1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

368 Commits

Author SHA1 Message Date
Stefan Metzmacher
99ffef3de2 auth/gensec: convert external.c to provide update_send/recv
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-01-12 15:35:14 +01:00
Stefan Metzmacher
ac6083eb72 auth/gensec: convert ncalrpc.c to provide update_send/recv
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-01-12 15:35:14 +01:00
Stefan Metzmacher
b8abd4a8a2 auth/gensec: convert schannel.c to provide update_send/recv
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-01-12 15:35:14 +01:00
Stefan Metzmacher
c9f5a89809 auth/gensec: remove unused prototype headers
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-01-12 15:35:14 +01:00
Andreas Schneider
f981e2c980 credentials: Create a smb_gss_krb5_copy_ccache() function
This sets the default principal on the copied ccache if it hasn't been
set yet.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-01-12 15:35:13 +01:00
Stefan Metzmacher
4b295b106c wscript: remove executable bits for all wscript* files
These files should not be executable.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144
2017-01-11 20:21:01 +01:00
Andreas Schneider
30c0706530 auth/credentials: Always set the the realm if we set the principal from the ccache
This fixes a bug in gensec_gssapi_client_start() where an invalid realm
is used to get a Kerberos ticket.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-01-10 13:54:17 +01:00
Stefan Metzmacher
2a2c03c655 auth/credentials: remove const where we always return a talloc string
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-10 13:54:17 +01:00
Andreas Schneider
630867196b auth/credentials: Add missing error code check for MIT Kerberos
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-24 17:16:06 +01:00
Andreas Schneider
ae5e654f88 auth/credentials: Add NULL check to free_dccache()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 13:52:09 +01:00
Andreas Schneider
c406bf6cd6 auth/credentials: Add NULL check in free_mccache()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 13:52:09 +01:00
Andreas Schneider
d1ad71ef9f auth/credentials: Move function to free ccaches to the top
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 13:52:09 +01:00
Andreas Schneider
59cc352ac6 auth/credentials: Add talloc NULL check in cli_credentials_set_principal()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 13:52:09 +01:00
Stefan Metzmacher
ab25cdfa9d CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
aes based checksums can only be checked with the
corresponding aes based keytype.

Otherwise we may trigger an undefined code path
deep in the kerberos libraries, which can leed to
segmentation faults.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 07:51:14 +01:00
Stefan Metzmacher
05e8bfdc95 auth/credentials: change the parsing order of cli_credentials_parse_file()
We now first just remember the domain, realm, username, password values
(the last value wins).

At the end we call cli_credentials_set_{realm,domain,password}()
followed by cli_credentials_parse_string() for 'username'.

It means the last 'username' line beats the domain, realm or password lines, e.g.:

 username=USERDOMAIN\username
 domain=DOMAIN

will result in cli_credentials_get_domain() returning "USERDOMAIN" instead of
DOMAIN.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-20 01:11:24 +01:00
Stefan Metzmacher
d487591f0b auth/credentials: let cli_credentials_parse_file() handle 'username' with cli_credentials_parse_string()
Some existing source3 tests (test_smbclient_s3.sh test_auth_file()) use a credentials file
that looks like this:

  username=DOMAIN/username
  password=password
  domain=DOMAIN

This change allows us to parse the same.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-20 01:11:24 +01:00
Stefan Metzmacher
eaf3d44641 auth/credentials: let cli_credentials_parse_string() always reset principal and realm
If we reset username we need to reset principal if it was set at the same level.

If domain is reset we also need to use it as realm if realm
was set at the same level. Otherwise we'd build a principal
that belongs to a different user, which would not work
and only increment the wrong lockout counter and result
in wrong authorization tokens to be used.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-20 01:11:24 +01:00
Stefan Metzmacher
6b18ac6915 auth/credentials: let cli_credentials_parse_string() always reset username and domain
If cli_credentials_parse_string() is used we should no longer use
any guessed values and need to make sure username and domain
are reset if principal and realm are set.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-20 01:11:24 +01:00
Stefan Metzmacher
dab9456cfc auth/credentials: handle situations without a configured (default) realm
We should not have cli_credentials_get_realm() return "" without a
configured (default) realm in smb.conf.
Note that the existing tests with creds.get_realm() == lp.get("realm")
also work with "" as string.

At the same time we should never let cli_credentials_get_principal()
return "@REALM.EXAMPLE.COM" nor "username@".

If cli_credentials_parse_string() gets "OTHERDOMAIN\username"
we must not use cli_credentials_get_realm() to generate
a principal unless cli_credentials_get_domain() returns
also "OTHERDOMAIN". What we need to do is using
username@OTHERDOMAIN as principal, whild we still
use cli_credentials_get_realm to get a default kdc,
(which may route us to the correct kdc with WRONG_REALM
messages).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-20 01:11:24 +01:00
Stefan Metzmacher
7c344fbbe0 auth/credentials: add python bindings for enum credentials_obtained
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-20 01:11:24 +01:00
Stefan Metzmacher
df652c3ede auth/credentials: add py_creds_parse_file()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-20 01:11:24 +01:00
Stefan Metzmacher
1565469bf2 auth/credentials: add cli_credentials_set_password_will_be_nt_hash() and the related logic
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-20 01:11:23 +01:00
Stefan Metzmacher
a3f03df706 auth/credentials: let cli_credentials_set_password() fail if talloc_strdup() fails
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-20 01:11:23 +01:00
Stefan Metzmacher
8415cca557 auth/credentials: make use of talloc_zero() in cli_credentials_init()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-20 01:11:23 +01:00
Stefan Metzmacher
182d5e73a9 auth/credentials: clear all unused blobs in cli_credentials_get_ntlm_response()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00
Stefan Metzmacher
4c9462f93b auth/credentials: fix cut'n'paste error in cli_credentials_get_principal_and_obtained()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00
Stefan Metzmacher
5d4aa22f55 auth/credentials: let cli_credentials_parse_string() handle the "winbind separator"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00
Stefan Metzmacher
fee23c33ae auth/credentials: make cli_credentials_get_ntlm_response() more robust
We always provide each output blob as it's own talloc memory
and also check for talloc failures.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:26 +01:00
Stefan Metzmacher
02f79060a0 auth/credentials: anonymous should not have a user principal
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:26 +01:00
Andrew Bartlett
6539d4997f pycredentials: Add bindings for {get,set}_principal, get_ntlm_username_domain
These will be used in testsuite for the credentials code

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-11-06 23:53:10 +01:00
Stefan Metzmacher
81b0912863 auth/gensec: handle DCERPC_AUTH_LEVEL_PACKET similar to DCERPC_AUTH_LEVEL_INTEGRITY
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:12 +02:00
Stefan Metzmacher
5204ad6a14 auth/gensec: only require GENSEC_FEATURE_SIGN for DCERPC_AUTH_LEVEL_INTEGRITY as client
On the server this check is deferred to the first request.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:12 +02:00
Stefan Metzmacher
5db81a1101 auth/gensec: always verify the wanted SIGN/SEAL flags
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:12 +02:00
Stefan Metzmacher
77adac8c3c auth/ntlmssp: always allow NTLMSSP_NEGOTIATE_{SIGN,SEAL} in gensec_ntlmssp_server_start()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:12 +02:00
Stefan Metzmacher
6fb4453d1e gensec/spnego: remember the wanted features also on the main gensec context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:12 +02:00
Günther Deschner
a5264b187b mit: make it possible to build with MIT kerberos and --picky-developer
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-09-29 08:02:18 +02:00
Volker Lendecke
8dc6fbbf45 auth: One const is enough...
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Sep  9 20:33:10 CEST 2016 on sn-devel-144
2016-09-09 20:33:10 +02:00
Stefan Metzmacher
9b45ba5cd5 gensec/spnego: work around missing server mechListMIC in SMB servers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>

Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Fri Sep  2 18:10:44 CEST 2016 on sn-devel-144
2016-09-02 18:10:43 +02:00
Andreas Schneider
2622e16d76 krb5_wrap: Rename get_kerberos_allowed_etypes()
Use consistent naming.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:13 +02:00
Alexander Bokovoy
f5e749414f Wrap krb5_cc_copy_creds and krb5_cc_copy_cache
Heimdal and MIT Kerberos have different API to copy credentials from a
ccache. Wrap it via lib/krb5_wrap/.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Jul 25 21:27:58 CEST 2016 on sn-devel-144
2016-07-25 21:27:57 +02:00
Stefan Metzmacher
8b1f5cad95 auth/auth_sam_reply: fill user_principal_* and dns_domain_name in make_user_info_dc_pac()
This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:22 +02:00
Stefan Metzmacher
2d9958e46c auth/credentials: also do a shallow copy of the krb5_ccache.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:20 +02:00
Stefan Metzmacher
67404bac52 pycredentials: add set_utf16_[old_]password()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 16:03:26 +02:00
Stefan Metzmacher
a5591e597d pycredentials: add {get,set}_old_password()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 16:03:26 +02:00
Christof Schmitt
20319ba51e gensec: Change log level for message when obtaining PAC from gss_get_name_attribute failed
This is the second part for the issue from commit 8bb4fccd. A KDC that
does not return a PAC first triggers this message, then the "resorting
to local user lookup" one. Change the log level for the "obtaining PAC
via GSSAPI gss_get_name_attribute" message as well to avoid spamming the
logs during normal usage. While changing this message, also remove the
discard_const since it is no longer required.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul  6 04:27:03 CEST 2016 on sn-devel-144
2016-07-06 04:27:03 +02:00
Uri Simchoni
77f3730295 auth: fix a memory leak in gssapi_get_session_key()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12006

Signed-off-by: Uri Simchoni <uri@samba.org>
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Richard Sharpe <sharpe@samba.org>
Autobuild-Date(master): Wed Jul  6 00:40:15 CEST 2016 on sn-devel-144
2016-07-06 00:40:15 +02:00
Garming Sam
2840ebc76f typo: mandetory -> mandatory
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-05 00:00:15 +02:00
Stefan Metzmacher
4406cf792a krb5pac.idl: introduce PAC_DOMAIN_GROUP_MEMBERSHIP to handle the resource groups
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 30 07:16:45 CEST 2016 on sn-devel-144
2016-06-30 07:16:45 +02:00
Stefan Metzmacher
74bccb3be1 auth/auth_sam_reply: make auth_convert_user_info_dc_sambaseinfo() a private helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:27 +02:00
Stefan Metzmacher
49bc18f5d2 auth/auth_sam_reply: do a real copy of strings in auth_convert_user_info_dc_sambaseinfo()
That's much more expected by callers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:27 +02:00