mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1439 Commits

Author SHA1 Message Date
Günther Deschner
dc35442fb1 s4-nterr: move auth_nt_status_squash to nt_status_squash and move to nterr.c
Guenther
2011-03-04 01:18:42 +01:00
Jelmer Vernooij
59a077d8f5 Fix some types
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Feb 28 23:30:06 CET 2011 on sn-devel-104
2011-02-28 23:30:06 +01:00
Jelmer Vernooij
31d09b13d3 tdb: Use <tdb.h> to include tdb so system headers are found when building against system tdb. 2011-02-28 21:11:21 +01:00
Andrew Tridgell
74947964d9 build: moved spnego_parse.c into a common subsystem 2011-02-24 15:08:50 +11:00
Andrew Tridgell
8dbe665a0c build: moved schannel_sign.c into a shared COMMON_SCHANNEL subsystem
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-24 11:57:48 +11:00
Andrew Tridgell
d37a55548b build: moved libcli/auth/ntlmssp*.c into a common libcliauth.so library
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-24 11:57:48 +11:00
Andrew Bartlett
e3821f2c40 s4-auth Move libcli/security/session.c to the top level
This code is now useful in common, as the elements of the
auth_session_info structure have now been defined in common IDL.

Andrew Bartlett
2011-02-22 16:20:11 +11:00
Andrew Tridgell
ed71c1ef1f s4-auth: rename 'auth' subsystem to 'auth4'
this prevents conflicts with the s3 auth modules. The auth modules in
samba3 may appear in production smb.conf files, so it is preferable to
rename the s4 modules for minimal disruption.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-18 15:09:46 +11:00
Günther Deschner
3722f65359 librpc: make NDR_KRB5PAC a shared library (libndr-krb5pac.so).
Simo, please check.

Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Feb 14 18:54:38 CET 2011 on sn-devel-104
2011-02-14 18:54:38 +01:00
Andrew Tridgell
8dc92c8f71 ldb: use #include <ldb.h> for ldb
this ensures we are using the header corresponding to the version of
ldb we're linking against. Otherwise we could use the system ldb for
link and the in-tree one for include

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-10 06:51:07 +01:00
Andrew Tridgell
e26b1a6968 s4-krb5: authkrb5 should depend on ldb
this fixes the include path to add ldb

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-10 06:51:07 +01:00
Andrew Bartlett
d66150c14d libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport
This changes the structure being used to convey the current user state
from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built
structure that matches the internals of the Samba auth subsystem and
contains the final group list, as well as the final privilege set and
session key.

These previously had to be re-created on the server side of the pipe
each time.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-10 06:51:06 +01:00
Andrew Bartlett
4cfee6f88e auth Move auth_sam_reply into the top level.
These functions provide conversions between some netlogon.idl and
auth.idl structures

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-10 06:51:06 +01:00
Andrew Bartlett
7e76367e59 s4-auth Fix setting of bad_password_count in auth_convert_user_info_dc_sambaseinfo()
Discovered during the conversion to auth_user_info.

Andrew Bartlett
2011-02-09 01:11:06 +01:00
Andrew Bartlett
a2ce53c1f5 s4-auth Rework auth subsystem to remove struct auth_serversupplied_info
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc.  This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
maintained into the struct session_info.

The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.

Andrew Bartlett
2011-02-09 01:11:06 +01:00
Andrew Bartlett
f1c0e9532d s4-auth Add auth.idl to encode auth subsystem structures in IDL
This is not only a useful way to encode stuff, it also allows python
to handle the structures, and naturally allows them to be NDR encoded.

Andrew Bartlett
2011-02-09 01:11:06 +01:00
Günther Deschner
34722c72f6 pam: share pam errors in a common location.
Guenther
2011-02-08 14:05:36 +01:00
Andrew Bartlett
7faa3be453 s4-python Ensure we add the Samba python path first.
This exact form of the construction is important, and we match on it
in the installation scripts.

Andrew Bartlett
2011-02-02 15:21:12 +11:00
Matthias Dieter Wallnöfer
7b9ead17f1 s4:auth/pyauth.c - temporarily add compatibility code for Python 2.4
This patch has been committed by request of Jelmer.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Jan 30 19:07:57 CET 2011 on sn-devel-104
2011-01-30 19:07:57 +01:00
Andrew Bartlett
fbe6d155bf s4-auth Remove special case for account_sid from auth_serversupplied_info
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **.  This is in keeping with
the other sid lists in the security_token etc.

In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.

Andrew Bartlett
2011-01-20 23:44:05 +01:00
Andrew Bartlett
cce5231b4d s4-gensec Add prototype for gensec_ntlmssp_init()
Andrew Bartlett
2011-01-20 23:44:05 +01:00
Andrew Bartlett
084b4e235e libcli/auth move ntlmssp_wrap() and ntlmssp_unwrap() into common code.
The idea here is to allow the source3/libads/sasl.c code to call this
instead of the lower level ntlmssp_* functions.

Andrew Bartlett
2011-01-20 23:44:05 +01:00
Andrew Bartlett
6d93af433e s4-pyauth Fix AuthContext wrapper 2011-01-19 12:29:05 +01:00
Andrew Bartlett
a7e238d322 s4-auth Allow NULL methods to be specified to auth_context_create_methods()
This allows us to init an auth context that isn't going to do any NTLM
authentication, but is used by other subsystems.

Andrew Bartlett
2011-01-19 12:29:05 +01:00
Andrew Bartlett
902e18329f s4-gensec Remove special case 'for SASL' that is not required any more.
I've examined the code paths involved, and it appears an alternative
fix has been made in the ldap_server/ldap_bind.c code, and there is no
code path that uses this behaviour.

Andrew Bartlett
2011-01-19 12:29:05 +01:00
Andrew Tridgell
bc0230be1d pygensec: remove special case handling for None for buffers
always returning a buffer makes life easier for callers

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-19 01:35:22 +01:00
Andrew Bartlett
a1e1f02efe s4-gensec Extend python bindings for GENSEC and the associated test
This now tests a real GENSEC exchange, including wrap and unwrap,
using GSSAPI.  Therefore, it now needs to access a KDC.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Jan 18 11:41:26 CET 2011 on sn-devel-104
2011-01-18 11:41:26 +01:00
Andrew Bartlett
24a4b9a738 s4-auth Extend python bindings to allow ldb and message to be specified
This will allow for some more tokenGroups tests in future.

Andrew Bartlett
2011-01-18 10:55:05 +01:00
Andrew Bartlett
08051ae29e s4-pygensec Fix indentation of py_gensec_start_mech_by_name() 2011-01-18 10:55:05 +01:00
Andrew Bartlett
147f075c47 s4-pygensec Add bindings for server_start() and update() 2011-01-18 10:55:05 +01:00
Andrew Bartlett
969c1b58eb s4-pyauth Add bindings for auth_context_create() as AuthContext() 2011-01-18 10:55:05 +01:00
Andrew Bartlett
017fbcdd10 s4-pyauth Use py_talloc_get_type() for greater talloc binding safety
This does a talloc check of the returned pointer before casting it.

Andrew Bartlett
2011-01-18 10:55:05 +01:00
Andrew Bartlett
9b643c8c83 s4-gensec Don't steal the auth_context, reference it.
We don't want to steal this pointer away from the caller if it's been
set up from python.

Andrew Bartlett
2011-01-18 10:55:05 +01:00
Matthias Dieter Wallnöfer
32e7d7654f s4:auth/ntlm/auth_sam.c - fix call to "get_server_info_principal"
This should obviously point to the wrapper not the call itself.

Found out by Tru64 host build warning.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Jan 15 18:05:59 CET 2011 on sn-devel-104
2011-01-15 18:05:59 +01:00
Andrew Tridgell
8df6504ffe s4-auth: fixed status return
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-14 16:39:33 +11:00
Andrew Bartlett
edd3b033b8 s4-auth Add get and set methods for auth_session_info python wrapper
This allows the session key, security_token and credentials to be
manipulated from python.

Andrew Bartlett

Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2011-01-14 16:39:32 +11:00
Andrew Bartlett
ece6eae4d8 s4-auth Add function to obtain any user's session_info from a given LDB
This will be a building block for a tokenGroups test, which can
compare against a remote server (in particular the rootDSE) against
what we would calculate the tokenGroups to be.

(this meant moving some parts out of the auth_sam code into the
containing library)

Andrew Bartlett
2011-01-14 16:39:32 +11:00
Andrew Bartlett
c82269cf86 s4-auth use new dsdb_expand_nested_groups()
This isn't quite as good as using tokenGroups, but that is only
available for BASE searches, and this isn't how all the callers
work at the moment.

Andrew Bartlett
2011-01-14 16:39:32 +11:00
Stefan Metzmacher
cbf6c88aa8 s4:gensec/schannel: use netsec_outgoing_sig_size() to get the signature size
metze
2011-01-03 16:44:28 +01:00
Jelmer Vernooij
3b4fd3573e heimdal_build: Add missing dependencies when building with system heimdal.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Jan  1 04:46:35 CET 2011 on sn-devel-104
2011-01-01 04:46:35 +01:00
Matthias Dieter Wallnöfer
71d0fd88d2 s4:auth/session.h - use a forward declaration for type "struct ldb_context"
And remove the now obsolete one for "struct tevent_context"

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Tue Dec 21 11:17:34 CET 2010 on sn-devel-104
2010-12-21 11:17:34 +01:00
Andrew Bartlett
446f8a163c s4-auth Ensure that we always copy across domain groups
Even if we can't calculate the local groups (because we don't have a
local SAM to do it with) we still need to include the domain groups in
the session_info token.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Dec 21 05:56:22 CET 2010 on sn-devel-104
2010-12-21 05:56:22 +01:00
Andrew Bartlett
6f7423c7f1 s4-auth Remove duplicate copies of session_info creation code
We now just do or do not call into LDB based on some flags.

This means there may be some more link time dependencies, but we seem
to deal with those better now.

Andrew Bartlett
2010-12-21 15:10:38 +11:00
Andrew Bartlett
1961d7a411 s4-auth rework session_info handling not to require an auth context
This reverts a previous move to have this based around the auth
subsystem, which just spread auth deps all over unrelated code.

Andrew Bartlett
2010-12-21 15:10:38 +11:00
Andrew Bartlett
94a59b781c s4-auth Remove event context from privilege database handling
These local TDB operations can quite safely be handled in a new/nested
event context, rather than using the main event context.

Andrew Bartlett
2010-12-21 15:10:38 +11:00
Andrew Bartlett
becaa18a46 s4-auth Remove obsolete comment
The code that this referred to went away in September with
7dbfeb0dc0

Andrew Bartlett
2010-12-21 15:10:37 +11:00
Matthias Dieter Wallnöfer
89522ea5b1 s4:auth/gensec/spnego.c - remove unused variable "principal" 2010-12-21 15:10:37 +11:00
Stefan Metzmacher
f126cb9eea s4:gensec/spnego: only look at the optimistic token if we support the first mech
As a server only try the mechs the client proposed
and only call gensec_update() with the optimistic token
for the first mech in the list.

If the server doesn't support the first mech we pick the
first one in the client's list we also support.
That's how w2k8r2 works.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Dec 14 16:50:50 CET 2010 on sn-devel-104
2010-12-14 16:50:49 +01:00
Jelmer Vernooij
35fbc7bbda s4-smbtorture: Make test names lowercase and dot-separated.
This is consistent with the test names used by selftest, should
make the names less confusing and easier to integrate with other tools.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Dec 11 04:16:13 CET 2010 on sn-devel-104
2010-12-11 04:16:13 +01:00
Andrew Bartlett
154b431093 s4-spnego Match Windows 2008, and no longer supply a name in the CIFS Negprot
Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec  9 08:50:28 CET 2010 on sn-devel-104
2010-12-09 08:50:27 +01:00