samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00

Author	SHA1	Message	Date
Garming Sam	683fcad3ca	doc: Add doxygen for functions in srv_keytab.c Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10882	2016-11-22 02:10:16 +01:00
Garming Sam	b02da11498	s4-auth: Don't check for NULL saltPrincipal if it doesn't need it This check causes 4.1 domains to be unable to change their DNS backend correctly as they do not have the saltPrincipal value stored. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10882 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-11-22 02:10:16 +01:00
Stefan Metzmacher	558e78c7e3	s4:gensec_gssapi: We need to use the users realm in the target_principal This is important in order to let the kdc of the users realm start with the trust referral routing. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2016-11-15 11:00:26 +01:00
Stefan Metzmacher	f0afefefe4	s4:gensec_gssapi: pass gss_got_flags to gssapi_get_sig_size() We need to calculate the signature length based on the negotiated flags. This is most important on the server side where, gss_accept_sec_context() doesn't get gss_want_flags, but fills gss_got_flags. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2016-10-26 11:20:12 +02:00
Stefan Metzmacher	cca980eb51	s4:gensec_krb5: also report support for GENSEC_FEATURE_SIGN as krb5_mk_priv() provides sign and seal Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2016-10-26 11:20:12 +02:00
Andreas Schneider	28eae08ef7	gensec_krb5: Implement smb_krb5_rd_req_decoded() with MIT Kerberos Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Thu Sep 29 11:56:41 CEST 2016 on sn-devel-144	2016-09-29 11:56:41 +02:00
Andreas Schneider	64b2b0dacd	gensec_krb5: Create a MIT Kerberos gensec_krb5_session_info() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>	2016-09-29 08:02:18 +02:00
Volker Lendecke	0a42a4c14b	wbclient: "ev" is no longer used in wbc_sids_to_xids Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2016-09-28 00:04:36 +02:00
Andreas Schneider	4a8b588dc0	gensec_krb5: Do not leak memory of target_principal CID 1372504 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri Sep 9 04:20:04 CEST 2016 on sn-devel-144	2016-09-09 04:20:04 +02:00
Andreas Schneider	2ac297562f	krb5_wrap: Rename kerberos_kinit_s4u2_cc() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:16 +02:00
Andreas Schneider	696cfcb3c0	krb5_wrap: Rename kerberos_kinit_password_cc() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:16 +02:00
Andreas Schneider	15c5dd700c	krb5_wrap: Rename kerberos_kinit_keyblock_cc() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:16 +02:00
Andreas Schneider	1877950250	krb5_wrap: Rename get_krb5_smb_session_key() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:14 +02:00
Andreas Schneider	e8632e2af5	krb5_wrap: Rename kerberos_free_data_contents() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:13 +02:00
Andreas Schneider	81917a1162	krb5_wrap: Rename setup_kaddr() Use a better and consistent name and switch the arguments to reflect the name. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:13 +02:00
Andreas Schneider	faa3bef690	gensec_krb5: Use get_krb5_smb_session_key() in gensec_krb5_session_key() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Aug 30 15:24:02 CEST 2016 on sn-devel-144	2016-08-30 15:24:02 +02:00
Andreas Schneider	7f9a075d9c	gensec_krb5: Use implementation idependent krb5_mk_req_extended() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00
Andreas Schneider	739a7adaef	gensec_krb5: Use kerberos_free_data_contents() to free krb5 data Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00
Andreas Schneider	8268501972	gensec_krb5: Only set the event context with Heimdal Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00
Andreas Schneider	7ea7b60649	gensec_krb5: Use krb5_wrap setup_kaddr() to convert address Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00
Andreas Schneider	ab8628ac7a	gensec_krb5: Rename smb_rd_req_return_stuff() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:14 +02:00
Andreas Schneider	de224d7006	gensec_krb5: Rename gensec_krb5_util to gensec_krb5_heimdal Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:14 +02:00
Stefan Metzmacher	8b1f5cad95	auth/auth_sam_reply: fill user_principal_* and dns_domain_name in make_user_info_dc_pac() This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO correctly. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-07-22 23:34:22 +02:00
Stefan Metzmacher	3eba60aa65	auth/wbc_auth_util: change wbcAuthUserInfo_to_netr_SamInfo* from level 3 to 6 This includes user_principal_name and dns_domain_name. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:26 +02:00
Stefan Metzmacher	b67ea0e123	s4:auth/kerberos: improve error message in kerberos_pac_to_user_info_dc() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:26 +02:00
Stefan Metzmacher	6257003dff	s4:auth: fill user_principal_* and dns_domain_name in authsam_make_user_info_dc() This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO correctly. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:26 +02:00
Stefan Metzmacher	432e83bf5b	s4:auth: make use of lpcfg_sam_name() in authsam_get_user_info_dc_principal() This is more generic and matches all other places. As this is only used in the KDC it's not a real logic change. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:26 +02:00
Stefan Metzmacher	853c2a6d8a	s4:auth/sam: update the logonCount for interactive logons Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:24 +02:00
Stefan Metzmacher	869616ceb9	s4:auth/sam: don't update lastLogon just because it's 0 currently Non interactive logons doesn't trigger an update unless the (effective) badPwdCount is not 0 and lockoutTime is 0. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:24 +02:00
Stefan Metzmacher	1acd477960	s4:auth/sam: only reset badPwdCount when the effetive value is not 0 already Non interactive logons doesn't reset badPwdCount to 0 when the effective badPwdCount is already 0 (with (badPasswordTime + lockOutObservationWindows) < now). Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:24 +02:00
Stefan Metzmacher	b73cb40dd2	s4:auth_sam: don't allow interactive logons with UF_SMARTCARD_REQUIRED BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:23 +02:00
Stefan Metzmacher	9be4860511	s4:auth/sam: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change() The logic in samdb_result_force_password_change() is incomplete and the correct logic is already available via the constructed "msDS-UserPasswordExpiryTimeComputed" attribute. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:23 +02:00
Andreas Schneider	a737efe2bd	s4-ntlm: Fix a NULL pointer dereference in error path Found by clang compiler. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed Jun 22 23:21:33 CEST 2016 on sn-devel-144	2016-06-22 23:21:33 +02:00
Stefan Metzmacher	d247dceaaa	s4:auth_anonymous: anonymous authentication doesn't allow a password BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-04-28 16:51:16 +02:00
Stefan Metzmacher	8704958fb3	s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-04-28 16:51:15 +02:00
Stefan Metzmacher	4c4829634f	CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-04-12 19:25:23 +02:00
Stefan Metzmacher	0f6713826d	s4:pygensec: make sig_size() and sign/check_packet() available Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-03-10 06:52:27 +01:00
Aurelien Aptel	34ae5c5083	s4/auth/ntlm/auth_unix.c: add parens operator \| has lower precedence than ?: so add parens to have the expected result. Signed-off-by: Aurelien Aptel <aaptel@suse.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org>	2016-03-10 00:08:11 +01:00
Andrew Bartlett	ffc7536330	pyauth: Use pytalloc_BaseObject_PyType_Ready() This changes pyauth to use talloc.BaseObject() just like the PIDL output Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>	2016-03-08 01:58:29 +01:00
Andrew Bartlett	0f35167d76	pygensec: Use pytalloc_BaseObject_PyType_Ready() This changes pygensec to use talloc.BaseObject() just like the PIDL output Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>	2016-03-08 01:58:29 +01:00
Andrew Bartlett	ec5d63f9ed	pygensec: Use pytalloc_steal() in gensec_start_{client,server}() This is better than casting to get to the pytalloc_Object structure directly Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>	2016-03-08 01:58:29 +01:00
Michael Adam	476672b647	dlist: remove unneeded type argument from DLIST_ADD_END() Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2016-02-06 21:48:17 +01:00
Jelmer Vernooĳ	da8674c72a	Rename 'errors' to 'samba-errors' and make it public. This is necessary because it has public headers. Signed-off-by: Jelmer Vernooĳ <jelmer@jelmer.uk> Reviewed-By: Andrew Bartlett <abartlet@samba.org> Reviewed-By: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org> Autobuild-Date(master): Wed Jan 13 07:47:04 CET 2016 on sn-devel-144	2016-01-13 07:47:04 +01:00
Jelmer Vernooij	773cfba9af	Avoid including libds/common/roles.h in public loadparm.h header. Signed-Off-By: Jelmer Vernooij <jelmer@samba.org> Reviewed-By: Andrew Bartlett <abartlet@samba.org> Reviewed-By: Stefan Metzmacher <metze@samba.org>	2016-01-13 04:43:23 +01:00
Andrew Bartlett	0e58705a5b	python: Remove Python 2.4 support macros We require Python 2.6 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jelmer Vernooĳ <jelmer@samba.org>	2016-01-07 23:33:10 +01:00
Volker Lendecke	b7f0e29fd2	lib: Use asn1_current_ofs() Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2016-01-06 00:54:18 +01:00
Volker Lendecke	a93946b2fe	lib: Use asn1_extract_blob() Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2016-01-06 00:54:18 +01:00
Volker Lendecke	8cfb6a3139	lib: Use asn1_set_error() Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2016-01-06 00:54:18 +01:00
Volker Lendecke	57a0bc9a9f	lib: Use asn1_has_error() Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2016-01-06 00:54:18 +01:00
Douglas Bagnall	795f4729ca	auth: keep track of lastLogon and lastLogonTimestamp lastLogon is supposed to be updated for every interactive or kerberos login, and (according to testing against Windows2012r2) when the bad password count is non-zero but the lockout time is zero. It is not replicated. lastLogonTimestamp is updated if the old value is more than 14 - random.choice([0, 1, 2, 3, 4, 5]) days old, and it is replicated. The 14 in this calculation is the default, stored as "msDS-LogonTimeSyncInterval", which we offer no interface for changing. The authsam_zero_bad_pwd_count() function is a convenient place to update these values, as it is called upon a successful logon however that logon is performed. That makes the function's name inaccurate, so we rename it authsam_logon_success_accounting(). It also needs to be told whet5her the login is interactive. The password_lockout tests are extended to test lastLogon and lasLogonTimestamp. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Ralph Boehme <slow@samba.org>	2015-12-15 00:08:57 +01:00

1 2 3 4 5 ...

1818 Commits