<feed xmlns='http://www.w3.org/2005/Atom'>
<title>samba.git/source4/auth/gensec, branch talloc-2.0.8</title>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/'/>
<entry>
<title>s4-auth: Make sure we use the correct credential state.</title>
<updated>2012-07-17T11:26:37+00:00</updated>
<author>
<name>Andreas Schneider</name>
<email>asn@samba.org</email>
</author>
<published>2012-07-17T08:50:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=18692b060f098015bf2eee0835611eb7d95fd923'/>
<id>18692b060f098015bf2eee0835611eb7d95fd923</id>
<content type='text'>
If we create a copy of the credential state we miss updates to the
credentials.

To establish a netlogon schannel connection we create client credentials
and authenticate with them using

dcerpc_netr_ServerAuthenticate2()

For this we call netlogon_creds_client_authenticator() which increases
the sequence number and steps the credentials. Let's assume the sequence
number is 1002.

After a successful authentication we get the server credentials and we
send a bind auth request with the received creds. This sets up gensec
and the gensec schannel module creates a copy of the client creds and
stores it in the schannel auth state. So the creds stored in gensec have
the sequence number 1002.

After that we continue and need the client credentials to call

dcerpc_netr_LogonGetCapabilities()

to verify the connection. So we need to increase the sequence number of
the credentials to 1004 and step the credentials to the next state. The
server always does the same and everything is just fine here.

The connection is established and we want to do another netlogon call.
So we get the creds from gensec and want to do a netlogon call e.g.

dcerpc_netr_SamLogonWithFlags.

We get the needed creds from gensec. The sequence number is 1002 and
we talk to the server. The server is already ahead cause we are already
at sequence number 1004 and the server expects it to be 1006. So the
server gives us ACCESS_DENIED cause we use a copy in gensec.

Signed-off-by: Günther Deschner &lt;gd@samba.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If we create a copy of the credential state we miss updates to the
credentials.

To establish a netlogon schannel connection we create client credentials
and authenticate with them using

dcerpc_netr_ServerAuthenticate2()

For this we call netlogon_creds_client_authenticator() which increases
the sequence number and steps the credentials. Let's assume the sequence
number is 1002.

After a successful authentication we get the server credentials and we
send a bind auth request with the received creds. This sets up gensec
and the gensec schannel module creates a copy of the client creds and
stores it in the schannel auth state. So the creds stored in gensec have
the sequence number 1002.

After that we continue and need the client credentials to call

dcerpc_netr_LogonGetCapabilities()

to verify the connection. So we need to increase the sequence number of
the credentials to 1004 and step the credentials to the next state. The
server always does the same and everything is just fine here.

The connection is established and we want to do another netlogon call.
So we get the creds from gensec and want to do a netlogon call e.g.

dcerpc_netr_SamLogonWithFlags.

We get the needed creds from gensec. The sequence number is 1002 and
we talk to the server. The server is already ahead cause we are already
at sequence number 1004 and the server expects it to be 1006. So the
server gives us ACCESS_DENIED cause we use a copy in gensec.

Signed-off-by: Günther Deschner &lt;gd@samba.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>s4:gensec: fix a comment typo</title>
<updated>2012-06-12T05:21:45+00:00</updated>
<author>
<name>Michael Adam</name>
<email>obnox@samba.org</email>
</author>
<published>2012-06-11T22:29:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=6b2175c83416e7e5bcd76c79cf927ad806d4a562'/>
<id>6b2175c83416e7e5bcd76c79cf927ad806d4a562</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>gse: Use the smb_gss_oid_equal wrapper.</title>
<updated>2012-05-23T14:51:51+00:00</updated>
<author>
<name>Andreas Schneider</name>
<email>asn@samba.org</email>
</author>
<published>2012-05-21T16:25:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=2b144531f1a760514f217012e9dab01359b7a0d7'/>
<id>2b144531f1a760514f217012e9dab01359b7a0d7</id>
<content type='text'>
Signed-off-by: Andreas Schneider &lt;asn@samba.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Andreas Schneider &lt;asn@samba.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Introduce system MIT krb5 build with --with-system-mitkrb5 option.</title>
<updated>2012-05-23T14:51:50+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>ab@samba.org</email>
</author>
<published>2012-05-21T09:45:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=2ddf89a2bc3c00b71dec230f071416e594f89113'/>
<id>2ddf89a2bc3c00b71dec230f071416e594f89113</id>
<content type='text'>
System MIT krb5 build also enabled by specifying --without-ad-dc

When --with-system-mitkrb5 (or --without-ad-dc) option is passed to top level
configure in WAF build we are trying to detect and use system-wide MIT krb5
libraries. As a result, Samba 4 DC functionality will be disabled due to the fact
that it is currently impossible to implement embedded KDC server with MIT krb5.

Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
  * Samba 4 client libraries and their Python bindings
  * Samba 3 server (smbd, nmbd, winbindd from source3/)
  * Samba 3 client libraries

In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture.
This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
System MIT krb5 build also enabled by specifying --without-ad-dc

When --with-system-mitkrb5 (or --without-ad-dc) option is passed to top level
configure in WAF build we are trying to detect and use system-wide MIT krb5
libraries. As a result, Samba 4 DC functionality will be disabled due to the fact
that it is currently impossible to implement embedded KDC server with MIT krb5.

Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
  * Samba 4 client libraries and their Python bindings
  * Samba 3 server (smbd, nmbd, winbindd from source3/)
  * Samba 3 client libraries

In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture.
This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.
</pre>
</div>
</content>
</entry>
<entry>
<title>gensec_gssapi: Make it possible to build with MIT krb5</title>
<updated>2012-05-23T14:51:49+00:00</updated>
<author>
<name>Simo Sorce</name>
<email>idra@samba.org</email>
</author>
<published>2012-05-08T16:38:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=ad945bc68f6b1e73a47bc0a33b35fcbf182f8137'/>
<id>ad945bc68f6b1e73a47bc0a33b35fcbf182f8137</id>
<content type='text'>
We need to ifdef out some minor things here because there is no available API
to set these options in MIT.
The realm and canonicalize options should not be interesting in the client
case. Same for the send_to_kdc hacks.
Also the OLD DES3 enctype is not at all interesting. I am not aware that
Windows will ever use DES3 and no modern implementation relies on that enctype
anymore as it has been fully deprecated long ago, so we can simply ignore it.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We need to ifdef out some minor things here because there is no available API
to set these options in MIT.
The realm and canonicalize options should not be interesting in the client
case. Same for the send_to_kdc hacks.
Also the OLD DES3 enctype is not at all interesting. I am not aware that
Windows will ever use DES3 and no modern implementation relies on that enctype
anymore as it has been fully deprecated long ago, so we can simply ignore it.
</pre>
</div>
</content>
</entry>
<entry>
<title>pygensec: Fix init of variable if not specified.</title>
<updated>2012-05-18T02:50:17+00:00</updated>
<author>
<name>Jelmer Vernooij</name>
<email>jelmer@samba.org</email>
</author>
<published>2012-05-17T21:48:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=01c502ddd41857e2dea9a01ac4afbe48e5ea1fdd'/>
<id>01c502ddd41857e2dea9a01ac4afbe48e5ea1fdd</id>
<content type='text'>
Thanks to Wolfgang Sourdeau for reporting this.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=8946

Autobuild-User: Jelmer Vernooij &lt;jelmer@samba.org&gt;
Autobuild-Date: Fri May 18 04:50:17 CEST 2012 on sn-devel-104
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Thanks to Wolfgang Sourdeau for reporting this.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=8946

Autobuild-User: Jelmer Vernooij &lt;jelmer@samba.org&gt;
Autobuild-Date: Fri May 18 04:50:17 CEST 2012 on sn-devel-104
</pre>
</div>
</content>
</entry>
<entry>
<title>s4:auth/gensec_gssapi: add "gensec_gssapi:requested_life_time" option</title>
<updated>2012-05-17T18:04:34+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2012-04-20T11:51:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=90c309b053c0328419a79361e0c2e32486cef428'/>
<id>90c309b053c0328419a79361e0c2e32486cef428</id>
<content type='text'>
metze
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
metze
</pre>
</div>
</content>
</entry>
<entry>
<title>s4:auth/gensec: implement gensec_gssapi_expire_time()</title>
<updated>2012-05-17T18:04:33+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2012-03-03T03:33:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=6b38d0274a209c951fc0ef33e2913aaaa9d48299'/>
<id>6b38d0274a209c951fc0ef33e2913aaaa9d48299</id>
<content type='text'>
metze
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
metze
</pre>
</div>
</content>
</entry>
<entry>
<title>s4:auth/gensec_gssapi: add missing 'break' statements</title>
<updated>2012-05-17T18:04:32+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2012-05-17T15:31:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=677c4fd2c10435b5d5e06f226db4ee9c7a2ab988'/>
<id>677c4fd2c10435b5d5e06f226db4ee9c7a2ab988</id>
<content type='text'>
metze
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
metze
</pre>
</div>
</content>
</entry>
<entry>
<title>s4:auth/gensec_gssapi: remember the expire time</title>
<updated>2012-05-17T18:04:31+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2012-03-02T21:02:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=943cb79596e2823f166bc6a59d40008afa187b7a'/>
<id>943cb79596e2823f166bc6a59d40008afa187b7a</id>
<content type='text'>
metze
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
metze
</pre>
</div>
</content>
</entry>
</feed>
