IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Not currently used - no logic changes inside.
This will make it possible to pass down a long-lived talloc
context from the loading function for modules to use instead
of having them internally all use talloc_autofree_context()
which is a hidden global.
Updated all known module interface numbers, and added a
WHATSNEW.
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
The wscript_build files convey what header files belong to which
logical package. For example,
# lib/util/wscript_build:
bld.SAMBA_LIBRARY('samba-util',
public_headers='... data_blob.h ...'
# auth/credentials/wscript_build:
bld.SAMBA_LIBRARY('samba-credentials',
public_headers='credentials.h',
Now, credentials.h #includes <util/data_blob.h> and therefore,
samba-credentials.pc must have a Requires: samba-util.
Similarly for other parts.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
We now pass on the original client name and the client address to allow
consistent audit logging in Samba across multiple protocols.
We use config->db[0] to find the first database to record incorrect
users.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This will allow tests to be written to confirm the correct events are triggered.
We pass in a messaging context from the callers
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This will help avoid a dep loop when the low-level auth code relies on the message
code to deliver authentication messages
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
We also log if a simple bind was over TLS, as this particular case matters to a lot of folks
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
We typically do not want a lot of logging of anonymous access, as this is often
simple a preperation for authenticated access, so we make that level 5.
Bad passwords remain at level 2, successful password authentication is level 3
and successful authorization (eg kerberos login to SMB) is level 4.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Administrators really care about how their users were authenticated, so make
this clear.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
In ntlm_auth.c and authdata.c, the session info will be incomplete
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This ensures that gensec, and then the NTLM auth subsystem under it, always gets the
remote and local address pointers for potential logging.
The local address allows us to know which interface an authentication is on
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Add a human readable authentication log line, to allow
verification that all required details are being passed.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This will allow the authentication log to indicate clearly how the password was
supplied to the server.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This allows the GENSEC service description to be read at authentication time
for logging, eg that the user authenticated to the SAMR server
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This allows a free text description of what the server-side service is for logging
purposes where the various services may be using the same Kerberos service or not
use Kerberos.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This will allow a very verbose JSON line to be logged that others can audit from in the future
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
So far this is only on the AD DC
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Update a few wscript_build files to build Python 3-compatible modules
for Python 3.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Port Python bindings of samba.credentials module to
Python3-compatible form using macros from py3compat.h.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Without inlining the function, GCC doesn't know that
gensec_ntlmssp->ntlmssp_state->role always has a valid value.
With inlining, this is obviously redundant but GCC clearly knows
enough to detect this and elide the default case.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
coverity fix.
cli_credentials_set_principal does a strdup, we want to free 'name'
regardless of the result in 'ok'.
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This sets the default principal on the copied ccache if it hasn't been
set yet.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
These files should not be executable.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144
This fixes a bug in gensec_gssapi_client_start() where an invalid realm
is used to get a Kerberos ticket.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
aes based checksums can only be checked with the
corresponding aes based keytype.
Otherwise we may trigger an undefined code path
deep in the kerberos libraries, which can leed to
segmentation faults.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
Signed-off-by: Stefan Metzmacher <metze@samba.org>
We now first just remember the domain, realm, username, password values
(the last value wins).
At the end we call cli_credentials_set_{realm,domain,password}()
followed by cli_credentials_parse_string() for 'username'.
It means the last 'username' line beats the domain, realm or password lines, e.g.:
username=USERDOMAIN\username
domain=DOMAIN
will result in cli_credentials_get_domain() returning "USERDOMAIN" instead of
DOMAIN.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Some existing source3 tests (test_smbclient_s3.sh test_auth_file()) use a credentials file
that looks like this:
username=DOMAIN/username
password=password
domain=DOMAIN
This change allows us to parse the same.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If we reset username we need to reset principal if it was set at the same level.
If domain is reset we also need to use it as realm if realm
was set at the same level. Otherwise we'd build a principal
that belongs to a different user, which would not work
and only increment the wrong lockout counter and result
in wrong authorization tokens to be used.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
