The branch, master has been updated
       via  6411faf auth/gensec: align common elements between gse_context and gensec_gssapi_state
       via  e249bdd s3-gse: align common elements between gse_context and gensec_gssapi_state
       via  6727978 s3-gensec: Add hook to allow gensec to know if kerberos is permitted
       via  45ec777 s3-gse: Make gensec_gse cope with non-DCE GSSAPI
       via  545c1ad s3-gse: the server should not check for GSS_C_MUTUAL_FLAG
       via  c5864de s3-gse: verify that we got GSS_C_DCE_STYLE when expected
       via  ed88012 s3-gse Remove authenticated flag from gse
       via  c759097 s3-gse remove special more_processing hook from gse
       via  5b90bcf s3-gse Rename gss_c_flags and ret_flags in gse
       via  cf39b63 s3-gse Rename gss_ctx to match gensec_gssapi_context
       via  e8c8d29 s3-gse Rename delegated_creds to match gensec_gssapi_context
       via  40715e1 s3-librpc: pass struct ndr_interface_table down to cli_pipe_open_generic/spnego()
       via  9729bdf s3-utils/net: pass struct ndr_interface_table down
       via  34d5253 s3-rpcclient: pass struct ndr_interface_table down
       via  c62af4f s3-librpc Make cli_rpc_pipe_open_spnego_ntlmssp() generic
       via  f14bcdf s3-gse gss_wrap_iov_length() only needs the type and length
       via  23a062b s3-gse Make seal parameter a boolean for clarity
       via  f2efb0f s3-librpc Remove special case for spnego session key
       via  1818612 s3-librpc Remove special case for spnego dcerpc sign/seal
       via  ad14b8c s3-gse Move GSS_C_DCE_STYLE backup definition to gse.c
       via  0132cca s3-gse Add const
       via  90efbe0 s3-gse Remove or make static unused/local-only GSE functions
       via  1b5870a s3-librpc Remove unused dcesrv_gssapi.[ch] functions
       via  f70c9fb s3-librpc Remove layer around struct gensec_security
       via  5ddec11 s3-librpc: Simplify SPNEGO code now that all mechs use a struct gensec_security
       via  0c1b4c2 s3-librpc Call SPNEGO/GSSAPI via the auth_generic layer and gensec
       via  53cc9c6 s3-librpc Allow spnego_generic_init_client to handle kerberos too
       via  e012ad9 s3-librpc Call GSSAPI via the auth_generic layer and gensec
       via  1b63562 s3-libsmb Use the gse_krb5 gensec module as client
       via  d95d591 s3-gse Make gse available as a gensec client module
       via  60e1aa7 s3-build: Rework object lists to allow gse gensec module
       via  cbd8231 s3-gse: Add gensec wrapper for gse GSSAPI client
       via  43092cc s3-auth Match session setup handling of krb5, store the PAC
       via  f8c9ae3 s3-auth Add auth hook for PAC parsing
      from  d2bf6af s3: Use lock_order for setting the db priority

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 6411faf379e002605f5397c693d11760ba615abc
Author: Andrew Bartlett <[email protected]>
Date:   Wed Jan 11 11:52:13 2012 +1100

    auth/gensec: align common elements between gse_context and gensec_gssapi_state
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    
    Autobuild-User: Stefan Metzmacher <[email protected]>
    Autobuild-Date: Wed Jan 18 19:29:40 CET 2012 on sn-devel-104

commit e249bdd32ef9d6342901c596bba825c731d96180
Author: Andrew Bartlett <[email protected]>
Date:   Wed Jan 11 11:52:13 2012 +1100

    s3-gse: align common elements between gse_context and gensec_gssapi_state
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 67279780dd5742397918b532b4bc5e89072ab82d
Author: Andrew Bartlett <[email protected]>
Date:   Thu Jan 12 21:16:36 2012 +1100

    s3-gensec: Add hook to allow gensec to know if kerberos is permitted
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 45ec777e0ea78a1194980624ac9127a42b4b29fe
Author: Andrew Bartlett <[email protected]>
Date:   Sat Jan 14 11:40:18 2012 +1100

    s3-gse: Make gensec_gse cope with non-DCE GSSAPI
    
    The validation of the mutual authentication reply produces no further
    data to send to the server.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 545c1ad1b939015b618a1a979c435dbba70845bd
Author: Stefan Metzmacher <[email protected]>
Date:   Sat Jan 14 11:28:28 2012 +0100

    s3-gse: the server should not check for GSS_C_MUTUAL_FLAG
    
    It is up to the client to ask for GSS_C_MUTUAL_FLAG,
    except for the dcerpc case, where the server is stricter.
    
    metze

commit c5864deadcd24dcf1f9a99607deacc635e091fd4
Author: Stefan Metzmacher <[email protected]>
Date:   Sat Jan 14 11:27:21 2012 +0100

    s3-gse: verify that we got GSS_C_DCE_STYLE when expected
    
    GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG, so also check for it.
    
    metze

commit ed88012dd22c330117ed81c9adcc9e5c6e545bf8
Author: Andrew Bartlett <[email protected]>
Date:   Wed Jan 11 11:39:17 2012 +1100

    s3-gse Remove authenticated flag from gse
    
    The only user for this flag is called only directly after it was set.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit c7590979567008708af6fa9f4eba71001c404f91
Author: Andrew Bartlett <[email protected]>
Date:   Wed Jan 11 11:36:58 2012 +1100

    s3-gse remove special more_processing hook from gse
    
    The NT_STATUS_MORE_PROCESSING_REQUIRED status code is what gensec
    is expecting in any case.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 5b90bcf83bccd3462056c165d7581098c97e1b08
Author: Andrew Bartlett <[email protected]>
Date:   Wed Jan 11 11:29:01 2012 +1100

    s3-gse Rename gss_c_flags and ret_flags in gse
    
    This makes it clearer what type of flags these are and matches
    gensec_gssapi
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit cf39b63a7bd17f34e27b8b661776ff8e58371fbb
Author: Andrew Bartlett <[email protected]>
Date:   Wed Jan 11 11:18:16 2012 +1100

    s3-gse Rename gss_ctx to match gensec_gssapi_context
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit e8c8d293d80ca41312ab03c017490551dc978b7b
Author: Andrew Bartlett <[email protected]>
Date:   Wed Jan 11 11:17:26 2012 +1100

    s3-gse Rename delegated_creds to match gensec_gssapi_context
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 40715e1251dc27a677c1b0b894406b6d86e391f0
Author: Andrew Bartlett <[email protected]>
Date:   Tue Jan 10 21:53:42 2012 +1100

    s3-librpc: pass struct ndr_interface_table down to cli_pipe_open_generic/spnego()
    
    This allows the target service (as determined from the IDL) to be
    passed to GSSAPI (rather than the current, incorrect, "cifs").
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 9729bdf89f20998823a1dda9e215647a49ca76a6
Author: Andrew Bartlett <[email protected]>
Date:   Tue Jan 10 21:53:42 2012 +1100

    s3-utils/net: pass struct ndr_interface_table down
    
    This will allow the target service (as determined from the IDL) to be
    passed to GSSAPI (rather than the current, incorrect, "cifs").
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 34d52532b588497ea0306de59eabdd36c00242bf
Author: Andrew Bartlett <[email protected]>
Date:   Tue Jan 10 21:53:42 2012 +1100

    s3-rpcclient: pass struct ndr_interface_table down
    
    This will allow the target service (as determined from the IDL) to be
    passed to GSSAPI (rather than the current, incorrect, "cifs").
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit c62af4f6526d5b4a47b70ecfc4c1c03b1b64cf18
Author: Andrew Bartlett <[email protected]>
Date:   Tue Jan 10 21:03:02 2012 +1100

    s3-librpc Make cli_rpc_pipe_open_spnego_ntlmssp() generic
    
    This also avoids passing NULL as the server to
    gensec_set_target_hostname() in spnego_generic_init_client().
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit f14bcdf8ec894d77f80e532859c2c7170406eaad
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Jan 6 16:58:51 2012 +0100

    s3-gse gss_wrap_iov_length() only needs the type and length
    
    metze

commit 23a062b51bf3a2a9bd5f406dd90a5655299cb077
Author: Andrew Bartlett <[email protected]>
Date:   Wed Jan 4 00:42:35 2012 +1100

    s3-gse Make seal parameter a boolean for clarity
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit f2efb0f6a3536d9aa84932f6997de39f0adf5b90
Author: Andrew Bartlett <[email protected]>
Date:   Tue Jan 3 22:00:11 2012 +1100

    s3-librpc Remove special case for spnego session key
    
    SPNEGO is implemented only in terms of gensec mechanisms now.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 1818612830576419889ff5702d5e85fa63ddb121
Author: Andrew Bartlett <[email protected]>
Date:   Tue Jan 3 21:54:49 2012 +1100

    s3-librpc Remove special case for spnego dcerpc sign/seal
    
    SPNEGO is implemented only in terms of gensec mechanisms now.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit ad14b8c655f1ae02b2d2b854ab6bda4480c5f8ca
Author: Andrew Bartlett <[email protected]>
Date:   Mon Jan 2 21:04:57 2012 +1100

    s3-gse Move GSS_C_DCE_STYLE backup definition to gse.c
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 0132cca82599839ebb736e7eb32889a8cc9c91b7
Author: Andrew Bartlett <[email protected]>
Date:   Mon Jan 2 20:38:31 2012 +1100

    s3-gse Add const
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 90efbe0fad590150ad6586c038f9e3ac84780c45
Author: Andrew Bartlett <[email protected]>
Date:   Mon Jan 2 20:30:41 2012 +1100

    s3-gse Remove or make static unused/local-only GSE functions
    
    The GSE layer is now used via the GENSEC module, so we do not need these
    functions exposed any more.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 1b5870a6d13d0972bb8ffea0be1793c20b1afe30
Author: Andrew Bartlett <[email protected]>
Date:   Mon Jan 2 20:30:41 2012 +1100

    s3-librpc Remove unused dcesrv_gssapi.[ch] functions
    
    The code from dcesrv_gssapi.c is now
    in source3/auth/auth_generic.c as an auth callback.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit f70c9fb76c8d6fbe8585a644a408e1ff29596b9f
Author: Andrew Bartlett <[email protected]>
Date:   Mon Jan 2 15:50:07 2012 +1100

    s3-librpc Remove layer around struct gensec_security
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 5ddec1182ec378e4560f0d98604060fdc4b6f542
Author: Andrew Bartlett <[email protected]>
Date:   Mon Jan 2 15:48:09 2012 +1100

    s3-librpc: Simplify SPNEGO code now that all mechs use a struct gensec_security
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 0c1b4c232135ebdef58bb5e697dfc60ddbb358bc
Author: Andrew Bartlett <[email protected]>
Date:   Mon Jan 2 15:38:38 2012 +1100

    s3-librpc Call SPNEGO/GSSAPI via the auth_generic layer and gensec
    
    This simplifies a lot of code, as we know we are always dealing
    with a struct gensec_security, and allows the gensec module being
    used to implement GSSAPI to be swapped for AD-server operation.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 53cc9c6a3016b6ba95f280eb68600bdc21a6eed7
Author: Andrew Bartlett <[email protected]>
Date:   Mon Jan 2 15:26:15 2012 +1100

    s3-librpc Allow spnego_generic_init_client to handle kerberos too
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit e012ad9d8b7cea3a86841fe92b80627a6d07d459
Author: Andrew Bartlett <[email protected]>
Date:   Mon Jan 2 13:06:29 2012 +1100

    s3-librpc Call GSSAPI via the auth_generic layer and gensec
    
    This simplifies a lot of code, as we know we are always dealing with a
    struct gensec_security, and allows the gensec module being used to
    implement GSSAPI to be swapped when required for AD-server operation.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 1b6356298ceeb21ebcb125e239316fb29ff623fc
Author: Andrew Bartlett <[email protected]>
Date:   Mon Jan 2 20:22:38 2012 +1100

    s3-libsmb Use the gse_krb5 gensec module as client
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit d95d59138c6dc255f433e4d3c88b8afbc9ea0b26
Author: Andrew Bartlett <[email protected]>
Date:   Mon Jan 2 20:22:38 2012 +1100

    s3-gse Make gse available as a gensec client module
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 60e1aa701c18a0871d94f74f565b9abaa41c0de9
Author: Andrew Bartlett <[email protected]>
Date:   Tue Jan 3 00:52:06 2012 +0100

    s3-build: Rework object lists to allow gse gensec module
    
    This also allows the spnego_parse_krb5_wrap() function to be shared.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit cbd8231e342b1af8194e72fa3bd21fd91691cd1f
Author: Andrew Bartlett <[email protected]>
Date:   Wed Dec 28 09:55:55 2011 +1100

    s3-gse: Add gensec wrapper for gse GSSAPI client
    
    This brings in part of the s4 gensec_gssapi as the boilerplate for the
    new module.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 43092ccf266b93b71bca98cc0324dbc1644a092a
Author: Andrew Bartlett <[email protected]>
Date:   Tue Jan 10 22:01:44 2012 +1100

    s3-auth Match session setup handling of krb5, store the PAC
    
    This will allow non-krb5 services to get the full user groups
    without needing to do an online s4u2self.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit f8c9ae3615cf0c463bd2bff1531894612b574930
Author: Andrew Bartlett <[email protected]>
Date:   Sat Dec 31 22:57:18 2011 +1100

    s3-auth Add auth hook for PAC parsing
    
    This will allow gensec_gse to parse the PAC.
    
    This is a copy from source3/rpc_server/dcesrv_generic.c to preserve
    behaviour.  A future commit will enable the samlogon cache.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/gensec_gssapi.h            |    8 +-
 source3/Makefile.in                    |   63 ++--
 source3/auth/auth_generic.c            |  164 +++++++-
 source3/librpc/crypto/cli_spnego.c     |  209 ++--------
 source3/librpc/crypto/gse.c            |  740 +++++++++++++++++++++-----------
 source3/librpc/crypto/gse.h            |   49 +--
 source3/librpc/crypto/spnego.h         |   22 +-
 source3/librpc/rpc/dcerpc_helpers.c    |  250 +----------
 source3/libsmb/auth_generic.c          |    7 +-
 source3/libsmb/passchange.c            |    2 +-
 source3/rpc_client/cli_pipe.c          |  259 ++----------
 source3/rpc_client/cli_pipe.h          |   29 +-
 source3/rpc_client/cli_pipe_schannel.c |    7 +-
 source3/rpc_server/dcesrv_gssapi.c     |  223 ----------
 source3/rpc_server/dcesrv_gssapi.h     |   42 --
 source3/rpc_server/dcesrv_spnego.c     |   74 +---
 source3/rpc_server/srv_pipe.c          |  151 +------
 source3/rpc_server/wscript_build       |    2 +-
 source3/rpcclient/cmd_dfs.c            |   12 +-
 source3/rpcclient/cmd_drsuapi.c        |    6 +-
 source3/rpcclient/cmd_dssetup.c        |    2 +-
 source3/rpcclient/cmd_echo.c           |    8 +-
 source3/rpcclient/cmd_epmapper.c       |    4 +-
 source3/rpcclient/cmd_eventlog.c       |   16 +-
 source3/rpcclient/cmd_lsarpc.c         |   64 ++--
 source3/rpcclient/cmd_netlogon.c       |   44 +-
 source3/rpcclient/cmd_ntsvcs.c         |   14 +-
 source3/rpcclient/cmd_samr.c           |   70 ++--
 source3/rpcclient/cmd_spoolss.c        |   72 ++--
 source3/rpcclient/cmd_srvsvc.c         |   26 +-
 source3/rpcclient/cmd_winreg.c         |    6 +-
 source3/rpcclient/cmd_wkssvc.c         |   10 +-
 source3/rpcclient/rpcclient.c          |   65 ++--
 source3/rpcclient/rpcclient.h          |    2 +-
 source3/utils/net.h                    |    2 +-
 source3/utils/net_dom.c                |   12 +-
 source3/utils/net_printing.c           |    2 +-
 source3/utils/net_proto.h              |    2 +-
 source3/utils/net_rpc.c                |  137 +++---
 source3/utils/net_rpc_audit.c          |   10 +-
 source3/utils/net_rpc_conf.c           |   26 +-
 source3/utils/net_rpc_registry.c       |   22 +-
 source3/utils/net_rpc_rights.c         |   12 +-
 source3/utils/net_rpc_samsync.c        |   14 +-
 source3/utils/net_rpc_service.c        |   16 +-
 source3/utils/net_rpc_sh_acct.c        |   16 +-
 source3/utils/net_rpc_shell.c          |    4 +-
 source3/utils/ntlm_auth.c              |   39 --
 source3/winbindd/winbindd_cm.c         |   25 +-
 source3/wscript_build                  |   15 +-
 50 files changed, 1209 insertions(+), 1867 deletions(-)
 delete mode 100644 source3/rpc_server/dcesrv_gssapi.c
 delete mode 100644 source3/rpc_server/dcesrv_gssapi.h


Changeset truncated at 500 lines:

diff --git a/auth/gensec/gensec_gssapi.h b/auth/gensec/gensec_gssapi.h
index 4a64762..97c5491 100644
--- a/auth/gensec/gensec_gssapi.h
+++ b/auth/gensec/gensec_gssapi.h
@@ -37,19 +37,21 @@ enum gensec_gssapi_sasl_state
 
 struct gensec_gssapi_state {
        gss_ctx_id_t gssapi_context;
-       struct gss_channel_bindings_struct *input_chan_bindings;
        gss_name_t server_name;
        gss_name_t client_name;
        OM_uint32 gss_want_flags, gss_got_flags;
+
+       gss_cred_id_t delegated_cred_handle;
+
+       /* gensec_gssapi only */
        gss_OID gss_oid;
 
+       struct gss_channel_bindings_struct *input_chan_bindings;
        struct smb_krb5_context *smb_krb5_context;
        struct gssapi_creds_container *client_cred;
        struct gssapi_creds_container *server_cred;
        gss_krb5_lucid_context_v1_t *lucid;
 
-       gss_cred_id_t delegated_cred_handle;
-
        bool sasl; /* We have two different mechs in this file: One
                    * for SASL wrapped GSSAPI and another for normal
                    * GSSAPI */
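Review bot: nothing enforces that the shared prefix of struct gensec_gssapi_state (gssapi_context, server_name, client_name, gss_want_flags/gss_got_flags and delegated_cred_handle, i.e. everything above the `/* gensec_gssapi only */` marker) stays identical to the corresponding prefix of gse_context; the alignment is done by hand in two files. Consider pulling the common members into one small struct that both gse_context and gensec_gssapi_state embed, or at minimum add a comment on both sides naming the other struct, so that a field later inserted above the marker in only one of them does not silently break whatever code relies on the common layout. Also note that input_chan_bindings is moved into the gensec_gssapi-only part, so channel bindings are explicitly not part of the shared layout; worth stating whether gse is expected to grow support for them.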
diff --git a/source3/Makefile.in b/source3/Makefile.in
index f2d8942..43dabcc 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -555,9 +555,12 @@ LIBSMB_OBJ0 = \
               ../lib/util/asn1.o \
               ../libcli/auth/spnego_parse.o \
               ../libcli/auth/ntlm_check.o \
+              ../libcli/auth/krb5_wrap.o \
               libsmb/ntlmssp.o \
               libsmb/ntlmssp_wrap.o \
               libsmb/auth_generic.o \
+              libsmb/clikrb5.o \
+              libsmb/clispnego.o \
               ../auth/gensec/gensec.o \
               ../auth/gensec/gensec_start.o \
               ../auth/gensec/gensec_util.o \
@@ -594,7 +597,6 @@ SCHANNEL_OBJ = ../libcli/auth/credentials.o \
               $(LIBNDR_SCHANNEL_OBJ)
 
 LIBSMB_OBJ = libsmb/clientgen.o libsmb/cliconnect.o libsmb/clifile.o \
-            libsmb/clikrb5.o ../libcli/auth/krb5_wrap.o libsmb/clispnego.o \
             libsmb/reparse_symlink.o \
             libsmb/clisymlink.o \
             libsmb/clirap.o libsmb/clierror.o libsmb/climessage.o \
@@ -631,6 +633,7 @@ LIBMSRPC_OBJ = $(SCHANNEL_OBJ) \
               librpc/crypto/gse_krb5.o \
               librpc/crypto/gse.o \
               ../auth/kerberos/gssapi_pac.o \
+              ../auth/kerberos/gssapi_parse.o \
               librpc/crypto/cli_spnego.o \
               librpc/rpc/rpc_common.o \
               rpc_client/rpc_transport_np.o \
@@ -760,7 +763,6 @@ RPC_CONFIG = rpc_server/rpc_config.o
 RPC_SERVICE = rpc_server/rpc_server.o
 
 RPC_CRYPTO = rpc_server/dcesrv_auth_generic.o \
-               rpc_server/dcesrv_gssapi.o \
                rpc_server/dcesrv_spnego.o
 
 RPC_PIPE_OBJ = rpc_server/srv_pipe.o rpc_server/srv_pipe_hnd.o \
@@ -1014,7 +1016,7 @@ NMBD_OBJ1 = nmbd/asyncdns.o nmbd/nmbd.o 
nmbd/nmbd_become_dmb.o \
 
 NMBD_OBJ = $(NMBD_OBJ1) $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
            $(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
-          $(LIBNDR_GEN_OBJ0)
+          $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ)
 
 SWAT_OBJ1 = web/cgi.o web/diagnose.o web/startstop.o web/statuspage.o \
            web/swat.o web/neg_lang.o
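Review bot: this looks like a link-dependency leak rather than a deliberate feature: nmbd has no RPC or GSSAPI client role, yet NMBD_OBJ now needs $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ) where it previously only needed $(LIBNDR_GEN_OBJ0), and the same substitution is repeated further down for pdbedit, smbspool, masktest, locktest, pdbtest, locktest2, smbfilter, pam_smbpass, wbinfo and ntlm_auth. The cause is that libsmb/auth_generic.o in LIBSMB_OBJ0 now registers the gse gensec client module and so drags gse.o and the rest of the RPC crypto objects into every consumer of LIBSMB_OBJ. Consider splitting the gse/krb5 gensec registration into its own object list that only the SMB and RPC client binaries add, so that nmbd and the PAM module do not grow the RPC marshalling and GSSAPI code into their binaries.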
@@ -1066,10 +1068,10 @@ SMBPASSWD_OBJ = utils/smbpasswd.o $(PASSWD_UTIL_OBJ) 
$(PASSCHANGE_OBJ) \
                rpc_client/init_lsa.o
 
 PDBEDIT_OBJ = utils/pdbedit.o $(PASSWD_UTIL_OBJ) $(PARAM_OBJ) $(PASSDB_OBJ) \
-               $(LIBSAMBA_OBJ) \
+               $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
+               $(AFS_SETTOKEN_OBJ) \
+               $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ) \
                $(LIB_NONSMBD_OBJ) $(GROUPDB_OBJ) \
-               $(LIBCLI_LDAP_NDR_OBJ) \
-               $(DRSUAPI_OBJ) $(LIBNDR_GEN_OBJ0) \
                $(POPT_LIB_OBJ) $(SMBLDAP_OBJ)
 
 SMBGET_OBJ = utils/smbget.o $(POPT_LIB_OBJ) $(LIBSMBCLIENT_OBJ1)
@@ -1245,8 +1247,8 @@ NET_OBJ = $(NET_OBJ1) \
          $(LIB_EVENTLOG_OBJ)
 
 CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
-         $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) \
-         $(LIBNDR_GEN_OBJ0)
+               $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) \
+               $(AFS_SETTOKEN_OBJ) $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ)
 
 NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(LIBNMB_OBJ) \
                $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
@@ -1276,23 +1278,23 @@ SMBTORTURE_OBJ = $(SMBTORTURE_OBJ1) $(PARAM_OBJ) 
$(TLDAP_OBJ) \
        $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ) $(LIBCLI_ECHO_OBJ)
 
 MASKTEST_OBJ = torture/masktest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
-                 $(LIB_NONSMBD_OBJ) \
-                $(LIBNDR_GEN_OBJ0)
+               $(LIB_NONSMBD_OBJ) \
+               $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ)
 
 MSGTEST_OBJ = torture/msgtest.o $(PARAM_OBJ) $(LIBSMB_ERR_OBJ) \
                  $(LIB_NONSMBD_OBJ) \
                 $(LIBNDR_GEN_OBJ0)
 
 LOCKTEST_OBJ = torture/locktest.o $(PARAM_OBJ) $(LOCKING_OBJ) $(KRBCLIENT_OBJ) 
\
-               $(LIBSMB_OBJ) $(LIB_NONSMBD_OBJ) \
-               $(LIBNDR_GEN_OBJ0) $(FNAME_UTIL_OBJ)
+               $(LIBSMB_OBJ) $(LIB_NONSMBD_OBJ) \
+               $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ) $(FNAME_UTIL_OBJ)
 
 NSSTEST_OBJ = ../nsswitch/nsstest.o $(LIBSAMBAUTIL_OBJ)
 
 PDBTEST_OBJ = torture/pdbtest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
                $(LIB_NONSMBD_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
                $(SMBLDAP_OBJ) $(POPT_LIB_OBJ) \
-               $(LIBNDR_GEN_OBJ0)
+               $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ)
 
 VFSTEST_OBJ = torture/cmd_vfs.o torture/vfstest.o $(SMBD_OBJ_BASE) 
$(READLINE_OBJ)
 
@@ -1300,7 +1302,7 @@ LOG2PCAP_OBJ = utils/log2pcaphex.o
 
 LOCKTEST2_OBJ = torture/locktest2.o $(PARAM_OBJ) $(LOCKING_OBJ) $(LIBSMB_OBJ) \
                $(KRBCLIENT_OBJ) $(LIB_NONSMBD_OBJ) \
-               $(LIBNDR_GEN_OBJ0) $(FNAME_UTIL_OBJ)
+               $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ) $(FNAME_UTIL_OBJ)
 
 SMBCACLS_OBJ = utils/smbcacls.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
                $(KRBCLIENT_OBJ) $(LIB_NONSMBD_OBJ) \
@@ -1340,8 +1342,8 @@ REPLACETORT_OBJ = @libreplacedir@/test/testsuite.o \
 DEBUG2HTML_OBJ = utils/debug2html.o utils/debugparse.o
 
 SMBFILTER_OBJ = utils/smbfilter.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
-                 $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) \
-                $(LIBNDR_GEN_OBJ0)
+               $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) \
+               $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ)
 
 WINBIND_WINS_NSS_OBJ = ../nsswitch/wins.o $(PARAM_OBJ) \
        $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNMB_OBJ)
@@ -1349,8 +1351,10 @@ WINBIND_WINS_NSS_OBJ = ../nsswitch/wins.o $(PARAM_OBJ) \
 PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \
                pam_smbpass/pam_smb_acct.o pam_smbpass/support.o
 PAM_SMBPASS_OBJ = $(PAM_SMBPASS_OBJ_0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) 
$(PASSDB_OBJ) $(GROUPDB_OBJ) \
-               $(SMBLDAP_OBJ) $(LIBSAMBA_OBJ) \
-               $(DRSUAPI_OBJ) $(LIBNDR_GEN_OBJ0) \
+               $(SMBLDAP_OBJ) \
+               $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
+               $(AFS_SETTOKEN_OBJ) \
+               $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ) \
                $(PAM_ERRORS_OBJ)
 
 IDMAP_RW_OBJ = winbindd/idmap_rw.o
@@ -1493,9 +1497,10 @@ WINBINDD_OBJ = \
                rpc_client/init_samr.o \
                $(PAM_ERRORS_OBJ)
 
-WBINFO_OBJ = ../nsswitch/wbinfo.o $(LIBSAMBA_OBJ) $(PARAM_OBJ) 
$(LIB_NONSMBD_OBJ) \
+WBINFO_OBJ = ../nsswitch/wbinfo.o $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
+               $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
                $(POPT_LIB_OBJ) $(AFS_SETTOKEN_OBJ) \
-               lib/winbind_util.o $(WBCOMMON_OBJ)
+               lib/winbind_util.o $(WBCOMMON_OBJ) $(LIBMSRPC_OBJ) 
$(LIBMSRPC_GEN_OBJ)
 
 WINBIND_NSS_OBJ = $(WBCOMMON_OBJ) $(LIBREPLACE_OBJ) @WINBIND_NSS_EXTRA_OBJS@
 
@@ -1526,17 +1531,15 @@ TDBTORTURE_OBJ = @tdbdir@/tools/tdbtorture.o 
$(LIBREPLACE_OBJ) \
 
 NTLM_AUTH_OBJ1 = utils/ntlm_auth.o utils/ntlm_auth_diagnostics.o
 
-NTLM_AUTH_OBJ = ${NTLM_AUTH_OBJ1} $(LIBSAMBA_OBJ) $(POPT_LIB_OBJ) \
-               libsmb/clikrb5.o ../libcli/auth/krb5_wrap.o libads/kerberos.o \
+NTLM_AUTH_OBJ = ${NTLM_AUTH_OBJ1} \
                libsmb/samlogon_cache.o \
                $(LIBADS_SERVER_OBJ) \
                $(PASSDB_OBJ) $(GROUPDB_OBJ) \
-               $(SMBLDAP_OBJ) $(LIBNMB_OBJ) \
                $(WBCOMMON_OBJ) \
-               $(LIBNBT_OBJ) \
-               $(CLDAP_OBJ) \
-               $(DRSUAPI_OBJ) \
-               $(LIBNDR_GEN_OBJ0) $(LIBNDR_NETLOGON_OBJ) @BUILD_INIPARSER@
+               $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
+               $(AFS_SETTOKEN_OBJ) \
+               $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ) \
+               $(POPT_LIB_OBJ) $(SMBLDAP_OBJ) @BUILD_INIPARSER@
 
 
 VLP_OBJ = printing/tests/vlp.o \
@@ -3143,10 +3146,10 @@ bin/ntlm_auth@EXEEXT@: $(BINARY_PREREQS) 
$(NTLM_AUTH_OBJ) $(PARAM_OBJ) \
                $(POPT_LIBS) $(KRB5LIBS) $(LDAP_LIBS) $(NSCD_LIBS) \
                $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) 
@INIPARSERLIBS@
 
-bin/pam_smbpass.@SHLIBEXT@: $(BINARY_PREREQS) $(PAM_SMBPASS_OBJ) 
$(LIBCLI_LDAP_NDR_OBJ) $(LIBTALLOC) $(LIBWBCLIENT) $(LIBTDB)
+bin/pam_smbpass.@SHLIBEXT@: $(BINARY_PREREQS) $(PAM_SMBPASS_OBJ) $(LIBTALLOC) 
$(LIBWBCLIENT) $(LIBTDB)
        @echo "Linking shared library $@"
-       @$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_SMBPASS_OBJ) $(LIBCLI_LDAP_NDR_OBJ) 
-lpam $(DYNEXP) \
-               $(LIBS) $(LDAP_LIBS) $(NSCD_LIBS) $(ZLIB_LIBS) \
+       @$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_SMBPASS_OBJ) -lpam $(DYNEXP) \
+               $(LIBS) $(LDAP_LIBS) $(NSCD_LIBS) $(KRB5LIBS) $(ZLIB_LIBS) \
                $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS)
 
 bin/tdbbackup@EXEEXT@: $(BINARY_PREREQS) $(TDBBACKUP_OBJ) $(LIBTALLOC) 
$(LIBTDB)
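Review bot: a PAM module now links Kerberos: adding $(KRB5LIBS) to the pam_smbpass.@SHLIBEXT@ link line pulls libkrb5/libgssapi into every process that loads the module (su, login, sshd), even though pam_smbpass itself never speaks Kerberos. It is only needed because PAM_SMBPASS_OBJ above picked up $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) $(LIBMSRPC_OBJ). If that object-list growth is kept, please confirm the module still builds and links on a non-Kerberos configuration where KRB5LIBS is empty, and mention the new runtime dependency of the PAM module in the commit message, since packagers will see it as a changed library dependency.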
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index d7108f5..6db761b 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -1,10 +1,11 @@
 /* 
    Unix SMB/Netbios implementation.
    Version 3.0
-   handle NLTMSSP, server side
+   handle GENSEC authentication, server side
 
    Copyright (C) Andrew Tridgell      2001
    Copyright (C) Andrew Bartlett 2001-2003,2011
+   Copyright (C) Simo Sorce 2010.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
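Review bot: style only: the new `Copyright (C) Simo Sorce 2010.` line ends with a period while the neighbouring copyright lines do not; drop it for consistency. The `Version 3.0` line in the same header is stale now that the file describes GENSEC rather than NTLMSSP handling, but that predates this change.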
@@ -25,6 +26,127 @@
 #include "../lib/tsocket/tsocket.h"
 #include "auth/gensec/gensec.h"
 #include "lib/param/param.h"
+#ifdef HAVE_KRB5
+#include "libcli/auth/krb5_wrap.h"
+#endif
+#include "librpc/crypto/gse.h"
+#include "auth/credentials/credentials.h"
+
+static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+                                               TALLOC_CTX *mem_ctx,
+                                               struct smb_krb5_context 
*smb_krb5_context,
+                                               DATA_BLOB *pac_blob,
+                                               const char *princ_name,
+                                               const struct tsocket_address 
*remote_address,
+                                               uint32_t session_info_flags,
+                                               struct auth_session_info 
**session_info)
+{
+       TALLOC_CTX *tmp_ctx;
+       struct PAC_DATA *pac_data = NULL;
+       struct PAC_LOGON_INFO *logon_info = NULL;
+       unsigned int i;
+       bool is_mapped;
+       bool is_guest;
+       char *ntuser;
+       char *ntdomain;
+       char *username;
+       char *rhost;
+       struct passwd *pw;
+       NTSTATUS status;
+       int rc;
+
+       tmp_ctx = talloc_new(mem_ctx);
+       if (!tmp_ctx) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       if (pac_blob) {
+#ifdef HAVE_KRB5
+               status = kerberos_decode_pac(tmp_ctx,
+                                    *pac_blob,
+                                    NULL, NULL, NULL, NULL, 0, &pac_data);
+#else
+               status = NT_STATUS_ACCESS_DENIED;
+#endif
+               if (!NT_STATUS_IS_OK(status)) {
+                       goto done;
+               }
+
+               /* get logon name and logon info */
+               for (i = 0; i < pac_data->num_buffers; i++) {
+                       struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
+
+                       switch (data_buf->type) {
+                       case PAC_TYPE_LOGON_INFO:
+                               if (!data_buf->info) {
+                                       break;
+                               }
+                               logon_info = data_buf->info->logon_info.info;
+                               break;
+                       default:
+                               break;
+                       }
+               }
+               if (!logon_info) {
+                       DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
+                       status = NT_STATUS_NOT_FOUND;
+                       goto done;
+               }
+       }
+
+       rc = get_remote_hostname(remote_address,
+                                &rhost,
+                                tmp_ctx);
+       if (rc < 0) {
+               status = NT_STATUS_NO_MEMORY;
+               goto done;
+       }
+       if (strequal(rhost, "UNKNOWN")) {
+               rhost = tsocket_address_inet_addr_string(remote_address,
+                                                        tmp_ctx);
+               if (rhost == NULL) {
+                       status = NT_STATUS_NO_MEMORY;
+                       goto done;
+               }
+       }
+
+       status = get_user_from_kerberos_info(tmp_ctx, rhost,
+                                            princ_name, logon_info,
+                                            &is_mapped, &is_guest,
+                                            &ntuser, &ntdomain,
+                                            &username, &pw);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(1, ("Failed to map kerberos principal to system user "
+                         "(%s)\n", nt_errstr(status)));
+               status = NT_STATUS_ACCESS_DENIED;
+               goto done;
+       }
+
+       /* save the PAC data if we have it */
+       if (logon_info) {
+               netsamlogon_cache_store(ntuser, &logon_info->info3);
+       }
+
+       status = make_session_info_krb5(mem_ctx,
+                                       ntuser, ntdomain, username, pw,
+                                       logon_info, is_guest, is_mapped, NULL 
/* No session key for now, caller will sort it out */,
+                                       session_info);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
+                         nt_errstr(status)));
+               status = NT_STATUS_ACCESS_DENIED;
+               goto done;
+       }
+
+       DEBUG(5, (__location__ "OK: user: %s domain: %s client: %s\n",
+                 ntuser, ntdomain, rhost));
+
+       status = NT_STATUS_OK;
+
+done:
+       TALLOC_FREE(tmp_ctx);
+       return status;
+}
 
 NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
                              const struct tsocket_address *remote_address,
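Review bot: make_session_info_krb5() is handed a NULL session key with the inline comment "No session key for now, caller will sort it out", but nothing records that obligation for the caller; since this function is installed as auth4_context->generate_session_info_pac, the contract (who fills in the session key and when) belongs in a doc comment on the function rather than in a mid-argument comment. Two smaller points: every negative rc from get_remote_hostname() is reported as NT_STATUS_NO_MEMORY and, unlike the other failure paths here, not logged, so a DEBUG line before the goto would make that path diagnosable; and the bool result of netsamlogon_cache_store() is dropped silently.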
@@ -54,6 +176,15 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
                struct gensec_settings *gensec_settings;
                struct loadparm_context *lp_ctx;
 
+               struct cli_credentials *server_credentials;
+               struct auth4_context *auth4_context = talloc_zero(tmp_ctx, 
struct auth4_context);
+               if (auth4_context == NULL) {
+                       DEBUG(10, ("failed to allocate auth4_context 
failed\n"));
+                       TALLOC_FREE(tmp_ctx);
+                       return NT_STATUS_NO_MEMORY;
+               }
+               auth4_context->generate_session_info_pac = 
auth3_generate_session_info_pac;
+
                lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_context());
                if (lp_ctx == NULL) {
                        DEBUG(10, ("loadparm_init_s3 failed\n"));
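Review bot: the debug string on the auth4_context allocation failure reads "failed to allocate auth4_context failed"; drop the trailing "failed". The context is talloc_zero()ed and only generate_session_info_pac is filled in, so every other callback pointer in it is NULL; if gensec_ntlmssp3_server_ops never reaches into this context, a one-line comment saying so would spare the next reader from checking.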
@@ -68,7 +199,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
                        return NT_STATUS_NO_MEMORY;
                }
 
-               gensec_settings->backends = talloc_zero_array(gensec_settings, 
struct gensec_security_ops *, 2);
+               gensec_settings->backends = talloc_zero_array(gensec_settings, 
struct gensec_security_ops *, 3);
                if (gensec_settings->backends == NULL) {
                        TALLOC_FREE(tmp_ctx);
                        return NT_STATUS_NO_MEMORY;
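Review bot: the backends array grows from 2 to 3 to hold ntlmssp, gse and the NULL terminator, but nothing here says the array is NULL-terminated, and when the gse backend is compiled out the third slot is simply unused; a short comment next to the talloc_zero_array() (e.g. "ntlmssp, gse, NULL terminator") would document the sizing.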
@@ -76,15 +207,42 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
 
                gensec_settings->backends[0] = &gensec_ntlmssp3_server_ops;
 
+#if defined(HAVE_KRB5) && defined(HAVE_GSS_WRAP_IOV)
+               gensec_settings->backends[1] = &gensec_gse_krb5_security_ops;
+#endif
+
+               /*
+                * This is anonymous for now, because we just use it
+                * to set the kerberos state at the moment
+                */
+               server_credentials = cli_credentials_init_anon(tmp_ctx);
+               if (!server_credentials) {
+                       DEBUG(0, ("auth_generic_prepare: Failed to init server 
credentials\n"));
+                       return NT_STATUS_NO_MEMORY;
+               }
+
+               cli_credentials_set_conf(server_credentials, lp_ctx);
+
+               if (lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
+                       cli_credentials_set_kerberos_state(server_credentials, 
CRED_AUTO_USE_KERBEROS);
+               } else {
+                       cli_credentials_set_kerberos_state(server_credentials, 
CRED_DONT_USE_KERBEROS);
+               }
+
                nt_status = gensec_server_start(tmp_ctx, gensec_settings,
-                                               NULL, &gensec_security);
+                                               auth4_context, 
&gensec_security);
 
                if (!NT_STATUS_IS_OK(nt_status)) {
                        TALLOC_FREE(tmp_ctx);
                        return nt_status;
                }
+
+               gensec_set_credentials(gensec_security, server_credentials);
+
                talloc_unlink(tmp_ctx, lp_ctx);
+               talloc_unlink(tmp_ctx, server_credentials);
                talloc_unlink(tmp_ctx, gensec_settings);
+               talloc_unlink(tmp_ctx, auth4_context);
        }
 
        nt_status = gensec_set_remote_address(gensec_security,
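Review bot: the cli_credentials_init_anon() failure path returns NT_STATUS_NO_MEMORY without TALLOC_FREE(tmp_ctx), unlike every other early return in this function (the gensec_server_start() failure a few lines below does free it); add the free before the return. The return value of gensec_set_credentials() is also discarded, while the gensec_set_remote_address() call right after the block is checked into nt_status; if it returns NTSTATUS, handle it the same way. Finally, talloc_unlink(tmp_ctx, server_credentials) after gensec_set_credentials() relies on gensec holding its own reference, as is already assumed for lp_ctx and gensec_settings; a comment would help, since otherwise the credentials would be freed while gensec_security still points at them.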
diff --git a/source3/librpc/crypto/cli_spnego.c 
b/source3/librpc/crypto/cli_spnego.c
index 98251c7..e676703 100644
--- a/source3/librpc/crypto/cli_spnego.c
+++ b/source3/librpc/crypto/cli_spnego.c
@@ -46,44 +46,6 @@ static NTSTATUS spnego_context_init(TALLOC_CTX *mem_ctx,
        return NT_STATUS_OK;
 }
 
-NTSTATUS spnego_gssapi_init_client(TALLOC_CTX *mem_ctx,
-                                  bool do_sign, bool do_seal,
-                                  bool is_dcerpc,
-                                  const char *ccache_name,
-                                  const char *server,
-                                  const char *service,
-                                  const char *username,
-                                  const char *password,
-                                  struct spnego_context **spnego_ctx)
-{
-       struct spnego_context *sp_ctx = NULL;
-       uint32_t add_gss_c_flags = 0;
-       NTSTATUS status;
-
-       status = spnego_context_init(mem_ctx, do_sign, do_seal, &sp_ctx);
-       if (!NT_STATUS_IS_OK(status)) {
-               return status;
-       }
-       sp_ctx->mech = SPNEGO_KRB5;
-
-       if (is_dcerpc) {
-               add_gss_c_flags = GSS_C_DCE_STYLE;
-       }
-
-       status = gse_init_client(sp_ctx,
-                                do_sign, do_seal,
-                                ccache_name, server, service,
-                                username, password, add_gss_c_flags,
-                                &sp_ctx->mech_ctx.gssapi_state);
-       if (!NT_STATUS_IS_OK(status)) {
-               TALLOC_FREE(sp_ctx);
-               return status;
-       }
-
-       *spnego_ctx = sp_ctx;
-       return NT_STATUS_OK;
-}
-
 NTSTATUS spnego_generic_init_client(TALLOC_CTX *mem_ctx,
                                    const char *oid,
                                    bool do_sign, bool do_seal,
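Review bot: removing spnego_gssapi_init_client() drops the only place in this file where is_dcerpc was mapped to GSS_C_DCE_STYLE and where ccache_name, server, service, username and password were passed to gse_init_client(); the replacement path through spnego_generic_init_client() with GENSEC_OID_KERBEROS5 (next hunk) has to provide the same, so please confirm the DCE-style flag is now set via the gensec layer. The hunk touches only the .c file, so the prototype in the header and any remaining callers need to go in the same commit.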
@@ -105,6 +67,8 @@ NTSTATUS spnego_generic_init_client(TALLOC_CTX *mem_ctx,
        }
        if (strcmp(oid, GENSEC_OID_NTLMSSP) == 0) {
                sp_ctx->mech = SPNEGO_NTLMSSP;
+       } else if (strcmp(oid, GENSEC_OID_KERBEROS5) == 0) {
+               sp_ctx->mech = SPNEGO_KRB5;
        } else {
                return NT_STATUS_INVALID_PARAMETER;
        }
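Review bot: the else branch returns NT_STATUS_INVALID_PARAMETER without freeing sp_ctx, which is already allocated at this point (sp_ctx->mech is assigned in the branches above); this predates the patch, but since the patch extends this chain it is the right place to add TALLOC_FREE(sp_ctx) before the return, matching the cleanup on the other failure paths in this file.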
@@ -168,7 +132,7 @@ NTSTATUS spnego_generic_init_client(TALLOC_CTX *mem_ctx,
                return status;
        }
 
-       sp_ctx->mech_ctx.gensec_security = talloc_move(sp_ctx, 
&auth_generic_state->gensec_security);
+       sp_ctx->gensec_security = talloc_move(sp_ctx, 
&auth_generic_state->gensec_security);
        TALLOC_FREE(auth_generic_state);
        *spnego_ctx = sp_ctx;
        return NT_STATUS_OK;
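Review bot: the field moves from sp_ctx->mech_ctx.gensec_security to sp_ctx->gensec_security, which implies the struct spnego_context definition and every other user of the old mech_ctx member change as well; this hunk shows only the assignment site, so the header change and the remaining users (spnego_get_client_auth_token() below among them) must be in the same commit or the tree will not build at this point in the series.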
@@ -179,7 +143,6 @@ NTSTATUS spnego_get_client_auth_token(TALLOC_CTX *mem_ctx,
                                      DATA_BLOB *spnego_in,
                                      DATA_BLOB *spnego_out)


-- 
Samba Shared Repository
