1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

34 Commits

Author SHA1 Message Date
Andrew Bartlett
a5d57a04c2 auth/credentials: Do not print passwords in a talloc memory dump
The fact that a password was created here is enough information, so
overwrite with the function name and line.

Andrew Bartlett
2012-08-31 14:30:38 +10:00
Andrew Bartlett
5131359eda auth/credentials: Support match-by-key in cli_credentials_get_server_gss_creds()
This allows a password alone to be used to accept kerberos tickets.

Of course, we need to have got the salt right, but we do not need also
the correct kvno.  This allows gensec_gssapi to accept tickets based on
a secrets.tdb entry.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Aug 30 01:26:12 CEST 2012 on sn-devel-104
2012-08-30 01:26:12 +02:00
Andrew Bartlett
17337cfec0 auth/credentials: Remove unused, and un-declared cli_credentials_set_krbtgt() 2012-08-29 11:34:52 +10:00
Andrew Bartlett
beafdd6410 auth/credentials: Better integrate fetch of secrets.tdb and secrets.ldb records
By checking first if there is a secrets.tdb record and passing in the password and last change time
we avoid setting one series of values and then replacing them.  We also avoid the need to work
around the setting of anonymous.

Andrew Bartlett
2012-08-29 11:34:52 +10:00
Andrew Bartlett
a0e4bdcb5b auth/credentials: Improve memory handling in cli_credentials_set_machine_account
By using a tempoary talloc context this is much tidier and more reliable code.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug 29 03:11:10 CEST 2012 on sn-devel-104
2012-08-29 03:11:09 +02:00
Andrew Bartlett
bcc29f9e73 auth/credentials: Avoid double-free in the failure case
This pointer is only valid if dbwrap_fetch returned success.

Andrew Bartlett
2012-08-29 09:09:10 +10:00
Andrew Bartlett
f873d422b1 auth/credentials: Rework credentials handling to try and find the most recent machine pw
As winbindd will update secrets.tdb but not secrets.ldb, we need to detect this and use secrets.tdb

Andrew Bartlett
2012-08-28 07:57:29 +10:00
Andrew Bartlett
e66fa2c813 auth/credentials: Expand secrets.tdb fetch of secrets to preserve workstation and realm
These would otherwise be set during the fetch from the secrets.ldb, but are wiped when that fails.

Andrew Bartlett
2012-08-28 07:57:29 +10:00
Björn Jacke
13f8674a15 build: rename security → samba-security
there is a libsecurity on OSF1 which clasheѕ with our security lib. see bug #9023.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Fri Aug 10 14:22:21 CEST 2012 on sn-devel-104
2012-08-10 14:22:20 +02:00
Andrew Bartlett
cbc30833d6 auth/credentials: Remove extra newline 2012-07-19 04:04:20 +02:00
Andrew Bartlett
dff29e4aee auth/credentials: Look in the secrets.tdb for the machine account
This is for use with the -P/--machine-pass option.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Jul 15 05:41:28 CEST 2012 on sn-devel-104
2012-07-15 05:41:27 +02:00
Alexander Bokovoy
dc3f74a953 auth/credentials: 'workgroup' set via command line will not drop existing ccache
The root cause for existing ccache being invalidated was use of global loadparm with
'workgroup' value set as if from command line. However, we don't really need to take
'workgroup' parameter value's nature into account when invalidating existing ccache.
When -U is used on the command line, one can specify a password to force ccache
invalidation.

The commit also reverts previous fix now that root cause is clear.
2012-05-24 16:21:26 +02:00
Alexander Bokovoy
ec989e7c40 auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials
When credentials API is used by a client-side program that already as fetched required
tickets into a ccache, we need to skip re-initializing ccache. This is used in FreeIPA
when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets
already.
2012-05-23 17:51:50 +03:00
Simo Sorce
302abe6190 auth and s4-rpc_server: Do not use features we currently can't implement with MIT Kerbros build 2012-05-23 17:51:49 +03:00
Andreas Schneider
5832c61c5f s4-auth: Use smb_krb5_cc_get_lifetime() wrapper.
Signed-off-by: Simo Sorce <idra@samba.org>
2012-05-04 16:51:29 +02:00
Alexander Bokovoy
594e316181 lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into lib/replace/system/gssapi.h
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.

Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.

Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
2012-04-25 00:18:32 +02:00
Simo Sorce
08c733d75f Make krb5 wrapper library common so they can be used all over 2012-04-23 19:20:38 -04:00
Simo Sorce
a925c2c48d srv_keytab: Pass krb5_context directly, it's all we use anyways.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
f116262a73 s4-auth-krb: Remove dependency on credentials too.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
a46e465ce0 s4-auth-krb: Remove unneded dependency on kerberos_util.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
b226955587 s4-auth-krb: Move keytab functions in a separate file.
Confine ldb dependency.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Simo Sorce
670dbde65e s4-auth-krb: Move function into more appropriate header.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Simo Sorce
70f1cd6724 s4-auth-krb: Make cli_credentials_invalidate_client_gss_creds static.
It's not used anywhere else.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Simo Sorce
b574e7cd81 s4-auth-krb: Make impersonate_principal_from_credentials static.
It's not used anywhere else.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:41 +02:00
Andrew Bartlett
292b86394f credentials: Show returned error_string in debug message 2012-02-10 15:20:33 +11:00
Andrew Bartlett
356f7989eb auth/credentials Remove debug that prints in normal operation
The fact that this function is unimplemented is unimportant to the callers
as credential caches are not handled via the auth/credentials code in s3.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jan  9 03:24:36 CET 2012 on sn-devel-104
2012-01-09 03:24:36 +01:00
Andrew Bartlett
1baf916399 credentials: Always honour the return value of E_deshash()
When this returns false, the hash value is not correct as the password
could not be converted into an uppercase, 14 char or less ASCII string.

Andrew Bartlett
2011-12-28 22:39:19 +11:00
Andrew Bartlett
dbbb626dc0 s4-dns Use match-by-key in GSSAPI server if principal is not specified
This allows dlz_bind9 to match on exactly the same key as bind9 itself

Andrew Bartlett

Autobuild-User: Amitay Isaacs <amitay@samba.org>
Autobuild-Date: Wed Dec  7 02:20:10 CET 2011 on sn-devel-104
2011-12-07 02:20:10 +01:00
Jeremy Allison
3e6e1aed94 Fix a bunch of "warning: variable ‘XXXX’ set but not used [-Wunused-but-set-variable]" warnings from the new gcc.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Mon Nov 21 23:39:08 CET 2011 on sn-devel-104
2011-11-21 23:39:08 +01:00
Andrew Tridgell
ba41389d3d test: fixed several tests to use samba.tests
this fixes error checking. Test failures were not being detected
otherwise

Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
2011-11-10 14:24:21 +11:00
Andrew Bartlett
5e6543ad76 build: compile gensec_start.c and credentials.c in the autoconf build
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Andrew Bartlett
734e5c521c credentials: Prioritise command-line specified options above defaults from smb.conf
If a user specified -W or --realm on the command line, then this is
of level SPECIFIED, not UNINITIALISED, despite it going via the
loadparm system.

This helps us to ensure that -W server -Ulocaluser is parsed the
same as -Userver\localuser.  This matters as otherwise we might
instead attempt to use kerberos to the realm from the smb.conf.

Andrew Bartlett
2011-10-18 13:13:30 +11:00
Andrew Bartlett
534355fecf auth/credentials Declare remaining functions are public interfaces and put into credentials.h
This is in preperation for this file being used by s3, and recognises that these are all
reasonable, public interfaces but were not declared as such in the past.

Andrew Bartlett
2011-10-11 13:41:36 +11:00
Andrew Bartlett
561d834123 auth: move credentials layer to the top level
This will allow gensec_start.c to move to the top level.  This does not change
what code uses the cli_credentials code, but allows the gensec code to be
more broadly.

Andrew Bartlett
2011-10-11 13:41:36 +11:00