samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2025-03-11 16:58:40 +03:00

Author	SHA1	Message	Date
Andreas Schneider	82898b87a5	s4:gensec_gssapi: Correctly handle external trusts with MIT BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 2dd4887648bf006a577e03fc027e881738ca04ab)	2017-03-14 12:18:27 +01:00
Andreas Schneider	be1e1586eb	s4:gensec_gssapi: Use smb_krb5_get_realm_from_hostname() With credentials for administrator@FOREST1.EXAMPLE.COM this patch changes the target_principal for the ldap service of host dc2.forest2.example.com from ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM to ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM should be used in order to allow the KDC of FOREST1.EXAMPLE.COM to generate a referral ticket for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM. The problem is that KDCs only return such referral tickets if there's a forest trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM. If there's only an external domain trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM. In the case of an external trust the client can still ask explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and the KDC of FOREST1.EXAMPLE.COM will generate it. From there the client can use the krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM ticket and ask a KDC of FOREST2.EXAMPLE.COM for a service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM. With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as target principal. As _krb5_get_cred_kdc_any() first calls get_cred_kdc_referral() (which always starts with the client realm) and falls back to get_cred_kdc_capath() (which starts with the given realm). MIT krb5 only tries the given realm of the target principal, if we want to autodetect support for transitive forest trusts, we'll have to do the fallback ourself. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 3781eb250173981a8890b82d1ff9358f144034cd)	2017-03-14 12:18:27 +01:00
Andreas Schneider	43bc67a79b	s4:gensec_gssapi: Move setup of service_principal to update function BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit bf6358bf035e7ad48bd15cc2164afab2a19e7ad6)	2017-03-14 12:18:27 +01:00
Andreas Schneider	825bfed5cb	s4:gensec-gssapi: Create a helper function to setup server_principal BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 8f7c4529420316b553c80cd3d19b6996525b029a)	2017-03-14 12:18:27 +01:00
Stefan Metzmacher	202604daaa	s4:gensec_gssapi: require a realm in gensec_gssapi_client_start() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 3a870baee8d9dbe5359f04a108814afc27e57d46)	2017-03-14 12:18:26 +01:00
Stefan Metzmacher	22e473e2e5	s4:gensec_gssapi: the value gensec_get_target_principal() should overwrite gensec_get_target_hostname() If gensec_get_target_principal() has a value, we no longer have to verify the gensec_get_target_hostname() value, it can be just an ipadress. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 48bcca566ebb3a5385b15b0525d7fbdd06361e04)	2017-03-14 12:18:26 +01:00
Volker Lendecke	efb5f38f1f	auth4: Use "all_zero" where appropriate ... Saves a few bytes of footprint Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>	2017-01-03 16:04:29 +01:00
Andreas Schneider	fd98174443	auth/gensec: Fix typo in log message Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2016-12-24 17:16:06 +01:00
David Mulder	99d8788028	auth/gensec: Remove unneeded cli_credentials_set_conf() call The cli_credentials_set_client_gss_creds() will set the correct realm from the gss creds. Pair-Programmed-With: Andreas Schneider <asn@samba.org> Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: David Mulder <dmulder@suse.com> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>	2016-12-24 17:16:06 +01:00
Stefan Metzmacher	6459543b5a	CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default This disabled the usage of GSS_C_DELEG_FLAG by default, as GSS_C_DELEG_POLICY_FLAG is still used by default we let the KDC decide if we should send delegated credentials to a remote server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Simo Sorce <idra@samba.org>	2016-12-20 07:51:14 +01:00
Garming Sam	683fcad3ca	doc: Add doxygen for functions in srv_keytab.c Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10882	2016-11-22 02:10:16 +01:00
Garming Sam	b02da11498	s4-auth: Don't check for NULL saltPrincipal if it doesn't need it This check causes 4.1 domains to be unable to change their DNS backend correctly as they do not have the saltPrincipal value stored. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10882 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-11-22 02:10:16 +01:00
Stefan Metzmacher	558e78c7e3	s4:gensec_gssapi: We need to use the users realm in the target_principal This is important in order to let the kdc of the users realm start with the trust referral routing. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2016-11-15 11:00:26 +01:00
Stefan Metzmacher	f0afefefe4	s4:gensec_gssapi: pass gss_got_flags to gssapi_get_sig_size() We need to calculate the signature length based on the negotiated flags. This is most important on the server side where, gss_accept_sec_context() doesn't get gss_want_flags, but fills gss_got_flags. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2016-10-26 11:20:12 +02:00
Stefan Metzmacher	cca980eb51	s4:gensec_krb5: also report support for GENSEC_FEATURE_SIGN as krb5_mk_priv() provides sign and seal Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2016-10-26 11:20:12 +02:00
Andreas Schneider	28eae08ef7	gensec_krb5: Implement smb_krb5_rd_req_decoded() with MIT Kerberos Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Thu Sep 29 11:56:41 CEST 2016 on sn-devel-144	2016-09-29 11:56:41 +02:00
Andreas Schneider	64b2b0dacd	gensec_krb5: Create a MIT Kerberos gensec_krb5_session_info() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>	2016-09-29 08:02:18 +02:00
Volker Lendecke	0a42a4c14b	wbclient: "ev" is no longer used in wbc_sids_to_xids Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2016-09-28 00:04:36 +02:00
Andreas Schneider	4a8b588dc0	gensec_krb5: Do not leak memory of target_principal CID 1372504 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri Sep 9 04:20:04 CEST 2016 on sn-devel-144	2016-09-09 04:20:04 +02:00
Andreas Schneider	2ac297562f	krb5_wrap: Rename kerberos_kinit_s4u2_cc() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:16 +02:00
Andreas Schneider	696cfcb3c0	krb5_wrap: Rename kerberos_kinit_password_cc() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:16 +02:00
Andreas Schneider	15c5dd700c	krb5_wrap: Rename kerberos_kinit_keyblock_cc() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:16 +02:00
Andreas Schneider	1877950250	krb5_wrap: Rename get_krb5_smb_session_key() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:14 +02:00
Andreas Schneider	e8632e2af5	krb5_wrap: Rename kerberos_free_data_contents() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:13 +02:00
Andreas Schneider	81917a1162	krb5_wrap: Rename setup_kaddr() Use a better and consistent name and switch the arguments to reflect the name. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:13 +02:00
Andreas Schneider	faa3bef690	gensec_krb5: Use get_krb5_smb_session_key() in gensec_krb5_session_key() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Aug 30 15:24:02 CEST 2016 on sn-devel-144	2016-08-30 15:24:02 +02:00
Andreas Schneider	7f9a075d9c	gensec_krb5: Use implementation idependent krb5_mk_req_extended() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00
Andreas Schneider	739a7adaef	gensec_krb5: Use kerberos_free_data_contents() to free krb5 data Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00
Andreas Schneider	8268501972	gensec_krb5: Only set the event context with Heimdal Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00
Andreas Schneider	7ea7b60649	gensec_krb5: Use krb5_wrap setup_kaddr() to convert address Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:15 +02:00
Andreas Schneider	ab8628ac7a	gensec_krb5: Rename smb_rd_req_return_stuff() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:14 +02:00
Andreas Schneider	de224d7006	gensec_krb5: Rename gensec_krb5_util to gensec_krb5_heimdal Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-30 11:34:14 +02:00
Stefan Metzmacher	8b1f5cad95	auth/auth_sam_reply: fill user_principal_* and dns_domain_name in make_user_info_dc_pac() This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO correctly. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-07-22 23:34:22 +02:00
Stefan Metzmacher	3eba60aa65	auth/wbc_auth_util: change wbcAuthUserInfo_to_netr_SamInfo* from level 3 to 6 This includes user_principal_name and dns_domain_name. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:26 +02:00
Stefan Metzmacher	b67ea0e123	s4:auth/kerberos: improve error message in kerberos_pac_to_user_info_dc() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:26 +02:00
Stefan Metzmacher	6257003dff	s4:auth: fill user_principal_* and dns_domain_name in authsam_make_user_info_dc() This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO correctly. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:26 +02:00
Stefan Metzmacher	432e83bf5b	s4:auth: make use of lpcfg_sam_name() in authsam_get_user_info_dc_principal() This is more generic and matches all other places. As this is only used in the KDC it's not a real logic change. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:26 +02:00
Stefan Metzmacher	853c2a6d8a	s4:auth/sam: update the logonCount for interactive logons Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:24 +02:00
Stefan Metzmacher	869616ceb9	s4:auth/sam: don't update lastLogon just because it's 0 currently Non interactive logons doesn't trigger an update unless the (effective) badPwdCount is not 0 and lockoutTime is 0. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:24 +02:00
Stefan Metzmacher	1acd477960	s4:auth/sam: only reset badPwdCount when the effetive value is not 0 already Non interactive logons doesn't reset badPwdCount to 0 when the effective badPwdCount is already 0 (with (badPasswordTime + lockOutObservationWindows) < now). Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:24 +02:00
Stefan Metzmacher	b73cb40dd2	s4:auth_sam: don't allow interactive logons with UF_SMARTCARD_REQUIRED BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:23 +02:00
Stefan Metzmacher	9be4860511	s4:auth/sam: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change() The logic in samdb_result_force_password_change() is incomplete and the correct logic is already available via the constructed "msDS-UserPasswordExpiryTimeComputed" attribute. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:23 +02:00
Andreas Schneider	a737efe2bd	s4-ntlm: Fix a NULL pointer dereference in error path Found by clang compiler. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed Jun 22 23:21:33 CEST 2016 on sn-devel-144	2016-06-22 23:21:33 +02:00
Stefan Metzmacher	d247dceaaa	s4:auth_anonymous: anonymous authentication doesn't allow a password BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-04-28 16:51:16 +02:00
Stefan Metzmacher	8704958fb3	s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-04-28 16:51:15 +02:00
Stefan Metzmacher	4c4829634f	CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-04-12 19:25:23 +02:00
Stefan Metzmacher	0f6713826d	s4:pygensec: make sig_size() and sign/check_packet() available Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-03-10 06:52:27 +01:00
Aurelien Aptel	34ae5c5083	s4/auth/ntlm/auth_unix.c: add parens operator \| has lower precedence than ?: so add parens to have the expected result. Signed-off-by: Aurelien Aptel <aaptel@suse.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org>	2016-03-10 00:08:11 +01:00
Andrew Bartlett	ffc7536330	pyauth: Use pytalloc_BaseObject_PyType_Ready() This changes pyauth to use talloc.BaseObject() just like the PIDL output Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>	2016-03-08 01:58:29 +01:00
Andrew Bartlett	0f35167d76	pygensec: Use pytalloc_BaseObject_PyType_Ready() This changes pygensec to use talloc.BaseObject() just like the PIDL output Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>	2016-03-08 01:58:29 +01:00

1 2 3 4 5 ...

1828 Commits