The branch, master has been updated
       via  1ca6fb563b0 lib/replace: make sure krb5_cc_default[_name]() is no 
longer used directly
       via  afcd53b8d09 auth/credentials_krb5: let cli_credentials_set_ccache() 
use smb_force_krb5_cc_default()
       via  a5d46f69d12 auth/credentials_krb5: use system/{gssapi,kerberos}.h
       via  845a2aae6f0 smbspool: let kerberos_ccache_is_valid() use 
smb_force_krb5_cc_default_name()
       via  4514fb5f439 smbspool_krb5_wrapper: let 
kerberos_get_default_ccache() use smb_force_krb5_cc_default_name()
       via  a8da9de9f4a smbspool_krb5_wrapper: remove unused includes
       via  eb6dc35a704 krb5_wrap: let smb_krb5_renew_ticket() use 
smb_force_krb5_cc_default_name()
       via  f850bcfc0b4 krb5_wrap: add smb_force_krb5_cc_default[_name]() 
wrappers
       via  d49de777104 s3:libads: let kerberos_kinit_password_ext() require an 
explicit krb5 ccache
       via  70f9e3a0567 krb5_wrap: let ads_krb5_cli_get_ticket() require an 
explicit krb5 ccache
       via  fc92025ecb2 s3:libads: finally remove unused 
ads_connect[_user_creds]() and related code
       via  25806314dae s3:net: finally remove 
net_context->opt_{user_specified,user_name,password}
       via  a1ab1c8620c s3:net: remove unused net_context->smb_encrypt
       via  9620d2ecc18 s3:net: remove unused net_context->opt_kerberos
       via  2de585a9787 s3:include: remove unused krb5_env.h
       via  eb9ad5cc890 s3:net_ads: remove unused use_in_memory_ccache()
       via  e76fe56fdf6 s3:net_ads: make use of 
ads_connect_{cldap_only,creds}() in ads_startup_int()
       via  d59d957caba s3:libads: let ads_krb5_set_password() require an 
explicit krb5 ccache to operate on
       via  432273dd3ec s3:libads: kerberos_set_password() don't need to kinit 
before ads_krb5_chg_password()
       via  125db2ed815 s3:libads: remove unused kdc_host and time_offset 
arguments to kerberos_set_password()
       via  b641b35b028 s3:libads: remove unused kdc_host and time_offset 
arguments to ads_krb5_chg_password()
       via  3141423feb3 s3:libads: remove krb5_set_real_time() from 
ads_krb5_set_password()
       via  c85c084d69e s3:libads: remove unused kdc_host argument of 
ads_krb5_set_password()
       via  5f32f14ef58 s3:net_ads: require kerberos if we use 
ads_krb5_set_password() in ads_user_add()
       via  1eeeb76e6c5 s3:net_ads: use ADS_SASL_SEAL by default, so that we 
always get encryption
       via  612af29cef1 s3:net_ads: use cli_credentials_get_principal() in 
order to call kerberos functions
       via  55c9a6c0e3a s3:net: remove useless net_prompt_pass() wrapper
       via  d9082129f21 s3:net_rpc: make use of !c->explicit_credentials for 
NET_FLAGS_ANONYMOUS
       via  e690666fd10 s3:net: make use of c->explicit_credentials in order to 
check for valid credentials
       via  be1051f3792 s3:net: add net_context->explicit_credentials to check 
if credentials were passed
       via  a9beae36f0a s3:net: correctly implement --use-ccache as legacy for 
--use-winbind-ccache for 'net'
       via  579195769d6 s3:net_offlinejoin: we don't need to call 
libnetapi_set_use_kerberos() as we already passed cli_credentials
       via  f4f31236c4a s3:libnet_join: pass down cli_credentials 
*admin_credentials to libnet_{Join,Unjoin}Ctx()
       via  c0edd3406b9 s3:lib/netapi: make use of 
ads_simple_creds/libnetapi_get_creds in NetGetJoinableOUs_l
       via  0470cc385d9 s3:lib/netapi: add libnetapi_get_creds()
       via  bd53e20764b libgpo/pygpo: make use of ads_connect_{creds,machine}()
       via  87e7a9488a0 s3:printing: make use of ads_connect_machine()
       via  f9496bfdf4e s3:libads: add ads_connect_machine() helper
       via  353abcb4d3e s3:libads: add ads_simple_creds() helper
       via  c36b0442244 s3:libads: make use of ads_connect_simple_anon() in 
ldap.c where possible
       via  7bfbea4c3c8 s3:libads: add ads_connect_simple_anon() helper
       via  c95a2785e20 lib/addns: rewrite signed dns update code to use gensec 
instead of plain gssapi
       via  5807689f968 s3:utils: let net_update_dns_internal() set status 
before goto done in all cases
       via  28af0829263 s3:winbindd: make use of 
winbindd_get_trust_credentials() in idmap_ad.c
       via  ed75331f525 s3:winbindd: make use of 
winbindd_get_trust_credentials() in _winbind_LogonControl_TC_VERIFY()
       via  16bbb407fa5 s3:winbindd: make use of samba_sockaddr to avoid 
compiler warnings
       via  f903d80769b s3:winbindd: use 
winbindd_get_trust_credentials()/ads_connect_creds() in winbindd_ads.c
       via  8166642e1bd s3:winbindd: make winbindd_get_trust_credentials() 
public
       via  81a6c54fddc s3:libads: add ads_set_reconnect_fn() and only 
reconnect if we can get creds
       via  31e4614ee36 s3:libads: add ads_connect_creds() helper
       via  76e0d348ddd s3:libads: fix compiler warning in ads_mod_ber()
       via  bac243442a6 s3:libads: move ads->auth.time_offset to 
ads->config.time_offset
       via  ea97abd545e s3:libads: we only need to gensec_expire_time()...
       via  ce1ad21ce63 s3:libads: remove unused ads->auth.renewable
       via  fcd47a49660 s3:winbindd: remove useless 'renewable' argument to 
ads_cached_connection_connect()
       via  bb8b7be74a7 s3:libads: let ads_sasl_spnego_bind() really use spnego 
to negotiate krb5/ntlmssp
       via  1474f9c5de3 testprogs/blackbox: add better testnames in 
test_weak_disable_ntlmssp_ldap.sh
       via  cff7656e665 s3:net_ads: make use of ads_connect_cldap_only() and 
ADS_AUTH_GENERATE_KRB5_CONFIG in net_ads_password()
       via  f024063aec9 s3:winbindd: make use of ads_connect_cldap_only() in 
dcip_check_name_ads()
       via  e8250f16240 s3:net_ads: make use of ads_connect_cldap_only() in 
net_ads_check_int()
       via  fdd34b57c41 s3:libsmb: make use of ads_connect_cldap_only()
       via  f34e64baf6c s3:libads: add ads_connect_cldap_only() helper
       via  36748002f01 s3:libads: also avoid ADS_AUTH_GENERATE_KRB5_CONFIG for 
ADS_AUTH_ANON_BIND
       via  9ea1ea16290 s3:libads: add ADS_AUTH_GENERATE_KRB5_CONFIG to 
generate a custom krb5.conf
       via  b3110ec049b s3:libads: split out ads_connect_internal() and call it 
with ads_legacy_creds()
       via  be771670eb3 s3:libads: let ads_sasl_spnego_bind() use 
cli_credentials_get_unparsed_name()
       via  4d42574c542 s3:libads: let ads_sasl_spnego_bind() reset krb5_state 
at the end
       via  f7ab92ea7e0 s3:libads: let ads_sasl_spnego_bind() use 
cli_credentials_get_kerberos_state()
       via  b98f9a341f4 s3:libads: split out ads_legacy_creds()
       via  6f33e46c19f s3:libads: remove unused LIBADS_CCACHE_NAME define
       via  a70c62a78e4 s3:libads: make use of talloc_stackframe() in 
ads_setup_tls_wrapping()
       via  d26e4c6e272 s3:libsmb: remove unused 
cli_session_creds_prepare_krb5()
       via  ef205f6b52e s3:gse: get an explicit ccache_name from creds and 
kinit if required
       via  98ee5ca7e83 s3:gse: Pass down the mech to gse_context_init()
       via  bc2a2399e52 s3:gse: Implement gensec_gse_security_by_oid()
       via  2ec3e59f58b s3:gse: Use smb_gss_mech_import_cred() in 
gse_init_server()
       via  ca90f213a27 lib:krb5_wrap: Implement smb_gss_mech_import_cred()
       via  2fd2d28b8fe s3:libsmb: fix lpcfg_gensec_settings() no memory check 
in auth_generic_client_prepare()
       via  fb7e19826af s3:libsmb: explicitly use the default krb5 ccache in 
cli_session_creds_init() without a password
       via  2dc76cc84c1 s3:ntlm_auth: explicitly include default krb5 ccache if 
no explicit username/password are given
       via  52715b461a8 tests/ntlm_auth: Do not set a client_password
       via  a6b94a690b5 tests/ntlm_auth_krb5: don't test that a krb5ccache work 
with an explicit username
       via  3ea605d8af2 blackbox/test_kinit.sh: verify that --use-krb5-ccache= 
works without KRB5CCNAME
       via  e47f9415b77 s3:libads: don't allow ads_kdestroy(NULL) anymore
       via  4959f932279 s3:winbindd: don't use ads_kdestroy(NULL) in 
winbindd_raw_kerberos_login()
      from  712ffbffc03 s3:libsmb: allow store_cldap_reply() to work with a 
ipv6 response

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1ca6fb563b0bf25b36a2961754d94cc54d3d9292
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat May 11 02:38:21 2024 +0200

    lib/replace: make sure krb5_cc_default[_name]() is no longer used directly
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Tue May 14 11:22:28 UTC 2024 on atb-devel-224

commit afcd53b8d09c8cdba0e23980567920e399ff62f5
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat May 11 02:38:21 2024 +0200

    auth/credentials_krb5: let cli_credentials_set_ccache() use 
smb_force_krb5_cc_default()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit a5d46f69d12dde94caac5a7472157205081f6e0e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat May 11 02:38:21 2024 +0200

    auth/credentials_krb5: use system/{gssapi,kerberos}.h
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 845a2aae6f0d9efc1913e85e91f8f52e92e6b211
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat May 11 02:38:21 2024 +0200

    smbspool: let kerberos_ccache_is_valid() use 
smb_force_krb5_cc_default_name()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 4514fb5f43988f080e55a3a9278dfce75876d475
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat May 11 02:38:21 2024 +0200

    smbspool_krb5_wrapper: let kerberos_get_default_ccache() use 
smb_force_krb5_cc_default_name()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit a8da9de9f4ac37b6bb9fb95aa8b2767251188cbb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat May 11 02:38:21 2024 +0200

    smbspool_krb5_wrapper: remove unused includes
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit eb6dc35a704dec309acd45af8781402b875feeaa
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat May 11 02:38:21 2024 +0200

    krb5_wrap: let smb_krb5_renew_ticket() use smb_force_krb5_cc_default_name()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit f850bcfc0b42302e39b35faa64ad9743b736745e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat May 11 02:38:21 2024 +0200

    krb5_wrap: add smb_force_krb5_cc_default[_name]() wrappers
    
    If we touch the global krb5_ccache we want to make that explicit,
    so calling krb5_cc_default[_name] will result in an error during
    the next patches.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit d49de777104fb491f8cca837791dea7bed1c572b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Mar 11 17:46:45 2024 +0100

    s3:libads: let kerberos_kinit_password_ext() require an explicit krb5 ccache
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 70f9e3a0567af3c4f1a62eb2df56c6bcc1132599
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Mar 11 17:46:45 2024 +0100

    krb5_wrap: let ads_krb5_cli_get_ticket() require an explicit krb5 ccache
    
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit fc92025ecb2c43305bde43f0c2a9856abed654c4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Mar 5 17:55:14 2024 +0100

    s3:libads: finally remove unused ads_connect[_user_creds]() and related code
    
    That was a long way, but now we're cli_credentials/gensec only :-)
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 25806314daef8d2958b63bc429c9973c2755a865
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 14:56:45 2024 +0100

    s3:net: finally remove net_context->opt_{user_specified,user_name,password}
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit a1ab1c8620c907a6cced8d1d1cd9686746b59717
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 13:50:39 2024 +0100

    s3:net: remove unused net_context->smb_encrypt
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 9620d2ecc188799798fbef31b6934b861f3bbe33
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 13:44:53 2024 +0100

    s3:net: remove unused net_context->opt_kerberos
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 2de585a97870306ec7ce4e1effabd2d47ed07ec7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 13:27:06 2024 +0100

    s3:include: remove unused krb5_env.h
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit eb9ad5cc8902678b399a777138f3b92c4d949874
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 12:08:00 2024 +0100

    s3:net_ads: remove unused use_in_memory_ccache()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit e76fe56fdf649b370fb4d280ca64f66bc36b2b07
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 29 14:07:05 2024 +0100

    s3:net_ads: make use of ads_connect_{cldap_only,creds}() in 
ads_startup_int()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit d59d957caba354d771445661fc297995880cb47a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Mar 11 17:45:43 2024 +0100

    s3:libads: let ads_krb5_set_password() require an explicit krb5 ccache to 
operate on
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 432273dd3ec94ecc695002ab51f99f38048c3902
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Mar 11 17:45:43 2024 +0100

    s3:libads: kerberos_set_password() don't need to kinit before 
ads_krb5_chg_password()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 125db2ed8158ced630c02860a40a1199c74a0381
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Mar 11 17:45:43 2024 +0100

    s3:libads: remove unused kdc_host and time_offset arguments to 
kerberos_set_password()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit b641b35b028e6986dbff6667fd5198393f50aef2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Mar 11 17:45:43 2024 +0100

    s3:libads: remove unused kdc_host and time_offset arguments to 
ads_krb5_chg_password()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 3141423feb3d027da29ba0c84c6ed90ff48db961
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Mar 11 17:45:43 2024 +0100

    s3:libads: remove krb5_set_real_time() from ads_krb5_set_password()
    
    Callers typically only pass in 0 anyway.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit c85c084d69e4d5048b6d9a79d2b806bd4f022d73
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Mar 11 17:45:43 2024 +0100

    s3:libads: remove unused kdc_host argument of ads_krb5_set_password()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 5f32f14ef58df1e43df87acb952a367cbab9122d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Mar 11 17:45:43 2024 +0100

    s3:net_ads: require kerberos if we use ads_krb5_set_password() in 
ads_user_add()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 1eeeb76e6c5e76f69ed90274721de8fe94014a02
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Mar 11 17:45:43 2024 +0100

    s3:net_ads: use ADS_SASL_SEAL by default, so that we always get encryption
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 612af29cef19b6b3722aa94adff34542ac519236
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 14:55:09 2024 +0100

    s3:net_ads: use cli_credentials_get_principal() in order to call kerberos 
functions
    
    This is better than the value from cli_credentials_get_username()...
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 55c9a6c0e3a403ac38f018fcf3b003e39c3c79f3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 14:54:18 2024 +0100

    s3:net: remove useless net_prompt_pass() wrapper
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit d9082129f21e5b6f7cc5c2011336a952da84441e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 13:43:13 2024 +0100

    s3:net_rpc: make use of !c->explicit_credentials for NET_FLAGS_ANONYMOUS
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit e690666fd108667595caf6f062b6665fb8aa604d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 14:47:06 2024 +0100

    s3:net: make use of c->explicit_credentials in order to check for valid 
credentials
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit be1051f3792689209496c8039658b02b6ebdf53d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 14:40:10 2024 +0100

    s3:net: add net_context->explicit_credentials to check if credentials were 
passed
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit a9beae36f0a41cd912a8238f9e3563638cbadc9d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 13:50:39 2024 +0100

    s3:net: correctly implement --use-ccache as legacy for --use-winbind-ccache 
for 'net'
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 579195769d6d8a39921b6622bc76ac1be0418d46
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 13:41:51 2024 +0100

    s3:net_offlinejoin: we don't need to call libnetapi_set_use_kerberos() as 
we already passed cli_credentials
    
    c->opt_kerberos is derived from c->creds...
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit f4f31236c4aac21e4e6e96fd507ea3ba1b6d3fef
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 28 17:59:00 2022 +0200

    s3:libnet_join: pass down cli_credentials *admin_credentials to 
libnet_{Join,Unjoin}Ctx()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit c0edd3406b9a0db65a77dd17ca9ab6ad28c09728
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Mar 5 17:40:48 2024 +0100

    s3:lib/netapi: make use of ads_simple_creds/libnetapi_get_creds in 
NetGetJoinableOUs_l
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 0470cc385d935d6898afd6cf993fef3b9881f8ac
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Mar 5 17:38:25 2024 +0100

    s3:lib/netapi: add libnetapi_get_creds()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit bd53e20764bc87cc4c3681106927a3629c3dc257
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Mar 5 17:21:02 2024 +0100

    libgpo/pygpo: make use of ads_connect_{creds,machine}()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 87e7a9488a0a132847b25a40ac1fa7752b248502
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 28 18:58:27 2022 +0200

    s3:printing: make use of ads_connect_machine()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit f9496bfdf4e62fb1707e8fc6520439757978da6e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 28 18:53:03 2022 +0200

    s3:libads: add ads_connect_machine() helper
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 353abcb4d3eb7952997abfa6f8196c673ab7ac9b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 28 17:51:57 2022 +0200

    s3:libads: add ads_simple_creds() helper
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit c36b044224494b0f4ea59cf146073ba42cc10767
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 28 18:43:00 2022 +0200

    s3:libads: make use of ads_connect_simple_anon() in ldap.c where possible
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 7bfbea4c3c8f71dceedcc017153dcf31ab223b59
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 28 18:38:17 2022 +0200

    s3:libads: add ads_connect_simple_anon() helper
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit c95a2785e209cbd0fcec5f6a553a95e12ff19fa1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 12:03:05 2024 +0100

    lib/addns: rewrite signed dns update code to use gensec instead of plain 
gssapi
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 5807689f96889e1ce886d253bf2e4c478c554ce2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat May 11 02:38:21 2024 +0200

    s3:utils: let net_update_dns_internal() set status before goto done in all 
cases
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 28af08292635d1eecbf6e020957b03bb5f57b199
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 27 09:59:09 2024 +0100

    s3:winbindd: make use of winbindd_get_trust_credentials() in idmap_ad.c
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ed75331f525b7e7cb71bab88aa08832c2716a610
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 27 09:53:04 2024 +0100

    s3:winbindd: make use of winbindd_get_trust_credentials() in 
_winbind_LogonControl_TC_VERIFY()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 16bbb407fa512bbab7edab6b0ba4d9063996b35e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 27 09:44:54 2024 +0100

    s3:winbindd: make use of samba_sockaddr to avoid compiler warnings
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit f903d80769be8893c08c020f24d0d63040d51027
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 27 09:44:19 2024 +0100

    s3:winbindd: use winbindd_get_trust_credentials()/ads_connect_creds() in 
winbindd_ads.c
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 8166642e1bd4c9bfdae266e9be445f605dc9fb85
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 27 09:23:17 2024 +0100

    s3:winbindd: make winbindd_get_trust_credentials() public
    
    We'll use it outside of winbindd_cm.c soon.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 81a6c54fddc7b1d783d8c1c9a1b4607e5e055bff
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Mar 6 10:13:11 2024 +0100

    s3:libads: add ads_set_reconnect_fn() and only reconnect if we can get creds
    
    This reconnect is only useful for long running connections (e.g. in 
winbindd)
    and there we'll make use of it...
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 31e4614ee3636eb5d835435dfe68379b0bee382e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 27 13:11:26 2022 +0200

    s3:libads: add ads_connect_creds() helper
    
    In future ads_connect_creds() will be used by callers directly instead
    of using ads_connect().
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 76e0d348dddd08d05a53911601c2aa499056cf34
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Feb 26 21:02:08 2024 +0100

    s3:libads: fix compiler warning in ads_mod_ber()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit bac243442a6ce812a4dcce0168b7d6d9ba0a17fc
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 27 13:49:08 2024 +0100

    s3:libads: move ads->auth.time_offset to ads->config.time_offset
    
    There's no reason to pass the LDAP servers time to the kerberos
    libraries, as we may talk to a KDC different than the LDAP server!
    
    Also Heimdal handles AS-REQ with KRB5KRB_AP_ERR_SKEW fine and
    retries with the time from the krb-error.
    MIT records the time from the KDC_ERR_PREAUTH_REQUIRED response
    in order to use the KDCs time.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ea97abd545ec13a161b7082cae10f0012f11e8e6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 27 13:03:46 2024 +0100

    s3:libads: we only need to gensec_expire_time()...
    
    The lifetime of a service ticket is never longer than
    the lifetime of the TGT...
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ce1ad21ce638792d815c04819e9b479273cdb729
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 27 12:52:14 2024 +0100

    s3:libads: remove unused ads->auth.renewable
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit fcd47a49660de8dcfca5516c9457fdd851c85c56
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Mar 5 13:22:37 2024 +0100

    s3:winbindd: remove useless 'renewable' argument to 
ads_cached_connection_connect()
    
    There's really no need to get a renewable ticket for an ldap connection,
    we currently always do a kinit for each connection anyway.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit bb8b7be74a79defbd0955ac6d73dd1e65a75389f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 29 14:50:31 2024 +0100

    s3:libads: let ads_sasl_spnego_bind() really use spnego to negotiate 
krb5/ntlmssp
    
    For now we still do the ads_kinit_password() in ads_legacy_creds()
    for callers that rely on the global krb5ccache to be filled.
    
    E.g. the dns update code and the kpasswd code.
    
    But at least ads_connect_internal() and ads_sasl_spnego_bind()
    will allow to do the kinit in the gensec layer only if needed...
    
    We'll remove ads_legacy_creds() during the following commits.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 1474f9c5de3a0ca0a91596694b73aa19832ae3eb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Mar 13 16:53:44 2024 +0100

    testprogs/blackbox: add better testnames in 
test_weak_disable_ntlmssp_ldap.sh
    
    This makes it easier to adjust the expected output when it changes in
    the next commits.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit cff7656e665c3e581c3f316a904d4d5bf58bac66
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 29 14:08:55 2024 +0100

    s3:net_ads: make use of ads_connect_cldap_only() and 
ADS_AUTH_GENERATE_KRB5_CONFIG in net_ads_password()
    
    We don't need a real ldap connection here.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit f024063aec9be8362c2651108c5ce0d933994ecf
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Mar 5 17:48:34 2024 +0100

    s3:winbindd: make use of ads_connect_cldap_only() in dcip_check_name_ads()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit e8250f16240451ed584b329a3887ec6e94deced5
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Mar 5 17:47:37 2024 +0100

    s3:net_ads: make use of ads_connect_cldap_only() in net_ads_check_int()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit fdd34b57c41908b5727cdd916eb4ed4fbf34470a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Mar 5 17:46:10 2024 +0100

    s3:libsmb: make use of ads_connect_cldap_only()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit f34e64baf6c1a496643d788d1f25aabc7fd47074
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Mar 5 17:45:35 2024 +0100

    s3:libads: add ads_connect_cldap_only() helper
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 36748002f011c418ab061fb77c945f17fbe6be47
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 09:56:00 2024 +0100

    s3:libads: also avoid ADS_AUTH_GENERATE_KRB5_CONFIG for ADS_AUTH_ANON_BIND
    
    For anonymous binds we don't need a krb5.conf.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 9ea1ea16290016a1c390c7e30f6a3a1613dac735
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 09:56:00 2024 +0100

    s3:libads: add ADS_AUTH_GENERATE_KRB5_CONFIG to generate a custom krb5.conf
    
    That's better than using !ADS_AUTH_NO_BIND. And it allows callers
    to be more flexible in future.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit b3110ec049bae7c97aa0f642773fe0deb56f8e14
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 27 13:11:26 2022 +0200

    s3:libads: split out ads_connect_internal() and call it with 
ads_legacy_creds()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit be771670eb331de55cab2e51d2de98d4edac9435
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 27 12:45:04 2022 +0200

    s3:libads: let ads_sasl_spnego_bind() use 
cli_credentials_get_unparsed_name()
    
    We should only operate on the creds structure and
    avoid using ads->auth.{user_name,realm}.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 4d42574c54210022bec7e765739f5495b285145a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 27 13:39:11 2022 +0200

    s3:libads: let ads_sasl_spnego_bind() reset krb5_state at the end
    
    In future we'll pass in creds from the caller, so we better
    restore the original krb5_state at the end of ads_sasl_spnego_bind().
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit f7ab92ea7e01a89d7d9ede115c576fb221374d6a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 27 12:32:30 2022 +0200

    s3:libads: let ads_sasl_spnego_bind() use 
cli_credentials_get_kerberos_state()
    
    We should only operate on the creds structure and avoid ads->auth.flags
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit b98f9a341f41ccfaf47c3cb8578e71eed96bb2a2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Apr 25 18:08:33 2022 +0200

    s3:libads: split out ads_legacy_creds()
    
    This is just a temporary change until the highlevel caller
    will pass in a cli_credentials structure and we'll get rid of
    ads->auth.{user_name,realm,password}.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 6f33e46c19f5d0e9513d8f7aa1d170ab57418585
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 28 17:31:23 2024 +0100

    s3:libads: remove unused LIBADS_CCACHE_NAME define
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit a70c62a78e4eaab5e5a7558a15f0d1acc688f196
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 24 09:59:53 2024 +0200

    s3:libads: make use of talloc_stackframe() in ads_setup_tls_wrapping()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit d26e4c6e2728bd786cb4091242c8c8ebc1556f75
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 29 14:27:36 2024 +0100

    s3:libsmb: remove unused cli_session_creds_prepare_krb5()
    
    Kinit will be done within gensec if required.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ef205f6b52ea1fec13e647e15e4f3edf536fd93e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 14 15:23:13 2022 +0200

    s3:gse: get an explicit ccache_name from creds and kinit if required
    
    This means we may call kinit multiple times for now,
    but we'll remove the kinit from the callers soon.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 98ee5ca7e8399b865b8e94feceaed61be703061f
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Apr 26 10:49:33 2024 +0200

    s3:gse: Pass down the mech to gse_context_init()
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit bc2a2399e5202a03087500056db3c575eda69a27
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Apr 25 15:51:40 2024 +0200

    s3:gse: Implement gensec_gse_security_by_oid()
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 2ec3e59f58b768f7c0c462a0d0e51a0f8fed1962
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Apr 26 10:54:47 2024 +0200

    s3:gse: Use smb_gss_mech_import_cred() in gse_init_server()
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit ca90f213a27743b7b715146c59f9287506e2da70
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Apr 26 10:40:13 2024 +0200

    lib:krb5_wrap: Implement smb_gss_mech_import_cred()
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 2fd2d28b8fea0611bd21862a3eff29633b0c781d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Mar 12 11:51:25 2024 +0100

    s3:libsmb: fix lpcfg_gensec_settings() no memory check in 
auth_generic_client_prepare()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit fb7e19826afab4fce33769eb7aef16a1c650b23a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Mar 6 23:05:00 2024 +0100

    s3:libsmb: explicitly use the default krb5 ccache in 
cli_session_creds_init() without a password
    
    This happened implicitly as the gse_krb5 module always used the default
    krb5 ccache, but that will change soon.
    
    If kerberos is requested without a fallback to ntlm AND
    the caller doesn't provide a password we'll use the
    default ccache. This will keep the following tests
    happy once the gse_krb5 module changes the behavior:
    
     samba3.blackbox.krbsmbspool
     samba3.blackbox.smbget
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 2dc76cc84c1d2edde7eea3d39412e3b41b631137
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Mar 6 21:55:24 2024 +0100

    s3:ntlm_auth: explicitly include default krb5 ccache if no explicit 
username/password are given
    
    Before this silently happened because the gse_krb5 module just used the
    default ccache, but that will change soon.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 52715b461a8be25af7d24f87f9a3b78421ff1424
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Mar 13 10:49:55 2024 +0100

    tests/ntlm_auth: Do not set a client_password
    
    This fixes test_ntlmssp_gss_spnego_cached_creds
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit a6b94a690b59fa7a3106f19d76eb37b8f0bab9f0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 7 17:59:02 2024 +0100

    tests/ntlm_auth_krb5: don't test that a krb5ccache work with an explicit 
username
    
    This test is useless and won't work anymore in future.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 3ea605d8af2a06b719f8d59cc73f3fb612284219
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Mar 8 12:57:06 2024 +0100

    blackbox/test_kinit.sh: verify that --use-krb5-ccache= works without 
KRB5CCNAME
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit e47f9415b77cf9f7290379a531a4d371b6f3aeda
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat May 11 02:38:21 2024 +0200

    s3:libads: don't allow ads_kdestroy(NULL) anymore
    
    This should not happen, if we ever need that behaviour
    we should add an ads_kdestroy_default() helper.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 4959f932279105e1de7c0bdf11ea503e1967a341
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 14 09:02:07 2024 +0200

    s3:winbindd: don't use ads_kdestroy(NULL) in winbindd_raw_kerberos_login()
    
    This fixes a problem introduced in the commit:
    
    commit e6c693b705686a590d2fa8f434ff015d8926a349
    Author: Stefan Metzmacher <me...@samba.org>
    Date:   Wed Feb 28 17:28:43 2024 +0100
    
        s3:winbindd: pass a NULL ccache to kerberos_return_pac() for a MEMORY 
ccache
    
        It means kerberos_return_pac() will use smb_krb5_cc_new_unique_memory().
    
        ...
    
    Before that commit cc was never NULL as generate_krb5_ccache()
    returned "MEMORY:winbindd_pam_ccache" as fallback.
    
    So we called ads_kdestroy("MEMORY:winbindd_pam_ccache").
    
    Now we have cc == NULL if user_ccache_file == NULL.
    
    and kerberos_return_pac() uses smb_krb5_cc_new_unique_memory()
    and krb5_cc_destroy() internally.
    
    It means that unless user_ccache_file != NULL we should not
    call ads_kdestroy(cc), as cc is NULL and that means we would destroy
    any global default krb5 ccache.
    
    Review with: git show -U25
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials_krb5.c                |   6 +-
 auth/credentials/credentials_krb5.h                |   5 +-
 lib/addns/dns.h                                    |  18 +-
 lib/addns/dnsgss.c                                 | 240 +++++------------
 lib/addns/wscript_build                            |   2 +-
 lib/krb5_wrap/gss_samba.c                          |  29 +-
 lib/krb5_wrap/gss_samba.h                          |   8 +
 lib/krb5_wrap/krb5_samba.c                         |  45 +++-
 lib/krb5_wrap/krb5_samba.h                         |  11 +
 lib/replace/system/kerberos.h                      |   3 +
 libgpo/pygpo.c                                     |  75 +-----
 python/samba/tests/ntlm_auth.py                    |   2 +-
 python/samba/tests/ntlm_auth_base.py               |  18 +-
 python/samba/tests/ntlm_auth_krb5.py               |   8 +-
 source3/auth/auth_generic.c                        |   3 +-
 source3/client/smbspool.c                          |   2 +-
 source3/client/smbspool_krb5_wrapper.c             |   7 +-
 source3/include/ads.h                              |  11 +
 source3/include/krb5_env.h                         |  26 --
 source3/lib/netapi/joindomain.c                    | 124 ++++-----
 source3/lib/netapi/netapi.c                        |  24 +-
 source3/lib/netapi/netapi.h                        |   2 +
 source3/libads/ads_ldap_protos.h                   |   6 +
 source3/libads/ads_proto.h                         |  17 +-
 source3/libads/ads_struct.c                        |   7 +
 source3/libads/authdata.c                          |   2 +-
 source3/libads/kerberos.c                          |  46 ++--
 source3/libads/kerberos_proto.h                    |  13 +-
 source3/libads/kerberos_util.c                     |  80 ------
 source3/libads/krb5_setpw.c                        | 103 ++++++--
 source3/libads/ldap.c                              | 153 ++++++++---
 source3/libads/ldap_utils.c                        |  52 +++-
 source3/libads/sasl.c                              | 185 ++++++-------
 source3/libads/tls_wrapping.c                      |   9 +-
 source3/libads/util.c                              |   5 +-
 source3/libnet/libnet_join.c                       | 261 ++++--------------
 source3/libnet/libnet_join.h                       |   2 +-
 source3/librpc/crypto/gse.c                        | 294 ++++++++++++++++++++-
 source3/librpc/crypto/gse.h                        |   3 +-
 source3/librpc/idl/ads.idl                         |  17 +-
 source3/librpc/idl/libnet_join.idl                 |  16 +-
 source3/libsmb/auth_generic.c                      |   4 +-
 source3/libsmb/cliconnect.c                        | 177 ++-----------
 source3/libsmb/namequery_dc.c                      |   3 +-
 source3/printing/nt_printing_ads.c                 |  80 +-----
 source3/rpc_server/wkssvc/srv_wkssvc_nt.c          |  28 +-
 source3/utils/net.c                                |  38 +--
 source3/utils/net.h                                |   8 +-
 source3/utils/net_ads.c                            | 220 ++++++---------
 source3/utils/net_ads_join_dns.c                   |  96 +++----
 source3/utils/net_dns.c                            |  94 ++++++-
 source3/utils/net_dns.h                            |   3 +
 source3/utils/net_offlinejoin.c                    |   4 -
 source3/utils/net_proto.h                          |   6 +-
 source3/utils/net_rpc.c                            |  17 +-
 source3/utils/net_util.c                           |  23 +-
 source3/utils/ntlm_auth.c                          |  24 +-
 source3/utils/py_net.c                             |  14 +-
 source3/winbindd/idmap_ad.c                        |  20 +-
 source3/winbindd/winbindd.c                        |   9 +-
 source3/winbindd/winbindd_ads.c                    | 194 ++++----------
 source3/winbindd/winbindd_cm.c                     |  46 +++-
 source3/winbindd/winbindd_dual_srv.c               |  18 +-
 source3/winbindd/winbindd_pam.c                    |  32 +--
 source3/winbindd/winbindd_proto.h                  |   7 +
 source3/wscript_build                              |   1 -
 testprogs/blackbox/test_kinit.sh                   | 101 ++++---
 .../blackbox/test_weak_disable_ntlmssp_ldap.sh     |  11 +-
 68 files changed, 1547 insertions(+), 1671 deletions(-)
 delete mode 100644 source3/include/krb5_env.h
 delete mode 100644 source3/libads/kerberos_util.c


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_krb5.c 
b/auth/credentials/credentials_krb5.c
index 49077db23b3..ce76b10361d 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -323,7 +323,11 @@ _PUBLIC_ int cli_credentials_set_ccache(struct 
cli_credentials *cred,
                        return ret;
                }
        } else {
-               ret = krb5_cc_default(ccc->smb_krb5_context->krb5_context, 
&ccc->ccache);
+               /*
+                * This is where the caller really wants to use
+                * the default krb5 ccache.
+                */
+               ret = 
smb_force_krb5_cc_default(ccc->smb_krb5_context->krb5_context, &ccc->ccache);
                if (ret) {
                        (*error_string) = talloc_asprintf(cred, "failed to read 
default krb5 ccache: %s\n",
                                                          
smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context,
diff --git a/auth/credentials/credentials_krb5.h 
b/auth/credentials/credentials_krb5.h
index e454de36240..a9c049c58da 100644
--- a/auth/credentials/credentials_krb5.h
+++ b/auth/credentials/credentials_krb5.h
@@ -23,9 +23,8 @@
 #ifndef __CREDENTIALS_KRB5_H__
 #define __CREDENTIALS_KRB5_H__
 
-#include <gssapi/gssapi.h>
-#include <gssapi/gssapi_krb5.h>
-#include <krb5.h>
+#include "system/gssapi.h"
+#include "system/kerberos.h"
 
 struct gssapi_creds_container {
        gss_cred_id_t creds;
diff --git a/lib/addns/dns.h b/lib/addns/dns.h
index 2c311e72a00..abf0906fdab 100644
--- a/lib/addns/dns.h
+++ b/lib/addns/dns.h
@@ -347,20 +347,16 @@ const char *dns_errstr(DNS_ERROR err);
 
 /* from dnsgss.c */
 
-#ifdef HAVE_GSSAPI
-
-void display_status( const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat 
); 
-DNS_ERROR dns_negotiate_sec_ctx( const char *target_realm,
-                                const char *servername,
-                                const char *keyname,
-                                gss_ctx_id_t *gss_ctx,
-                                enum dns_ServerType srv_type );
+struct gensec_security;
+
+DNS_ERROR dns_negotiate_sec_ctx(const char *servername,
+                               const char *keyname,
+                               struct gensec_security *gensec,
+                               enum dns_ServerType srv_type);
 DNS_ERROR dns_sign_update(struct dns_update_request *req,
-                         gss_ctx_id_t gss_ctx,
+                         struct gensec_security *gensec,
                          const char *keyname,
                          const char *algorithmname,
                          time_t time_signed, uint16_t fudge);
 
-#endif /* HAVE_GSSAPI */
-
 #endif /* _DNS_H */
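Review bot: The new prototypes swap the gss_ctx_id_t parameters for a `struct gensec_security *` but say nothing about what state the caller must hand in, and the two functions expect different states: dns_negotiate_sec_ctx drives the context through gensec_update until completion, while dns_sign_update only calls gensec_sign_packet on it. Suggest a comment above dns_negotiate_sec_ctx such as `/* Run the TKEY exchange with servername over TCP; gensec must be a prepared, not yet started client context and is left established on success. */` and above dns_sign_update `/* Append a TSIG record to req, signed with the established gensec context. */`.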
diff --git a/lib/addns/dnsgss.c b/lib/addns/dnsgss.c
index a315b804df4..8800ac24c8a 100644
--- a/lib/addns/dnsgss.c
+++ b/lib/addns/dnsgss.c
@@ -22,110 +22,51 @@
   License along with this library; if not, see <http://www.gnu.org/licenses/>.
 */
 
-#include "dns.h"
-#include <ctype.h>
-
-
-#ifdef HAVE_GSSAPI
-
-/*********************************************************************
-*********************************************************************/
-
-#ifndef HAVE_STRUPR
-static int strupr( char *szDomainName )
-{
-       if ( !szDomainName ) {
-               return ( 0 );
-       }
-       while ( *szDomainName != '\0' ) {
-               *szDomainName = toupper( *szDomainName );
-               szDomainName++;
-       }
-       return ( 0 );
-}
-#endif
-
-#if 0
-/*********************************************************************
-*********************************************************************/
-
-static void display_status_1( const char *m, OM_uint32 code, int type )
-{
-       OM_uint32 maj_stat, min_stat;
-       gss_buffer_desc msg;
-       OM_uint32 msg_ctx;
-
-       msg_ctx = 0;
-       while ( 1 ) {
-               maj_stat = gss_display_status( &min_stat, code,
-                                              type, GSS_C_NULL_OID,
-                                              &msg_ctx, &msg );
-               fprintf( stdout, "GSS-API error %s: %s\n", m,
-                        ( char * ) msg.value );
-               ( void ) gss_release_buffer( &min_stat, &msg );
-
-               if ( !msg_ctx )
-                       break;
-       }
-}
+#include "replace.h"
+#include <talloc.h>
+#include "lib/util/talloc_stack.h"
+#include "lib/util/data_blob.h"
+#include "lib/util/time.h"
+#include "lib/util/charset/charset.h"
+#include "libcli/util/ntstatus.h"
+#include "auth/gensec/gensec.h"
 
-/*********************************************************************
-*********************************************************************/
+#include "dns.h"
 
-void display_status( const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat )
-{
-       display_status_1( msg, maj_stat, GSS_C_GSS_CODE );
-       display_status_1( msg, min_stat, GSS_C_MECH_CODE );
-}
-#endif
-
-static DNS_ERROR dns_negotiate_gss_ctx_int( TALLOC_CTX *mem_ctx,
-                                           struct dns_connection *conn,
-                                           const char *keyname,
-                                           const gss_name_t target_name,
-                                           gss_ctx_id_t *ctx, 
-                                           enum dns_ServerType srv_type )
+static DNS_ERROR dns_negotiate_gss_ctx_int(struct dns_connection *conn,
+                                          const char *keyname,
+                                          struct gensec_security *gensec,
+                                          enum dns_ServerType srv_type)
 {
-       struct gss_buffer_desc_struct input_desc, *input_ptr, output_desc;
-       OM_uint32 major, minor;
-       OM_uint32 ret_flags;
+       TALLOC_CTX *frame = talloc_stackframe();
        struct dns_request *req = NULL;
        struct dns_buffer *buf = NULL;
+       DATA_BLOB in = { .length = 0, };
+       DATA_BLOB out = { .length = 0, };
+       NTSTATUS status;
        DNS_ERROR err;
 
-       gss_OID_desc krb5_oid_desc =
-               { 9, discard_const("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") };
-
-       *ctx = GSS_C_NO_CONTEXT;
-       input_ptr = NULL;
-
        do {
-               major = gss_init_sec_context(
-                       &minor, NULL, ctx, target_name, &krb5_oid_desc,
-                       GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
-                       GSS_C_CONF_FLAG |
-                       GSS_C_INTEG_FLAG,
-                       0, NULL, input_ptr, NULL, &output_desc,
-                       &ret_flags, NULL );
-
-               if (input_ptr != NULL) {
-                       TALLOC_FREE(input_desc.value);
+               status = gensec_update(gensec, frame, in, &out);
+               data_blob_free(&in);
+               if (GENSEC_UPDATE_IS_NTERROR(status)) {
+                       err = ERROR_DNS_GSS_ERROR;
+                       goto error;
                }
 
-               if (output_desc.length != 0) {
-
+               if (out.length != 0) {
                        struct dns_rrec *rec;
 
                        time_t t = time(NULL);
 
-                       err = dns_create_query(mem_ctx, keyname, QTYPE_TKEY,
+                       err = dns_create_query(frame, keyname, QTYPE_TKEY,
                                               DNS_CLASS_IN, &req);
                        if (!ERR_DNS_IS_OK(err)) goto error;
 
                        err = dns_create_tkey_record(
                                req, keyname, "gss.microsoft.com", t,
                                t + 86400, DNS_TKEY_MODE_GSSAPI, 0,
-                               output_desc.length, (uint8_t 
*)output_desc.value,
+                               out.length, out.data,
                                &rec );
                        if (!ERR_DNS_IS_OK(err)) goto error;
 
@@ -143,7 +84,7 @@ static DNS_ERROR dns_negotiate_gss_ctx_int( TALLOC_CTX 
*mem_ctx,
                        
                        if (!ERR_DNS_IS_OK(err)) goto error;
 
-                       err = dns_marshall_request(mem_ctx, req, &buf);
+                       err = dns_marshall_request(frame, req, &buf);
                        if (!ERR_DNS_IS_OK(err)) goto error;
 
                        err = dns_send(conn, buf);
@@ -151,24 +92,21 @@ static DNS_ERROR dns_negotiate_gss_ctx_int( TALLOC_CTX 
*mem_ctx,
 
                        TALLOC_FREE(buf);
                        TALLOC_FREE(req);
-               }
-
-               gss_release_buffer(&minor, &output_desc);
 
-               if ((major != GSS_S_COMPLETE) &&
-                   (major != GSS_S_CONTINUE_NEEDED)) {
-                       return ERROR_DNS_GSS_ERROR;
+                       err = dns_receive(frame, conn, &buf);
+                       if (!ERR_DNS_IS_OK(err)) goto error;
                }
 
-               if (major == GSS_S_CONTINUE_NEEDED) {
-
+               if (NT_STATUS_EQUAL(status, 
NT_STATUS_MORE_PROCESSING_REQUIRED)) {
                        struct dns_request *resp;
                        struct dns_tkey_record *tkey;
                        struct dns_rrec *tkey_answer = NULL;
                        uint16_t i;
 
-                       err = dns_receive(mem_ctx, conn, &buf);
-                       if (!ERR_DNS_IS_OK(err)) goto error;
+                       if (buf == NULL) {
+                               err = ERROR_DNS_BAD_RESPONSE;
+                               goto error;
+                       }
 
                        err = dns_unmarshall_request(buf, buf, &resp);
                        if (!ERR_DNS_IS_OK(err)) goto error;
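Review bot: When gensec_update returns NT_STATUS_OK together with a non-empty `out` token, the new code sends that final TKEY query and now also reads the reply through dns_receive, but the reply is never looked at: only the NT_STATUS_MORE_PROCESSING_REQUIRED branch unmarshalls the response and searches for a TKEY answer. A server that rejects the last token (non-zero rcode, or no TKEY answer) is therefore presumably not distinguishable from success, and the caller goes on to dns_sign_update with a context the server never established. Consider unmarshalling the response and checking its rcode on the completion path too, or add a comment explaining why the final reply is intentionally ignored. The enclosing do/while body starts and ends outside this hunk.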
@@ -191,18 +129,15 @@ static DNS_ERROR dns_negotiate_gss_ctx_int( TALLOC_CTX 
*mem_ctx,
                        }
 
                        err = dns_unmarshall_tkey_record(
-                               mem_ctx, resp->answers[0], &tkey);
+                               frame, resp->answers[0], &tkey);
                        if (!ERR_DNS_IS_OK(err)) goto error;
 
-                       input_desc.length = tkey->key_length;
-                       input_desc.value = talloc_move(mem_ctx, &tkey->key);
-
-                       input_ptr = &input_desc;
+                       in = data_blob_const(tkey->key, tkey->key_length);
 
                        TALLOC_FREE(buf);
                }
 
-       } while ( major == GSS_S_CONTINUE_NEEDED );
+       } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED));
 
        /* If we arrive here, we have a valid security context */
 
@@ -210,94 +145,54 @@ static DNS_ERROR dns_negotiate_gss_ctx_int( TALLOC_CTX 
*mem_ctx,
 
       error:
 
-       TALLOC_FREE(buf);
-       TALLOC_FREE(req);
+       TALLOC_FREE(frame);
        return err;
 }
 
-DNS_ERROR dns_negotiate_sec_ctx( const char *target_realm,
-                                const char *servername,
-                                const char *keyname,
-                                gss_ctx_id_t *gss_ctx,
-                                enum dns_ServerType srv_type )
+DNS_ERROR dns_negotiate_sec_ctx(const char *servername,
+                               const char *keyname,
+                               struct gensec_security *gensec,
+                               enum dns_ServerType srv_type)
 {
-       OM_uint32 major, minor;
-
-       char *upcaserealm, *targetname;
+       TALLOC_CTX *frame = talloc_stackframe();
        DNS_ERROR err;
+       struct dns_connection *conn = NULL;
 
-       gss_buffer_desc input_name;
-       struct dns_connection *conn;
-
-       gss_name_t targ_name;
-
-       gss_OID_desc nt_host_oid_desc =
-               {10, discard_const("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01")};
-
-       TALLOC_CTX *mem_ctx;
-
-       if (!(mem_ctx = talloc_init("dns_negotiate_sec_ctx"))) {
-               return ERROR_DNS_NO_MEMORY;
-       }
-
-       err = dns_open_connection( servername, DNS_TCP, mem_ctx, &conn );
+       err = dns_open_connection( servername, DNS_TCP, frame, &conn );
        if (!ERR_DNS_IS_OK(err)) goto error;
 
-       if (!(upcaserealm = talloc_strdup(mem_ctx, target_realm))) {
-               err = ERROR_DNS_NO_MEMORY;
-               goto error;
-       }
-
-       strupr(upcaserealm);
-
-       if (!(targetname = talloc_asprintf(mem_ctx, "dns/%s@%s",
-                                          servername, upcaserealm))) {
-               err = ERROR_DNS_NO_MEMORY;
-               goto error;
-       }
-
-       input_name.value = targetname;
-       input_name.length = strlen(targetname);
-
-       major = gss_import_name( &minor, &input_name,
-                                &nt_host_oid_desc, &targ_name );
-
-       if (major) {
-               err = ERROR_DNS_GSS_ERROR;
-               goto error;
-       }
-
-       err = dns_negotiate_gss_ctx_int(mem_ctx, conn, keyname, 
-                                       targ_name, gss_ctx, srv_type );
-       
-       gss_release_name( &minor, &targ_name );
+       err = dns_negotiate_gss_ctx_int(conn, keyname,
+                                       gensec,
+                                       srv_type);
+       if (!ERR_DNS_IS_OK(err)) goto error;
 
  error:
-       TALLOC_FREE(mem_ctx);
+       TALLOC_FREE(frame);
 
        return err;
 }
 
 DNS_ERROR dns_sign_update(struct dns_update_request *req,
-                         gss_ctx_id_t gss_ctx,
+                         struct gensec_security *gensec,
                          const char *keyname,
                          const char *algorithmname,
                          time_t time_signed, uint16_t fudge)
 {
+       TALLOC_CTX *frame = talloc_stackframe();
        struct dns_buffer *buf;
        DNS_ERROR err;
        struct dns_domain_name *key, *algorithm;
-       struct gss_buffer_desc_struct msg, mic;
-       OM_uint32 major, minor;
        struct dns_rrec *rec;
+       DATA_BLOB mic = { .length = 0, };
+       NTSTATUS status;
 
-       err = dns_marshall_update_request(req, req, &buf);
+       err = dns_marshall_update_request(frame, req, &buf);
        if (!ERR_DNS_IS_OK(err)) return err;
 
-       err = dns_domain_name_from_string(buf, keyname, &key);
+       err = dns_domain_name_from_string(frame, keyname, &key);
        if (!ERR_DNS_IS_OK(err)) goto error;
 
-       err = dns_domain_name_from_string(buf, algorithmname, &algorithm);
+       err = dns_domain_name_from_string(frame, algorithmname, &algorithm);
        if (!ERR_DNS_IS_OK(err)) goto error;
 
        dns_marshall_domain_name(buf, key);
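Review bot: In dns_sign_update the early exit after `err = dns_marshall_update_request(frame, req, &buf);` keeps the old `if (!ERR_DNS_IS_OK(err)) return err;`, but `frame` is now a talloc_stackframe() allocated two lines above, so that path returns without freeing it; it should be `if (!ERR_DNS_IS_OK(err)) goto error;` like the other failures, with the `error:` label in the next hunk doing the `TALLOC_FREE(frame)`. In dns_negotiate_sec_ctx, the added `if (!ERR_DNS_IS_OK(err)) goto error;` after dns_negotiate_gss_ctx_int is redundant because `error:` is the very next statement either way. dns_sign_update continues outside this hunk.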
@@ -313,32 +208,31 @@ DNS_ERROR dns_sign_update(struct dns_update_request *req,
        err = buf->error;
        if (!ERR_DNS_IS_OK(buf->error)) goto error;
 
-       msg.value = (void *)buf->data;
-       msg.length = buf->offset;
-
-       major = gss_get_mic(&minor, gss_ctx, 0, &msg, &mic);
-       if (major != 0) {
+       status = gensec_sign_packet(gensec,
+                                   frame,
+                                   buf->data,
+                                   buf->offset,
+                                   buf->data,
+                                   buf->offset,
+                                   &mic);
+       if (!NT_STATUS_IS_OK(status)) {
                err = ERROR_DNS_GSS_ERROR;
                goto error;
        }
 
        if (mic.length > 0xffff) {
-               gss_release_buffer(&minor, &mic);
                err = ERROR_DNS_GSS_ERROR;
                goto error;
        }
 
-       err = dns_create_tsig_record(buf, keyname, algorithmname, time_signed,
-                                    fudge, mic.length, (uint8_t *)mic.value,
+       err = dns_create_tsig_record(frame, keyname, algorithmname, time_signed,
+                                    fudge, mic.length, mic.data,
                                     req->id, 0, &rec);
-       gss_release_buffer(&minor, &mic);
        if (!ERR_DNS_IS_OK(err)) goto error;
 
        err = dns_add_rrec(req, rec, &req->num_additionals, &req->additional);
 
  error:
-       TALLOC_FREE(buf);
+       TALLOC_FREE(frame);
        return err;
 }
-
-#endif /* HAVE_GSSAPI */
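Review bot: `rec` is created on `frame` by dns_create_tsig_record and then stored into `req->additional` by dns_add_rrec, after which `TALLOC_FREE(frame)` runs; unless dns_add_rrec reparents the record under `req` (not visible here), the request is left pointing at freed memory. The pre-change code had the same shape with `buf` as the parent, so this is not a regression, but an explicit `talloc_steal(req, rec);` before the dns_add_rrec call, or a comment stating that dns_add_rrec takes ownership of `rec`, would make the lifetime obvious to the next reader. The function starts outside this hunk.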
diff --git a/lib/addns/wscript_build b/lib/addns/wscript_build
index cc72b35b437..694d71b732e 100644
--- a/lib/addns/wscript_build
+++ b/lib/addns/wscript_build
@@ -11,6 +11,6 @@ bld.SAMBA_LIBRARY('addns',
                        error.c
                        dnsquery_srv.c
                    ''',
-                   public_deps='samba-util gssapi ndr resolv dns_lookup',
+                   public_deps='samba-util gensec ndr resolv dns_lookup',
                    private_library=True,
                    vars=locals())
diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
index a5940561cda..608cb60f155 100644
--- a/lib/krb5_wrap/gss_samba.c
+++ b/lib/krb5_wrap/gss_samba.c
@@ -48,16 +48,35 @@ int smb_gss_oid_equal(const gss_OID first_oid, const 
gss_OID second_oid)
 }
 #endif /* !HAVE_GSS_OID_EQUAL */
 
-
 /* wrapper around gss_krb5_import_cred() that prefers to use 
gss_acquire_cred_from()
  * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
  * interposed by GSSPROXY while gss_krb5_import_cred() is not.
  *
  * This wrapper requires a proper krb5_context to resolve ccache name.
  * All gss_krb5_import_cred() callers in Samba already have krb5_context 
available. */
-uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
-                                 krb5_ccache id, krb5_principal 
keytab_principal,
-                                 krb5_keytab keytab, gss_cred_id_t *cred)
+uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status,
+                                 krb5_context ctx,
+                                 krb5_ccache id,
+                                 krb5_principal keytab_principal,
+                                 krb5_keytab keytab,
+                                 gss_cred_id_t *cred)
+{
+       return smb_gss_mech_import_cred(minor_status,
+                                       ctx,
+                                       id,
+                                       keytab_principal,
+                                       keytab,
+                                       gss_mech_krb5,
+                                       cred);
+}
+
+uint32_t smb_gss_mech_import_cred(OM_uint32 *minor_status,
+                                 krb5_context ctx,
+                                 krb5_ccache id,
+                                 krb5_principal keytab_principal,
+                                 krb5_keytab keytab,
+                                 const struct gss_OID_desc_struct *mech,
+                                 gss_cred_id_t *cred)
 {
        uint32_t major_status = 0;
 
@@ -86,7 +105,7 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, 
krb5_context ctx,
        gss_OID_set_desc mech_set = {
                .count = 1,
                .elements = discard_const_p(struct gss_OID_desc_struct,
-                                           gss_mech_krb5),
+                                           mech),
        };
 
        gss_cred_usage_t cred_usage = GSS_C_INITIATE;
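Review bot: `mech` is placed into `mech_set.elements` with `count = 1` and no NULL check, so a caller passing NULL builds a mechanism set whose single element is a NULL pointer; the previous code could not reach that state because it always used gss_mech_krb5. A guard near the top of the function, `if (mech == NULL) { *minor_status = 0; return GSS_S_BAD_MECH; }`, fails early with a meaningful major status instead of handing a bad set to the GSSAPI library. The function starts outside this hunk.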
diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h
index 89aee3479c5..9e91f21e406 100644
--- a/lib/krb5_wrap/gss_samba.h
+++ b/lib/krb5_wrap/gss_samba.h
@@ -45,5 +45,13 @@ uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, 
krb5_context ctx,
                                  krb5_ccache id, krb5_principal 
keytab_principal,
                                  krb5_keytab keytab, gss_cred_id_t *cred);
 


-- 
Samba Shared Repository
