samba.git/auth, branch talloc-2.1.3 Unnamed repository; edit this file 'description' to name the repository. s4-auth: Always pass down the salt principal 2015-07-16T23:38:15+00:00 Andreas Schneider asn@samba.org 2015-04-23T17:18:32+00:00 c9a8fff52519bb57040bf34b730263f191a6a88f We should always pass down the saltPrincipal to smb_krb5_update_keytab() function. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
We should always pass down the saltPrincipal to smb_krb5_update_keytab()
function.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
auth/credentials: if credentials have principal set, they are not anonymous anymore 2015-07-15T14:32:54+00:00 Alexander Bokovoy ab@samba.org 2015-05-07T14:12:03+00:00 a0d2dd0e01618346b4ad8ea9da3f7ce4eb0364b0 When dealing with Kerberos, we cannot consider credentials anonymous if credentials were obtained properly. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11265 Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Stefan (metze) Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Wed Jul 15 16:32:55 CEST 2015 on sn-devel-104 
When dealing with Kerberos, we cannot consider credentials anonymous
if credentials were obtained properly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11265

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan (metze) Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Jul 15 16:32:55 CEST 2015 on sn-devel-104
auth/credentials: anonymous should not try to use kerberos 2015-07-03T00:00:28+00:00 Stefan Metzmacher metze@samba.org 2015-06-25T18:30:43+00:00 f3f1c3892596e438c716172c053a016ee4ba464a Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
auth: Explain why GSS_KRB5_CRED_NO_CI_FLAGS_X is needed 2015-06-24T11:37:02+00:00 Andreas Schneider asn@samba.org 2015-06-23T15:39:27+00:00 0438027a476e56bb5664886918a982929c6add87 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Wed Jun 24 13:37:02 CEST 2015 on sn-devel-104 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 24 13:37:02 CEST 2015 on sn-devel-104
auth/kerberos: add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions 2015-06-23T23:03:16+00:00 Stefan Metzmacher metze@samba.org 2008-09-25T06:34:48+00:00 8a4c0abb3eaf1ae80d1ce476cc123c5a195cd15d These make use of gss_[un]wrap_iov[_length]() where required and support header signing. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
These make use of gss_[un]wrap_iov[_length]() where required and support
header signing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/gensec: remove unused gensec_[un]wrap_packets() hooks 2015-06-23T20:12:08+00:00 Stefan Metzmacher metze@samba.org 2015-06-19T10:47:10+00:00 2cd3e51e19c0ae851ea2f294125c387f72d4432c Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL before starting 2015-06-23T12:38:53+00:00 Stefan Metzmacher metze@samba.org 2015-06-20T14:19:31+00:00 756508c8c37b0370301a096e35abc171fe08d31c We want to set GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL based on the given auth_level and should not have GENSEC_FEATURE_SEAL if DCERPC_AUTH_LEVEL_INTEGRITY is desired. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
We want to set GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL based on the given
auth_level and should not have GENSEC_FEATURE_SEAL if
DCERPC_AUTH_LEVEL_INTEGRITY is desired.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/gensec: gensec_[un]seal_packet() should only work with GENSEC_FEATURE_DCE_STYLE 2015-06-23T12:38:53+00:00 Stefan Metzmacher metze@samba.org 2015-06-19T12:46:53+00:00 3542d33314e32279340f07f995c1dcbd16106352 gensec_sig_size() also requires GENSEC_FEATURE_DCE_STYLE if GENSEC_FEATURE_SEAL is negotiated. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
gensec_sig_size() also requires GENSEC_FEATURE_DCE_STYLE if
GENSEC_FEATURE_SEAL is negotiated.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X instead of SAMBA4_USES_HEIMDAL 2015-06-23T12:38:53+00:00 Stefan Metzmacher metze@samba.org 2015-06-22T13:17:33+00:00 57579453d12429adba08b80c1eb6936cc422a2fd Newer MIT versions also have this. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> 
Newer MIT versions also have this.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
dcerpc: NULL pointer deref crash in handling rpc request. 2015-06-18T17:25:27+00:00 Jeremy Allison jra@samba.org 2015-06-18T16:57:42+00:00 5deb8169fecef108b4f8010446398475ba8b46de source4/rpc_server/dcerpc_server.c:dcesrv_request() calls gensec_have_feature(). Codenomicon found a code path that allows the client to send a request that calls into this function without ever having set up security. So call->conn->auth_state.gensec_security exists (gensec has been initialized when the RPC pipe is set up) but call->conn->auth_state.gensec_security->ops has not been initialized. We dereference the NULL pointer and crash. An alternate way to fix this would be to create a new public bool gensec_initialized(() function and call that inside dcesrv_request() instead of doing a null check on call->conn->auth_state.gensec_security, but that's a more invasive fix we can add later. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11341 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> 
source4/rpc_server/dcerpc_server.c:dcesrv_request() calls gensec_have_feature().

Codenomicon found a code path that allows the client to send a
request that calls into this function without ever having set
up security. So call->conn->auth_state.gensec_security exists
(gensec has been initialized when the RPC pipe is set up)
but call->conn->auth_state.gensec_security->ops has not been
initialized. We dereference the NULL pointer and crash.

An alternate way to fix this would be to create a new
public bool gensec_initialized(() function and call that
inside dcesrv_request() instead of doing a null
check on call->conn->auth_state.gensec_security,
but that's a more invasive fix we can add later.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11341

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>