1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

65 Commits

Author SHA1 Message Date
Jelmer Vernooij
8d933a84c9 credentials test: Use samba.tests.subunitrun.
Change-Id: I8970c66de9535cb8d48b17d88b2759b7d1e39cb8
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
f0fa5636e3 Remove unused imports.
Change-Id: I8915f62206edb53ffc2d89434e46d9e71db8bb9a
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-19 02:46:03 +01:00
Andrew Bartlett
e9dc6423d3 auth/credentials: Ensure that we set the realm when reading secrets.tdb
Otherwise, we try and kinit as host$@DOMAIN and that will not work.

Andrew Bartlett

Change-Id: Id2fde673423e74dfa1e6ac48f47f49c61ee59779
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
35b8ed7710 credentials: Allow the secret.tdb handle to be passed in to cli_credentials_set_machine_account()
This adds a new wrapper, cli_credentials_set_machine_account_db_ctx()

Andrew Bartlett

Change-Id: Ia2cceefede4ba9cf7f8de41986daf9372c19d997
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
89daf5dc53 credentials: Improve error message on failure to set machine account password
Change-Id: I4136067d6d0e5cfe92770a2e7efa39f4ebcb2aca
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
adb3eb79ea credentials: Set secure_channel_type from secrets.tdb in cli_credentials_set_machine_account
This should ensure more parts of the source4 code can work with a
password set in secrets.tdb.

Andrew Bartlett

Change-Id: I4a890a719246b073898333d2e04841904c6e1a5d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:06 +02:00
Andrew Bartlett
4281c11e3a credentials: Allow the secrets.tdb password to be newer than the secrets.ldb password
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-09-27 01:35:37 +02:00
Günther Deschner
abc2d812f5 auth/credentials_krb5: silence a build warning.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-08 06:02:35 +02:00
Günther Deschner
fb2a8b34c1 auth/credentials-krb5: use get_kerberos_allowed_etypes().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-08 06:02:34 +02:00
Andrew Bartlett
086c06e361 kerberos: Remove un-used event context argument from smb_krb5_init_context()
The event context here was only specified in the server or admin-tool
context, which does not do network communication, so this only caused
a talloc_reference() and never any useful result.

The actual network communication code sets an event context directly
before making the network call.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
2014-04-28 02:24:57 +02:00
Stefan Metzmacher
2aebf16ac1 auth/tests: add missing #include "torture/local/proto.h"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 09:03:44 +02:00
Michael Adam
7e766a0a8a dbwrap: add dbwrap_flags argument to dbwrap_local_open()
To be consistent with db_open() and prepare for future
possible extensions.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-02-07 16:06:07 +01:00
Stefan Metzmacher
556f66bd56 auth:credentials: avoid talloc_reference in cli_credentials_set_netlogon_creds()
Typically cli_credentials_set_netlogon_creds() should be used directly
before the DCERPC bind. And cli_credentials_get_netlogon_creds()
should be only used by the gensec layer, which only needs a copy.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct 16 23:56:01 CEST 2013 on sn-devel-104
2013-10-16 23:56:01 +02:00
Michael Adam
f33c1c89ee auth: fix space/tab mixup in cli_credentials_get_password()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-09-20 21:07:22 -07:00
Howard Chu
b3bb304036 Prepare for SASL/EXTERNAL support
Signed-off-by: Howard Chu <hyc@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-09-18 19:47:55 +02:00
Andrew Bartlett
3f464ca1f5 auth/credentials: Add cli_credentials_{set,get}_forced_sasl_mech()
This will allow us to force the use of only DIGEST-MD5, for example, which is useful
to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-09-16 14:44:28 -07:00
Stefan Metzmacher
b055b3118d auth/credentials: make sure cli_credentials_get_nt_hash() always returns a talloc object
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-12 16:48:43 +12:00
Stefan Metzmacher
b699d404bb auth/credentials: use CRED_CALLBACK_RESULT after a callback
We only do this if it's still CRED_CALLBACK after the callback,
this allowes the callback to overwrite it.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Aug  5 09:36:05 CEST 2013 on sn-devel-104
2013-08-05 09:36:05 +02:00
Stefan Metzmacher
8ea36a8e58 auth/credentials: simplify password_tries state
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:06 +12:00
Stefan Metzmacher
26a7420c1c auth/credentials: get the old password from secrets.tdb
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:05 +12:00
Stefan Metzmacher
9325bd9cb6 auth/credentials: keep cli_credentials private
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:05 +12:00
Stefan Metzmacher
b3cd44d50c auth/credentials: add cli_credentials_shallow_copy()
This is useful for testing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:01 +12:00
Stefan Metzmacher
6ff6778bdc auth/credentials: add cli_credentials_[set_]callback_data*
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:01 +12:00
Stefan Metzmacher
b8f0922645 auth/credentials: remove pointless talloc_reference() from cli_credentials_get_principal_and_obtained()
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:00 +12:00
Stefan Metzmacher
9535029258 auth/credentials: remove pointless talloc_reference() from cli_credentials_get_unparsed_name()
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:47:57 +12:00
Andrew Bartlett
fc13489c91 build: Build with system md5.h on OpenIndiana
This changes (again...) our system md5 detection to cope with how
OpenIndiana does md5.  I'm becoming increasingly convinced this isn't
worth our while (we should have just done samba_md5...), but for now
this change seems to work on FreeBSD, OpenIndiana and Linux with
libbsd.

This needs us to rename struct MD5Context -> MD5_CTX, but we provide a
config.h define to rename the type bad if MD5_CTX does not exist (it does
however exist in the md5.h from libbsd).

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 19 21:32:36 CEST 2013 on sn-devel-104
2013-06-19 21:32:36 +02:00
Andrew Bartlett
dc6b03ffa5 build: Remove unused credentials_samba3.c
This file was only used by the autoconf build system.

Andrew Bartlett

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-05-28 12:17:12 +10:00
Rusty Russell
b45e3f557a secrets: use lpcfg_private_db_path() convenience helper.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-04-12 14:59:27 -07:00
Stefan Metzmacher
bf0dcc918d auth/pycredentials: make use of samba_tevent_context_init()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-28 12:07:53 +01:00
Rusty Russell
2f4b21bb57 ntdb: switch between secrets.tdb and secrets.ntdb depending on 'use ntdb'
Since we open with dbwrap, it auto-converts old tdbs (which it will
rename to secrets.tdb.bak once it's done).

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au>
Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104
2013-02-20 07:09:19 +01:00
Andrew Tridgell
994696c5c4 auth: added cli_credentials_failed_kerberos_login()
this is used to support retrying kerberos connections after removing a
ccache entry, to cope with a server being re-built while our client
still has a valid service ticket

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-11-01 15:40:40 +11:00
Andrew Bartlett
a5d57a04c2 auth/credentials: Do not print passwords in a talloc memory dump
The fact that a password was created here is enough information, so
overwrite with the function name and line.

Andrew Bartlett
2012-08-31 14:30:38 +10:00
Andrew Bartlett
5131359eda auth/credentials: Support match-by-key in cli_credentials_get_server_gss_creds()
This allows a password alone to be used to accept kerberos tickets.

Of course, we need to have got the salt right, but we do not need also
the correct kvno.  This allows gensec_gssapi to accept tickets based on
a secrets.tdb entry.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Aug 30 01:26:12 CEST 2012 on sn-devel-104
2012-08-30 01:26:12 +02:00
Andrew Bartlett
17337cfec0 auth/credentials: Remove unused, and un-declared cli_credentials_set_krbtgt() 2012-08-29 11:34:52 +10:00
Andrew Bartlett
beafdd6410 auth/credentials: Better integrate fetch of secrets.tdb and secrets.ldb records
By checking first if there is a secrets.tdb record and passing in the password and last change time
we avoid setting one series of values and then replacing them.  We also avoid the need to work
around the setting of anonymous.

Andrew Bartlett
2012-08-29 11:34:52 +10:00
Andrew Bartlett
a0e4bdcb5b auth/credentials: Improve memory handling in cli_credentials_set_machine_account
By using a tempoary talloc context this is much tidier and more reliable code.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug 29 03:11:10 CEST 2012 on sn-devel-104
2012-08-29 03:11:09 +02:00
Andrew Bartlett
bcc29f9e73 auth/credentials: Avoid double-free in the failure case
This pointer is only valid if dbwrap_fetch returned success.

Andrew Bartlett
2012-08-29 09:09:10 +10:00
Andrew Bartlett
f873d422b1 auth/credentials: Rework credentials handling to try and find the most recent machine pw
As winbindd will update secrets.tdb but not secrets.ldb, we need to detect this and use secrets.tdb

Andrew Bartlett
2012-08-28 07:57:29 +10:00
Andrew Bartlett
e66fa2c813 auth/credentials: Expand secrets.tdb fetch of secrets to preserve workstation and realm
These would otherwise be set during the fetch from the secrets.ldb, but are wiped when that fails.

Andrew Bartlett
2012-08-28 07:57:29 +10:00
Björn Jacke
13f8674a15 build: rename security → samba-security
there is a libsecurity on OSF1 which clasheѕ with our security lib. see bug #9023.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Fri Aug 10 14:22:21 CEST 2012 on sn-devel-104
2012-08-10 14:22:20 +02:00
Andrew Bartlett
cbc30833d6 auth/credentials: Remove extra newline 2012-07-19 04:04:20 +02:00
Andrew Bartlett
dff29e4aee auth/credentials: Look in the secrets.tdb for the machine account
This is for use with the -P/--machine-pass option.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Jul 15 05:41:28 CEST 2012 on sn-devel-104
2012-07-15 05:41:27 +02:00
Alexander Bokovoy
dc3f74a953 auth/credentials: 'workgroup' set via command line will not drop existing ccache
The root cause for existing ccache being invalidated was use of global loadparm with
'workgroup' value set as if from command line. However, we don't really need to take
'workgroup' parameter value's nature into account when invalidating existing ccache.
When -U is used on the command line, one can specify a password to force ccache
invalidation.

The commit also reverts previous fix now that root cause is clear.
2012-05-24 16:21:26 +02:00
Alexander Bokovoy
ec989e7c40 auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials
When credentials API is used by a client-side program that already as fetched required
tickets into a ccache, we need to skip re-initializing ccache. This is used in FreeIPA
when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets
already.
2012-05-23 17:51:50 +03:00
Simo Sorce
302abe6190 auth and s4-rpc_server: Do not use features we currently can't implement with MIT Kerbros build 2012-05-23 17:51:49 +03:00
Andreas Schneider
5832c61c5f s4-auth: Use smb_krb5_cc_get_lifetime() wrapper.
Signed-off-by: Simo Sorce <idra@samba.org>
2012-05-04 16:51:29 +02:00
Alexander Bokovoy
594e316181 lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into lib/replace/system/gssapi.h
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.

Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.

Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
2012-04-25 00:18:32 +02:00
Simo Sorce
08c733d75f Make krb5 wrapper library common so they can be used all over 2012-04-23 19:20:38 -04:00
Simo Sorce
a925c2c48d srv_keytab: Pass krb5_context directly, it's all we use anyways.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
f116262a73 s4-auth-krb: Remove dependency on credentials too.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00