1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

1737 Commits

Author SHA1 Message Date
Stefan Metzmacher
96a4b1463f s4:auth/gensec_cyrus_sasl: remove compiler warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-20 20:43:12 +01:00
Stefan Metzmacher
f99d9548fd s4:auth/gensec_gssapi: remove allow_warnings=True
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-20 20:43:12 +01:00
Stefan Metzmacher
2bf79c419d s4:auth/gensec_gssapi: remove compiler warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-20 20:43:12 +01:00
Andrew Bartlett
91629aeb48 pygensec: Add bindings for gensec_set_target_service and gensec_set_target_hostname
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2015-03-16 03:00:07 +01:00
Stefan Metzmacher
09b3e42e70 s4:auth/gensec_gssapi: let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors
The 'nt_status' variable is set to NT_STATUS_OK before.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11164

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-03-16 03:00:06 +01:00
Andrew Bartlett
bc8b580659 auth/kerberos: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY in kerberos_create_pac()
This ensures that in the all-Samba PAC creation code, we do not escape a space character if present
in the logon name.  This matches what we do in the Heimdal code in the KDC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Volker Lendecke
a99a5a34a5 Fix the developer O3 build
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Feb 25 16:32:29 CET 2015 on sn-devel-104
2015-02-25 16:32:29 +01:00
Andrew Bartlett
bdde51b26f auth/kerberos: Use talloc_stackframe to avoid memory and FD leak of event context
The smb_krb5_send_and_recv_func_forced and smb_krb5_send_and_recv_func
functions could leak an event context including an epoll FD and some
memory.  This may explain a flapping test in krb5.kdc

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by:  Kamen Mazdrashki <kamenim@samba.org>
2015-02-08 08:07:08 +01:00
Andrew Bartlett
9a0aa6f6f7 torture: Start a new testsuite for krb5 and KDC behaviour
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-01-23 05:42:07 +01:00
Andrew Bartlett
452cc51e10 CVE-2014-8143:auth: Force talloc type of session_info pointer to match
This helps us keep things safe in LDB where we put this in a opaque pointer.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Andrew Bartlett

Change-Id: I46fe53ba655ca0810c276b72fbca524884cdf22d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-15 12:33:08 +01:00
Andrew Bartlett
121bbc0184 gensec_krb5: Match behaviour of gensec_gssapi for password-based keytabs
This allows the winbind.pac.krb5 test to pass against the s3member environment, which uses the password from secrets.tdb.

Andrew Bartlett

Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2014-12-18 00:25:06 +01:00
Günther Deschner
edda534454 s4-auth/kerberos: fix salting principal, make sure hostname is lowercase.
Found at MS interop event while working on AES kerberos key support.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Sep 26 23:37:09 CEST 2014 on sn-devel-104
2014-09-26 23:37:09 +02:00
Jeremy Allison
e6cf99c9d9 s4: auth: gensec: asn1 fixes - check all returns.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
2014-09-26 00:51:16 +02:00
Andrew Bartlett
3cd5e67226 s4-auth: Use sizeof() rather than a fixed constant in memcmp() call
Change-Id: I2807cf2af9e4c3282e6ff54a6dd8e90f34e9481f
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
2014-09-08 07:26:34 +02:00
Andrew Bartlett
80be6993c9 auth: Split out fetching trusted domain into sam_get_results_trust()
This new helper function will also be used by pdb_samba_dsdb.

Change-Id: I008af94a0822012c211cfcc6108a8b1285f4d7c7
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-01 00:36:42 +02:00
Andrew Bartlett
79ee8fc82c s4-gensec: Fix spelling in debug message
Change-Id: Ia0218c4b1f714d1b829ab0ce5851a4d02a1bf5df
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
2014-09-01 00:36:41 +02:00
Andreas Schneider
0e45b40511 s4-auth: Initialize the tokens by default.
Found with valgrind.

Signed-off-by: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Aug  8 19:01:56 CEST 2014 on sn-devel-104
2014-08-08 19:01:56 +02:00
Andreas Schneider
3913961546 wscript: Only build gensec_krb5 with heimdal.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-08 16:37:35 +02:00
Günther Deschner
d487bce3ab s4-gensec_krb5: fix memleak in gensec_krb5_session_info().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-08 06:02:35 +02:00
Günther Deschner
759c9b03e4 s4-auth/kerberos: add a note how to implement krb5_get_init_creds_opt_set_win2k() with MIT.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-08 06:02:35 +02:00
Günther Deschner
7f61950398 s4-kerberos: remove duplicate macros.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-08 06:02:34 +02:00
Günther Deschner
5c663685eb lib/krb5_wrap: move krb5_princ_size replacement code to lib/krb5_wrap/krb5_samba.c.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-08 06:02:34 +02:00
Günther Deschner
22c6766693 samba: use smb_krb5_create_key_from_string() in some places.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
2014-08-08 06:02:34 +02:00
Samuel Cabrero
caa42ed385 s4-auth-krb: Fix talloc access after free in smb_krb5_update_keytab
Change-Id: Iaa168d520f124e0c43c7edd649318f0b8ee25020
Signed-off-by: Samuel Cabrero <scabrero@zentyal.com>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Kamen Mazdrashki <kamenim@samba.org>
Autobuild-Date(master): Tue Jul  8 16:51:09 CEST 2014 on sn-devel-104
2014-07-08 16:51:09 +02:00
Andrew Bartlett
0b77cd969c s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd
This changes the auth code in winbindd to use this as a flag, and to
therefore contact the RW DC.

Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
2014-07-04 02:52:35 +02:00
Andrew Bartlett
597d2a7a29 auth: Provide a way to use the auth stack for winbindd authentication
This adds in flags that allow winbindd to request authentication
without directly calling into the auth_sam module.

That in turn will allow winbindd to call auth_samba4 and so permit
winbindd operation in the AD DC.

Andrew Bartlett

Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Andrew Bartlett
6c37cd6544 auth: Allow auth_samba4 to be forced to run a specific auth module
This will allow new tests to be written to validate winbindd authentication results

Andrew Bartlett

Change-Id: I008eba1de349b17ee4eb9f11be08338557dffecc
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-05-16 10:23:26 +02:00
Andrew Bartlett
a2f3c351fa s4:auth_winbind: explicitly use dcerpc_binding_handle_set_sync_ev() for irpc
This indicates that we're using nested event loops...

Andrew Bartlett

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Change-Id: I08f21876d42197f76fe3ae10b4f464626d70bf5a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-05-13 00:08:12 +02:00
Andrew Bartlett
086c06e361 kerberos: Remove un-used event context argument from smb_krb5_init_context()
The event context here was only specified in the server or admin-tool
context, which does not do network communication, so this only caused
a talloc_reference() and never any useful result.

The actual network communication code sets an event context directly
before making the network call.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
2014-04-28 02:24:57 +02:00
Andrew Bartlett
aa79989508 s4-auth: Make the auth_winbind_wbclient use more correct code now in auth/wbc_auth_util.c
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-04-18 20:08:09 +02:00
Andrew Bartlett
d7ce127de9 auth: Remove support for HAVE_TRUNCATED_SALT from pass_check.c
The comments indicate that this was needed for HP-UX at one point, but
the configure code was never ported to WAF.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 15 12:32:09 CEST 2014 on sn-devel-104
2014-04-15 12:32:09 +02:00
Andrew Bartlett
634cc8fdff auth: Remove USE_BOTH_CRYPT_CALLS block from pass_check.c
This code is dead since the move to the WAF build system, but was set
for HP-UX 9, 10 and 11 in the autoconf build system.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-15 10:13:12 +02:00
Andrew Bartlett
6e8eb60545 auth: Remove linux_bigcrypt support from pass_check.c
This is dead code, and probably has been for quite some time.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-15 10:13:12 +02:00
Andrew Bartlett
e731655f09 auth: Remove support for plaintext auth on systems that use getprpwnam()
The WAF build does not have the code to detect getprpwnam, so this is
dead code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-15 10:13:12 +02:00
Andrew Bartlett
3fa67e6346 auth: Remove afs_auth() from pass_check.c and s4's auth_unix
The waf build does not have code to detect support for AFS plaintext
authentication, so this is dead code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-15 10:13:12 +02:00
Andrew Bartlett
94f0716fff auth: Remove dfs_auth() from pass_check.c and s4's auth_unix
The waf build has no logic to detect DCE/DFS, so this plaintext
authentication mechanism is dead code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-15 10:13:12 +02:00
Andrew Bartlett
f557f82acc s4-auth: Support password history correctly, including allowing NTLM logins using the old password
This is only done during a 1 hour allowed period, by default.

We only update bad password count when not one of the last 3 passwords

Andrew Bartlett

Change-Id: I76fd8010ce273a21efb55f9601d17b9978a0acf0
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
8a89f7f4bc dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.c
This allows the password_hash code to call the same update routine.

Andrew Bartlett

Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
26c0eb623f auth: Split out badPwdCount update into a helper function
This will allow password_hash to call this using dsdb_module_*() functions.

Andrew Bartlett

Change-Id: Ib6705300f3f12f4e5e9c73bfd041e6f72bb3ac4a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
7e653f5ae2 s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and lockoutTime on successful login
Change-Id: I2530f08a91f9b6484203dbdaba988f2df1a04ea1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
0f3dd921b3 s4-auth: Rework memory handling to use a tmp_ctx
Change-Id: Iceb4a04dbd04f581d2bbade86213c8ecfa35d306
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
3f07737fd4 s4:auth: Add password lockout support to the AD DC
Including a fix by Arvid Requate <requate@univention.de>

Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Andrew Bartlett
a0de929009 dsdb: Put password lockout support in samdb_result_passwords()
This seems to be the best choke point to check for locked out
accounts, as aside from the KDC, all the password authentication and
change callers use it.

Andrew Bartlett

Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Andrew Bartlett
6f8fb163e0 dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User-Account-Control-Computed
This allows us to avoid the domain lookup in the constructed attribute
when not required.

By using msDS-User-Account-Control-Computed the lockout and password
expiry checks are now handled in the operational ldb module.

Andrew Bartlett

Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Stefan Metzmacher
9a36fabde0 s4:auth/sam: use a higher time resolution in authsam_account_ok()
Change-Id: I2961e7311f31e239a6768f56437e5c112a7a9bb0
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 17:12:46 +02:00
Andrew Bartlett
60024cdd73 kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to NT_STATUS_ACCOUNT_LOCKED_OUT
Change-Id: I333083e11a56d0f99ec36df25a96804d0ff2d110
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Stefan Metzmacher
daf6d0fb28 s4:auth/gensec: explicitly use allow_warnings=True for gssapi and sasl modules
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 09:03:46 +02:00
Stefan Metzmacher
fbc991c2e1 s4:auth/ntlm: add auth4_sam_init() prototype to avoid a warning
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 09:03:43 +02:00
Stefan Metzmacher
e1d5b8a734 s4:auth: avoid str_list related const warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 09:03:43 +02:00
Stefan Metzmacher
876f0e03de s4:auth/gensec: fix declaration after code warning in gensec_tstream.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 09:03:43 +02:00