path: root/auth/credentials
Age | Commit message | Author | Files | Lines
2026-03-31 | auth: Check return of talloc_strdup() for NULL | Pavel Filipenský | 1 | -0/+3
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Mar 31 09:18:43 UTC 2026 on atb-devel-224
2026-03-31 | auth: Call talloc_keep_secret() for sensitive memory | Pavel Filipenský | 2 | -0/+3
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2026-03-31 | auth: Call ZERO_ARRAY()/ZERO_STRUCT() for sensitive variables on stack | Pavel Filipenský | 1 | -0/+3
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2026-03-25 | auth: Remove talloc_set_name_const() if talloc_keep_secret() changes the talloc name | Pavel Filipenský | 2 | -5/+0
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(timing): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(timing): Wed Mar 25 21:16:35 UTC 2026 on atb-devel-224
2026-03-25 | auth/credentials: Add talloc_keep_secret() to zero out old_password | Pavel Filipenský | 1 | -2/+1
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
2026-03-25 | auth/credentials: Check talloc_strdup() for NULL | Pavel Filipenský | 1 | -4/+9
Return false if talloc_strdup() fails.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
2026-01-13 | auth/credentials: Zero memory in credentials_ntlm.c | Pavel Filipenský | 1 | -38/+34
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2026-01-13 | auth: Fix typo "pass-though" -> "pass-through" | Pavel Filipenský | 2 | -2/+2
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2026-01-07 | credentials: Remove duplicate prototypes | Volker Lendecke | 1 | -8/+0
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
2025-12-08 | auth: Use new data_blob_..._s() functions and remove talloc_keep_secret() | Pavel Filipenský | 1 | -2/+1
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2025-09-03 | krb5: handle GSS-Proxy credentials lifetime | Alexander Bokovoy | 1 | -10/+26
GSS-Proxy stores its credential in encrypted form in the Kerberos ccache with a start and end time of 0 and a server principal in the realm named 'X-GSSPROXY:'. This credential is accessed through GSS-Proxy interposer mechanism in MIT Kerberos and cannot be analysed with raw krb5 API. As MIT Kerberos has no krb5_cc_get_lifetime() implementation, add check for the GSS-Proxy credential to smb_krb5_cc_get_lifetime() wrapper to return KRB5_PLUGIN_NO_HANDLE. The two places where smb_krb5_cc_get_lifetime() is used then handle this return code to avoid deciding on the 'expired' lifetime to cause a kinit. This fixes FreeIPA use case where an IPA API endpoint uses Samba Python bindings with a GSS-Proxy-controlled credential cache.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15902
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Wed Sep 3 10:15:50 UTC 2025 on atb-devel-224
2025-08-26 | auth: avoid strcmp(x, NULL) | Douglas Bagnall | 1 | -1/+6
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-08-26 | auth: fix docs for cli_credentials_get_password_and_obtained() | Douglas Bagnall | 1 | -1/+1
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-08-25 | auth:creds: Update the documentation for set_principal and set_realm | Andreas Schneider | 1 | -6/+31
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Mon Aug 25 12:08:22 UTC 2025 on atb-devel-224
2025-08-25 | auth:creds: Make sure to uppercase the realm of a principal | Andreas Schneider | 1 | -8/+32
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-25 | auth:creds: Validate realm names in set_realm and set_principal | Andreas Schneider | 1 | -0/+25
See also https://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html#realm-name
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-25 | auth:creds: Keep password secret in cmdline_get_userpassword() | Andreas Schneider | 1 | -0/+1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-25 | auth:creds: Keep the password secret | Andreas Schneider | 1 | -0/+1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-25 | auth:creds: Allow to reset the principal by passing NULL to set_principal | Andreas Schneider | 1 | -5/+10
We do that e.g. in cli_credentials_set_anonymous()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-25 | auth:creds: Also uppercase realm set via a callback | Andreas Schneider | 1 | -1/+12
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-25 | auth:creds: Allow to reset the realm by passing NULL | Andreas Schneider | 1 | -1/+8
This is e.g. done by cli_credentials_set_anonymous(). We can't call TALLOC_FREE(cred->realm), as this would break cli_credentials_shallow_copy().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-05 | auth:creds: Add cli_credentials_get_out_ccache_name() | Andreas Schneider | 2 | -0/+6
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-05 | auth:creds: Always store the ccache name | Andreas Schneider | 2 | -0/+9
This will allow us to specify the cache as one to fill with credentials.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-05 | auth:creds: Make sure when parsing username that realm is uppercase | Andreas Schneider | 2 | -1/+8
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-05-15 | auth: Reduce indentation | Volker Lendecke | 1 | -78/+78
Best reviewed with "git sh -b"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2025-04-15 | auth:creds: Do a kinit if we have a password and the ccache is empty | Andreas Schneider | 1 | -18/+12
This implements the same behaviour for s4 clients as we have with s3 clients.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-02-04 | s3,s4: Make case spelling of sAMAccountName consistent | Pavel Filipenský | 1 | -1/+1
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2025-01-08 | pycredentials: add [g|s]et_old_nt_hash() | Stefan Metzmacher | 1 | -1/+56
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2024-12-12 | pycredentials: add py_netlogon_creds_kerberos_init | Stefan Metzmacher | 1 | -0/+68
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 | pycredentials: add credentials.netlogon_creds_*() functions via py_module_methods | Stefan Metzmacher | 1 | -1/+1113
This makes it possible to explore the functions around netlogon_creds_CredentialState via python. This allows us to write tests in order to explore the details of netr_ServerAuthenticateKerberos().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 | pycredentials: add creds.[g|s]et_netlogon_creds() | Stefan Metzmacher | 1 | -0/+89
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 | pycredentials: remove unused module methods | Stefan Metzmacher | 1 | -8/+8
It's not useful to use the PyCredentials methods also as module methods...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-10-30 | auth/credentials: remove unused netlogon_creds_session_encrypt() | Stefan Metzmacher | 2 | -50/+0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | pycredentials: remove unused .encrypt_samr_password() | Stefan Metzmacher | 1 | -51/+1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | pycredentials: add py_creds_encrypt_netr_PasswordInfo helper | Stefan Metzmacher | 1 | -0/+73
This will replace py_creds_encrypt_samr_password in the next steps and prepares the introduction of netr_ServerAuthenticateKerberos().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | pycredentials: make use of netlogon_creds_encrypt_samr_CryptPassword in py_creds_encrypt_netr_crypt_password | Stefan Metzmacher | 1 | -4/+15
These will simplify adding the logic for netr_ServerAuthenticateKerberos...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-08-27 | lib: Add libcli/util/ntstatus.h in a few headers where it's needed | Volker Lendecke | 1 | -0/+1
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jennifer Sutton <jsutton@samba.org>
2024-06-24 | credentials: Protect the cred's nt hash with talloc_keep_secret | Volker Lendecke | 1 | -0/+5
This avoids the need for an explicit ZERO_STRUCT before TALLOC_FREE
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-19 | auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts | Stefan Metzmacher | 1 | -6/+25
We only turn desired into off in the NT4 domain member case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 19 10:17:28 UTC 2024 on atb-devel-224
2024-06-19 | auth/credentials: add tests for cli_credentials_get_kerberos_state[_obtained]() | Stefan Metzmacher | 1 | -10/+27
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-06-19 | auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper | Stefan Metzmacher | 2 | -0/+6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-06-04 | creds: Add cli_credentials_add_gensec_features | Volker Lendecke | 2 | -0/+12
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 | auth:credentials: Check for NT hash being NULL | Jo Sutton | 1 | -0/+3
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-14 | auth/credentials_krb5: let cli_credentials_set_ccache() use smb_force_krb5_cc_default() | Stefan Metzmacher | 1 | -1/+5
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 | auth/credentials_krb5: use system/{gssapi,kerberos}.h | Stefan Metzmacher | 1 | -3/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 | auth/credentials: use smb_krb5_cc_new_unique_memory() in cli_credentials_new_ccache() | Stefan Metzmacher | 1 | -14/+17
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 | auth/credentials: use smb_krb5_cc_new_unique_memory() in cli_credentials_shallow_ccache() | Stefan Metzmacher | 1 | -7/+4
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 | auth/credentials: use smb_krb5_cc_new_unique_memory() in smb_gss_krb5_copy_ccache() | Stefan Metzmacher | 1 | -11/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 | auth/credentials: use smb_krb5_cc_new_unique_memory() in krb5_cc_remove_cred_wrap() | Stefan Metzmacher | 1 | -14/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 | auth:creds: Add test for cli_credentials_get_username_obtained() | Andreas Schneider | 1 | -1/+3
Signed-off-by: Andreas Schneider <asn@samba.org>