update_server()
This matches the flow already used in the client case.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Stefan Metzmacher
a2a4483ce1 auth/spnego: move gensec_update_ev() out of gensec_spnego_server_try_fallback()
This makes it easier to handle SPNEGO_FALLBACK code path completely async
from the first packet in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-25 13:51:07 +02:00
Andreas Schneider
404f923e34 auth/spnego: Fix withespace and indent in gensec_spnego_server_try_fallback()
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-07-25 13:51:07 +02:00
Gary Lockyer
1898096c7e rpc: use symbolic constant to replace /root/ncalrpc_as_system
Modified to use constant AS_SYSTEM_MAGIC_PATH_TOKEN instead of string literal
"/root/ncalrpc_as_system"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-24 23:29:22 +02:00
Stefan Metzmacher
79faf30151 auth/spnego: pass spnego_in to gensec_spnego_parse_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul  5 06:43:17 CEST 2017 on sn-devel-144
2017-07-05 06:43:17 +02:00
Stefan Metzmacher
f266b35501 auth/spnego: remove useless indentation level for SPNEGO_SERVER_START
Check with git show -w

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-05 02:17:12 +02:00
Stefan Metzmacher
1dfad27c16 auth/spnego: move SERVER gensec_spnego_create_negTokenInit() handling to the top
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-05 02:17:12 +02:00
Stefan Metzmacher
c0b2f85da2 auth/spnego: set spnego_state->{state_position,expected_packet} gensec_spnego_create_negTokenInit()
We should only do the state change in a defined place
and not with any error gensec_spnego_create_negTokenInit() might return.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-05 02:17:12 +02:00
Stefan Metzmacher
b337d26617 auth/spnego: don't pass 'in' to gensec_spnego_create_negTokenInit()
It's always en empty blob.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-05 02:17:12 +02:00
Stefan Metzmacher
9d7a01dea9 auth/spnego: add a struct spnego_negTokenTarg *ta variable to make some lines shorter
This makes future modifications easier to review.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-05 02:17:12 +02:00
Stefan Metzmacher
7ba307a4c8 auth/spnego: use a helper variable for spnego.negTokenInit.targetPrincipal
This makes the lines a bit shorter and the future diff easier to review.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-05 02:17:12 +02:00
Stefan Metzmacher
a15953ae5f auth/spnego: rename gensec_spnego_server_negTokenTarg() into gensec_spnego_server_response()
gensec_spnego_server_negTokenTarg() will reappear as function that
handles the whole negTokenTarg processing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-05 02:17:12 +02:00
Andrew Bartlett
d10e27c350 auth: Disable SChannel authentication if we are not a DC
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Stefan Metzmacher
6cddaa577b auth/spnego: do basic state_position checking in gensec_spnego_update_in()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jun 29 20:15:05 CEST 2017 on sn-devel-144
2017-06-29 20:15:05 +02:00
Stefan Metzmacher
e9f1daa6f4 auth/spnego: move gensec_spnego_update() into gensec_spnego_update_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:22 +02:00
Stefan Metzmacher
91287ce566 auth/spnego: split out gensec_spnego_update_{client,server}() functions
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:22 +02:00
Stefan Metzmacher
d6bb8785cd auth/spnego: remove unused out_mem_ctx = spnego_state fallback in gensec_spnego_update()
The only caller never passes NULL.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:22 +02:00
Stefan Metzmacher
5f4eed37ea auth/spnego: add gensec_spnego_update_sub_abort() helper function
This helps to be consistent when destroying a unuseable sub context.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:22 +02:00
Stefan Metzmacher
728a5c44b4 auth/spnego: remove useless spnego_state->sub_sec_ready check
The lines above make sure it's always true.

Check with git show -U15

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:22 +02:00
Stefan Metzmacher
b75cc98c18 auth/spnego: consitently set spnego_state->sub_sec_ready = true after gensec_update_ev()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:22 +02:00
Stefan Metzmacher
7085d2bf15 auth/spnego: rename spnego_state->no_response_expected to ->sub_sec_ready
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:22 +02:00
Stefan Metzmacher
cd245e1163 auth/spnego: move gensec_spnego_update_out() behind gensec_spnego_update_in()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:21 +02:00
Stefan Metzmacher
6cdc7e2fc2 auth/spnego: move some more logic to gensec_spnego_update_in()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:21 +02:00
Stefan Metzmacher
2e0f749758 auth/spnego: move gensec_spnego_update_in() after gensec_spnego_update_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:21 +02:00
Stefan Metzmacher
a5fc7914b5 auth/spnego: set state_position = SPNEGO_DONE in gensec_spnego_update_cleanup()
Every fatal error should mark the spnego_state to reject any further update()
calls.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:21 +02:00
Stefan Metzmacher
edd8dabd9c auth/spnego: move gensec_spnego_update_wrapper() into gensec_spnego_update_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:21 +02:00
Stefan Metzmacher
9d74c417de auth/spnego: make use of data_blob_null instead of using data_blob(NULL, 0)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-29 15:59:21 +02:00
Stefan Metzmacher
c3a47ceab4 auth/gensec: add GENSEC_UPDATE_IS_NTERROR() helper macro
This allows us to write clearer code that
checks for NT_STATUS_OK and NT_STATUS_MORE_PROCESSING_REQUIRED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-17 16:48:11 +02:00
Stefan Metzmacher
67dd9ceee6 auth/gensec: clear the update_busy_ptr in gensec_subcontext_start()
This is required to support async subcontexts.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-17 16:48:11 +02:00
Stefan Metzmacher
4f597f1e5e auth/gensec: make sure there's only one pending gensec_update_send() per context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:11 +02:00
Stefan Metzmacher
8a3a1111ed auth/gensec: improve NT_STATUS_MORE_PROCESSING_REQUIRED logic in gensec_update_*()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:11 +02:00
Stefan Metzmacher
9e3b27d35c auth/gensec: avoid using a state->subreq pointer
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:11 +02:00
Stefan Metzmacher
a5f37e6cca auth/gensec: remove the sync update() hook from gensec_security_ops
Some backends still do some nested event context magic,
but that mapping between async and sync is done in these backends
and not in the core gensec code anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:11 +02:00
Stefan Metzmacher
9f3d94b750 auth/spnego: add simple gensec_spnego_update_send/recv() wrapper functions
TODO: we still need to do the internals async.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:11 +02:00
Stefan Metzmacher
b713da052b auth/spnego: make sure a fatal error or the final success make the state as SPNEGO_DONE
This means any further gensec_update() will fail with
NT_STATUS_INVALID_PARAMETER.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:09 +02:00
Stefan Metzmacher
06fa3ae313 auth/spnego: let spnego.c use the new gensec_child_* helper functions
This means we no longer allow operations on a half finished authentication,
it's activated by gensec_child_ready().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:09 +02:00
Stefan Metzmacher
8332941953 auth/gensec: add gensec_child_* helper functions
They will be used to simplify the spnego backend
and maybe of some use for a future negoex backend.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:09 +02:00
Stefan Metzmacher
2aab27fef5 auth/gensec: reset existing context on gensec_start_mech()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:09 +02:00
Stefan Metzmacher
1d7ffba0be auth/gensec: make gensec_start_mech() static
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:09 +02:00
Stefan Metzmacher
39b0ba4f96 auth/gensec: add some basic doxygen comments for gensec_{want,have}_feature()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:09 +02:00
Stefan Metzmacher
8ddf3166d4 auth/spnego: always announce GENSEC_FEATURE_SIGN_PKT_HEADER support.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:09 +02:00
Stefan Metzmacher
76693c197a auth/gensec: call gensec_verify_features() also after update_recv() in gensec_update_ev()
This is no a real problem until now, because the only backends with update_send()/recv()
are "schannel" (which only supports AUTH_LEVEL_{INTEGRITY,PRIVACY}) and
"naclrpc_as_system" (which doesn't support any protection beside using unix
domain sockets).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:08 +02:00
Stefan Metzmacher
31691963b3 auth/spnego: fix gensec_update_ev() argument order for the SPNEGO_FALLBACK case
This went unnoticed so long as we don't use -Wc++-compat
and gensec_update_ev() used the sync update() hook for all
NTLMSSP and Kerberos.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:08 +02:00
Jeremy Allison
3cfa58de12 gensec: Add a TALLOC_CTX * to gensec_register().
Pass in the TALLOC_CTX * from the module init to remove
another talloc_autofree_context() use.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-05-13 16:50:13 +02:00
Jeremy Allison
306783d6f5 lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)
Not currently used - no logic changes inside.

This will make it possible to pass down a long-lived talloc
context from the loading function for modules to use instead
of having them internally all use talloc_autofree_context()
which is a hidden global.

Updated all known module interface numbers, and added a
WHATSNEW.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
2017-04-22 01:17:00 +02:00
Andrew Bartlett
d004196036 auth: Add hooks for notification of authentication events over the message bus
This will allow tests to be written to confirm the correct events are triggered.

We pass in a messaging context from the callers

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00
Andrew Bartlett
366f8cf090 auth: Log the transport connection for the authorization
We also log if a simple bind was over TLS, as this particular case matters to a lot of folks

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:27 +02:00
Andrew Bartlett
0e508853fc auth_log: Also log the final type of authentication (ntlmssp,krb5)
Administrators really care about how their users were authenticated, so make
this clear.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:27 +02:00
Andrew Bartlett
a0ab86dedc auth: Add logging of service authorization
In ntlm_auth.c and authdata.c, the session info will be incomplete

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:27 +02:00
Andrew Bartlett
2d6066dbbf gensec: Add gensec_{get,set}_target_service_description()
This allows a free text description of what the server-side service is for logging
purposes where the various services may be using the same Kerberos service or not
use Kerberos.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:25 +02:00
Stefan Metzmacher
4194a67c7e gensec:spnego: Add debug message for the failed principal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12557

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-03-02 08:39:23 +01:00
Chris Lamb
897375e675 Correct "overriden" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:21 +01:00
Stefan Metzmacher
99ffef3de2 auth/gensec: convert external.c to provide update_send/recv
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-01-12 15:35:14 +01:00
Stefan Metzmacher
ac6083eb72 auth/gensec: convert ncalrpc.c to provide update_send/recv
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-01-12 15:35:14 +01:00
Stefan Metzmacher
b8abd4a8a2 auth/gensec: convert schannel.c to provide update_send/recv
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-01-12 15:35:14 +01:00
Stefan Metzmacher
c9f5a89809 auth/gensec: remove unused prototype headers
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-01-12 15:35:14 +01:00
Stefan Metzmacher
4b295b106c wscript: remove executable bits for all wscript* files
These files should not be executable.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144
2017-01-11 20:21:01 +01:00
Stefan Metzmacher
81b0912863 auth/gensec: handle DCERPC_AUTH_LEVEL_PACKET similar to DCERPC_AUTH_LEVEL_INTEGRITY
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:12 +02:00
Stefan Metzmacher
5204ad6a14 auth/gensec: only require GENSEC_FEATURE_SIGN for DCERPC_AUTH_LEVEL_INTEGRITY as client
On the server this check is deferred to the first request.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:12 +02:00
Stefan Metzmacher
5db81a1101 auth/gensec: always verify the wanted SIGN/SEAL flags
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:12 +02:00
Stefan Metzmacher
6fb4453d1e gensec/spnego: remember the wanted features also on the main gensec context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:12 +02:00
Stefan Metzmacher
9b45ba5cd5 gensec/spnego: work around missing server mechListMIC in SMB servers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>

Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Fri Sep  2 18:10:44 CEST 2016 on sn-devel-144
2016-09-02 18:10:43 +02:00
Garming Sam
2840ebc76f typo: mandetory -> mandatory
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-05 00:00:15 +02:00
Volker Lendecke
93b982faad lib: Give base64.c its own .h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-05-04 01:28:23 +02:00
Christof Schmitt
8bb4fccd27 gensec: Change log level of message when no PAC is found
For a Samba server that uses a non-AD KDC this message is triggered on
every new connection. Change the log level from warning/1 to a more
appropriate notice/5.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-04-30 01:01:42 +02:00
Stefan Metzmacher
db9c01a519 auth/spnego: add spnego:simulate_w2k option for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-28 16:51:17 +02:00
Stefan Metzmacher
6546295852 auth/spnego: only try to verify the mechListMic if signing was negotiated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-28 16:51:16 +02:00
Stefan Metzmacher
032c2733de auth/spnego: handle broken mechListMIC response from Windows 2000
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11870

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-28 16:51:16 +02:00
Stefan Metzmacher
9930bd17f2 auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-28 16:51:16 +02:00
Stefan Metzmacher
7074b1aa16 CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
This depends on the DCERPC auth level.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:23 +02:00
Stefan Metzmacher
2200d49cc6 CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
It doesn't make any sense to allow other auth levels.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:23 +02:00
Stefan Metzmacher
1e3bd3e6ac CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
[MS-SPNG] requires the NTLMSSP RC4 states to be reset after
the SPNEGO exchange with mechListMic verification (new_spnego).

This provides the infrastructure for this feature.

The 'reset_full' parameter is needed to support the broken
behavior that windows only resets the RC4 states but not the
sequence numbers. Which means this functionality is completely
useless... But we want to work against all windows versions...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:23 +02:00
Stefan Metzmacher
a4dd512946 CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
This used to work more or less before, but only for krb5 with the
server finishing first.

With NTLMSSP and new_spnego the client will finish first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:23 +02:00
Stefan Metzmacher
4ec38db6f1 CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
New servers response with SPNEGO_REQUEST_MIC instead of
SPNEGO_ACCEPT_INCOMPLETE to a downgrade.

With just KRB5 and NTLMSSP this doesn't happen, but we
want to be prepared for the future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:22 +02:00
Stefan Metzmacher
4106fde318 CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
Even for SMB where the server provides its mech list,
the client needs to remember its own mech list for the
mechListMIC calculation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:22 +02:00
Stefan Metzmacher
57946ac7c1 auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
We only need this logic once.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-17 17:17:16 +01:00
Stefan Metzmacher
cc3dea5a81 auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
ops->auth_type == 0, means the backend doesn't support DCERPC.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-17 17:17:16 +01:00
Stefan Metzmacher
069aee42c2 auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
This will be used for LDAP connections and may trigger
backend specific behaviour.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
0a93cad337 auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00
Stefan Metzmacher
8efcb49435 auth/gensec: make gensec_security_by_name() public
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:27 +01:00
Stefan Metzmacher
64364e365c auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
We do that for all other gensec_security_by_*() functions already.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:27 +01:00
Stefan Metzmacher
5e913af833 auth/gensec: keep a pointer to a possible child/sub gensec_security context
This is a hack in order to temporary implement something like:
gensec_ntlmssp_server_domain(), which may be used within spnego.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:27 +01:00
Jelmer Vernooij
da8674c72a Rename 'errors' to 'samba-errors' and make it public.
This is necessary because it has public headers.

Signed-off-by: Jelmer Vernooij <jelmer@jelmer.uk>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Wed Jan 13 07:47:04 CET 2016 on sn-devel-144
2016-01-13 07:47:04 +01:00
Jelmer Vernooij
c46a8cf258 Make gensec private, for now.
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Volker Lendecke
57a0bc9a9f lib: Use asn1_has_error()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
ad630a681e asn1: Make asn1_peek_full_tag return 0/errno
We don't need the full power of NTSTATUS here. This was the only
NTSTATUS in asn1.h, so I think it's worth removing it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:17 +01:00
Jeremy Allison
d4059e1a53 auth: gensec: Parameters out_mem_ctx and ev are passed in the wrong order to gensec_spnego_server_try_fallback().
Fix suggested by <lev@zadarastorage.com>. Fixes a memory leak.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11565

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Oct 22 11:27:19 CEST 2015 on sn-devel-104
2015-10-22 11:27:19 +02:00
Volker Lendecke
2fbce8ad0a gensec: Fix CID 242642 Unchecked return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
2015-08-20 12:49:21 +02:00
Stefan Metzmacher
2cd3e51e19 auth/gensec: remove unused gensec_[un]wrap_packets() hooks
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:08 +02:00
Stefan Metzmacher
756508c8c3 auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL before starting
We want to set GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL based on the given
auth_level and should not have GENSEC_FEATURE_SEAL if
DCERPC_AUTH_LEVEL_INTEGRITY is desired.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Stefan Metzmacher
3542d33314 auth/gensec: gensec_[un]seal_packet() should only work with GENSEC_FEATURE_DCE_STYLE
gensec_sig_size() also requires GENSEC_FEATURE_DCE_STYLE if
GENSEC_FEATURE_SEAL is negotiated.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Jeremy Allison
5deb8169fe dcerpc: NULL pointer deref crash in handling rpc request.
source4/rpc_server/dcerpc_server.c:dcesrv_request() calls gensec_have_feature().

Codenomicon found a code path that allows the client to send a
request that calls into this function without ever having set
up security. So call->conn->auth_state.gensec_security exists
(gensec has been initialized when the RPC pipe is set up)
but call->conn->auth_state.gensec_security->ops has not been
initialized. We dereference the NULL pointer and crash.

An alternate way to fix this would be to create a new
public bool gensec_initialized(() function and call that
inside dcesrv_request() instead of doing a null
check on call->conn->auth_state.gensec_security,
but that's a more invasive fix we can add later.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11341

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-06-18 19:25:27 +02:00
Andrew Bartlett
5f01bb1b06 build: Add talloc and samba-debug dep for gensec_external module
On a host without a talloc.h, this caused the build to fail

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Mar 19 18:01:09 CET 2015 on sn-devel-104
2015-03-19 18:01:09 +01:00
Stefan Metzmacher
153938a1f2 auth/gensec: add support for SEC_CHAN_DNS_DOMAIN to schannel_update()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Stefan Metzmacher
6ec32d7e12 auth/gensec: make sure we keep a DCERPC_AUTH_TYPE_SCHANNEL backend if required
Even with CRED_MUST_USE_KERBEROS we should keep the DCERPC_AUTH_TYPE_SCHANNEL
backend arround, this can only be specified explicitely by the caller
and cli_credentials_get_netlogon_creds() != NULL is the strong indication
that the caller is using DCERPC_AUTH_TYPE_SCHANNEL *now*.

With trusts against AD domain we can reliable use kerberos and netlogon
secure channel for authentication.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Jeremy Allison
4dba8fd599 auth: gensec: asn1 fixes - check all returns.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
2014-09-26 00:51:16 +02:00
Andreas Schneider
788f72f8eb gensec: add DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM backend
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-04-24 11:21:05 +02:00
Stefan Metzmacher
fc59cc3102 auth/gensec: use auth_ctx->generate_session_info() for schannel
This way we generate a correct session info for the s3 rpc_server,
including a unix token.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-24 11:21:05 +02:00
Andrew Bartlett
c3baddf271 auth: Pass though error from GENSEC sub-mechanism
This allows wrong-password or account-locked-out errors to be passed
though from Kerberos (gssapi).

Andrew Bartlett

Change-Id: I4bc11a1ad98dfbcc5a4ad9101cd843a7a59f0b59
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:45 +02:00
Stefan Metzmacher
01c029993c auth/gensec/spnego: map SPNEGO_REJECT to NT_STATUS_LOGON_FAILURE
This is what NTLMSSP also gives.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 27 02:34:36 CET 2014 on sn-devel-104
2014-03-27 02:34:36 +01:00
Stefan Metzmacher
2103c373b4 auth/gensec: remove tevent_context argument from gensec_update()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:32 +01:00
Stefan Metzmacher
b2b239a854 auth/gensec: make use of gensec_update_ev() in spnego.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:31 +01:00
Stefan Metzmacher
79f5275db2 auth/gensec: add a gensec_update_ev() function
This is the current gensec_update() which takes an optional
tevent_context structure and allows semi-async code.

This is just a temporary solution on the way to kill
the semi-async code completely, by using gensec_update_send/recv.

By providing a gensec_update_ev(), we can remove the explicit
tevent_context from gensec_update() and fix all the sane callers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:31 +01:00
Stefan Metzmacher
2ac1ca40f3 auth/gensec: fix gensec_update() with ev == NULL.
In future we should remove the tevent_context argument from
gensec_update() completely!

If we have sane backends we should also remove the
tevent_loop_allow_nesting() call again!
t
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:31 +01:00
Stefan Metzmacher
31a92744bf auth/gensec: only include "librpc/gen_ndr/dcerpc.h"
We only need some DCERPC_ defines.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-13 11:54:13 +01:00
Stefan Metzmacher
03006d0e44 auth/gensec: implement GENSEC_FEATURE_SIGN_PKT_HEADER in schannel.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 00:27:11 +01:00
Stefan Metzmacher
616cd00995 auth/gensec: move libcli/auth/schannel_sign.c into schannel.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 00:27:11 +01:00
Günther Deschner
4f979525e4 gensec: check for NULL gensec_security in gensec_security_by_auth_type().
We have equivalent checks in other gensec_security_by_X calls already.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-19 11:09:06 +02:00
Günther Deschner
d433ad077f gensec: remove duplicate gensec_security_by_authtype() call.
We should use the equivalent gensec_security_by_auth_type() call which is
exposed in the public header.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-19 11:08:56 +02:00
Günther Deschner
4d2ec9e37e gensec: move schannel module to toplevel.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-19 11:08:44 +02:00
Howard Chu
6bf59b03d7 Add SASL/EXTERNAL gensec module
Signed-off-by: Howard Chu <hyc@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-09-18 19:47:55 +02:00
Andrew Bartlett
3f464ca1f5 auth/credentials: Add cli_credentials_{set,get}_forced_sasl_mech()
This will allow us to force the use of only DIGEST-MD5, for example, which is useful
to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-09-16 14:44:28 -07:00
Volker Lendecke
980c757388 gensec: Fix CID 1063258 Uninitialized scalar variable
Signed-off-by: Volker Lendecke <vl@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-19 11:16:26 +12:00
Stefan Metzmacher
966faef9c6 auth/gensec: treat struct gensec_security_ops as const if possible.
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:04 +02:00
Stefan Metzmacher
c81b6f7448 auth/gensec: use 'const char * const *' for function parameters
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:04 +02:00
Stefan Metzmacher
e81550c811 auth/gensec: make it possible to implement async backends
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:03 +02:00
Stefan Metzmacher
6a7a44db59 auth/gensec: avoid talloc_reference in gensec_security_mechs()
We now always copy.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:03 +02:00
Stefan Metzmacher
3e3534f882 auth/gensec: avoid talloc_reference in gensec_use_kerberos_mechs()
We now always copy.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:03 +02:00
Stefan Metzmacher
71c63e85e7 auth/gensec: introduce gensec_internal.h
We should treat most gensec related structures private.

It's a long way, but this is a start.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:02 +02:00
Stefan Metzmacher
59b09564a7 auth/gensec: add gensec_security_by_auth_type()
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:18:56 +02:00
Stefan Metzmacher
45c74c8084 auth/gensec: first check GENSEC_FEATURE_SESSION_KEY before returning NOT_IMPLEMENTED
Preferr NT_STATUS_NO_USER_SESSION_KEY as return value of gensec_session_key().

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:18:55 +02:00
Volker Lendecke
26b6e28082 gensec: Make gensec_security_oids_from_ops static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 15 20:05:34 CEST 2013 on sn-devel-104
2013-05-15 20:05:34 +02:00
Volker Lendecke
85220eaa9c gensec: Make gensec_security_by_sasl_list static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-05-15 18:19:09 +02:00
Volker Lendecke
eb6ebe689f gensec: Make gensec_interface_version public
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-05-15 18:19:09 +02:00
Andrew Bartlett
df004b5014 gensec: Allow login without a PAC by default (bug #9581)
The sense of this test was inverted.  We only want to take the ACCESS_DENIED error
if gensec:require_pac=true.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-24 14:18:22 +01:00
Volker Lendecke
8a6a13ab51 auth: Fix some nonempty blank lines
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-09-20 19:49:32 -07:00
Andrew Bartlett
ab80b99815 auth/gensec: Remove unused gensec_security parameter 2012-07-03 08:13:01 +10:00
Stefan Metzmacher
9ac855c8b8 auth/gensec: implement gensec_spnego_expire_time()
metze
2012-05-17 20:04:33 +02:00
Stefan Metzmacher
dce6fdf195 auth/gensec: add gensec_expire_time()
metze
2012-05-17 20:04:32 +02:00
Simo Sorce
88d5d5c4b4 auth-krb: Nove oid packet check to gensec_util.
This is clearly a utiliy function generic to gensec.  Also the 3 callers
had identical implementations. Provide a generic implementation for all
of them and avoid duplicating the code everywhere.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
93aa4511b9 gensec_gssapi: keep private header file close to the actual code
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Stefan Metzmacher
7c715207ad auth/gensec_gssapi: gss_krb5_lucid_context_v1_t is not shared with the gse code anymore
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Mar 15 09:16:16 CET 2012 on sn-devel-104
2012-03-15 09:16:16 +01:00
Andrew Bartlett
c35a7e8c47 auth: Allow the netbios name and domain to be set from winbindd in ntlm_auth3
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Feb 17 12:18:51 CET 2012 on sn-devel-104
2012-02-17 12:18:51 +01:00
Andrew Bartlett
55c630404a auth: Provide a way to specify the NTLMSSP server name to GENSEC
This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller
knows better.  This will allow preservation of current s3 behaviour.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
d2ccaaad20 gensec: explain gensec_use_kerberos_mechs() logic
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Feb 10 12:36:23 CET 2012 on sn-devel-104
2012-02-10 12:36:23 +01:00
Andrew Bartlett
93f3fc54e4 gensec: set flag to continue in outer for loop in gensec_use_kerberos_mechs
This should be the correct fix for the valgrind erorr Volker found in
744ed53a62.  This fix avoids putting
SPNEGO into the list twice when we are in the CRED_DONT_USE_KERBEROS
case.

Andrew Bartlett
2012-02-10 20:49:24 +11:00
Andrew Bartlett
901e3b7246 Revert "gensec: Fix a memory corruption in gensec_use_kerberos_mechs"
This reverts commit 744ed53a62.

The real bug here is that the second half of the outer loop should not
have been run once we found spnego.

Andrew Bartlett
2012-02-10 20:49:24 +11:00
Volker Lendecke
744ed53a62 gensec: Fix a memory corruption in gensec_use_kerberos_mechs
Without this I get the following valgrind error:

==27740== Invalid write of size 8
==27740==    at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112)
==27740==    by 0x62C623: gensec_security_mechs (gensec_start.c:141)
==27740==    by 0x62C777: gensec_security_by_oid (gensec_start.c:181)
==27740==    by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735)
==27740==    by 0x50D6FD: negprot_spnego (negprot.c:210)
==27740==    by 0x5B0DEA: smbd_smb2_request_process_negprot (smb2_negprot.c:209)
==27740==    by 0x5AD036: smbd_smb2_request_dispatch (smb2_server.c:1417)
==27740==    by 0x5AFB77: smbd_smb2_first_negprot (smb2_server.c:2643)
==27740==    by 0x585C00: process_smb (process.c:1641)
==27740==    by 0x587F78: smbd_server_connection_read_handler (process.c:2314)
==27740==    by 0x587FD6: smbd_server_connection_handler (process.c:2331)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x584AFF: smbd_server_connection_loop_once (process.c:984)
==27740==    by 0x58B2D9: smbd_process (process.c:3389)
==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740==    by 0xDE6DD8: main (server.c:1413)
==27740==  Address 0x9ff3538 is 4,232 bytes inside a block of size 8,288 alloc'd
==27740==    at 0x4C261D7: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27740==    by 0x6926965: __talloc (talloc.c:560)
==27740==    by 0x6926771: talloc_pool (talloc.c:598)
==27740==    by 0x93B927: talloc_stackframe_internal (talloc_stack.c:145)
==27740==    by 0x93B9D6: talloc_stackframe_pool (talloc_stack.c:171)
==27740==    by 0x58B2B7: smbd_process (process.c:3385)
==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740==    by 0xDE6DD8: main (server.c:1413)

In the for-loop we can increment j twice, so we need twice as many output array
elements as input array elements.

Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Thu Feb  9 19:44:47 CET 2012 on sn-devel-104
2012-02-09 19:44:47 +01:00
Andrew Bartlett
3ddb983c10 gensec: inline gensec_generate_session_info() into only caller
This avoids casting to and from the struct auth_user_info_dc *user_info_dc

to to this, the

if (user_info_dc->info->authenticated)

is moved into auth_generate_session_info_wrapper(), which is the
function that gensec_security->auth_context->generate_session_info
points to.

Andrew Bartlett
2012-01-30 08:05:14 +01:00
Stefan Metzmacher
8dd63b9343 auth/gensec_gssapi: sync gensec_gssapi_state with gse_context
Both use gss_krb5_lucid_context_v1_t now.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 25 10:22:31 CET 2012 on sn-devel-104
2012-01-25 10:22:31 +01:00
Andrew Bartlett
6411faf379 auth/gensec: align common elements between gse_context and gensec_gssapi_state
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 18 19:29:40 CET 2012 on sn-devel-104
2012-01-18 19:29:40 +01:00
Stefan Metzmacher
342be2851a s3:build: add auth/gensec/spnego.o
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Jan 13 06:32:30 CET 2012 on sn-devel-104
2012-01-13 06:32:30 +01:00