summaryrefslogtreecommitdiff
path: root/auth
AgeCommit message (Collapse)AuthorFilesLines
2026-03-31auth: Check return of talloc_strdup() for NULLPavel Filipenský1-0/+3
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org> Autobuild-Date(master): Tue Mar 31 09:18:43 UTC 2026 on atb-devel-224
2026-03-31auth: Call talloc_keep_secret() for sensitive memoryPavel Filipenský2-0/+3
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-03-31auth: Call ZERO_ARRAY()/ZERO_STRUCT() for sensitive variables on stackPavel Filipenský2-0/+5
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-03-25auth: Remove talloc_set_name_const() if talloc_keep_secret() changes the ↵Pavel Filipenský2-5/+0
talloc name Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Autobuild-User(timing): Pavel Filipensky <pfilipensky@samba.org> Autobuild-Date(timing): Wed Mar 25 21:16:35 UTC 2026 on atb-devel-224
2026-03-25auth/credentials: Add talloc_keep_secret() to zero out old_passwordPavel Filipenský1-2/+1
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
2026-03-25auth/credentials: Check talloc_strdup() for NULLPavel Filipenský1-4/+9
Return false if talloc_strdup() fails. Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
2026-02-17auth/credentials: Fix regression with --use-kerberos=desired for smbclientNoel Power1-5/+0
As part of the gse_krb5 processing the following call chain gensec_gse_client_start() ---> gensec_kerberos_possible() ---> cli_credentials_authentication_requested() gensec_kerberos_possible() will always fail when cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED It seems since use kerberos == desired is the default that it isn't necessary to see if credentials were modified to indicated authentication was requested. gensec_kerberos_possible() should afaics return true if kerberos is desired OR required (regardless of whether credentials were requested) This commit removes the knownfail associated with this bug. Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789 Signed-off-by: <noel.power@suse.com> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-02-15auth: Align integer typesVolker Lendecke1-2/+2
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
2026-02-15auth: Avoid a DEBUGADD in kerberos_decode_pac()Volker Lendecke1-7/+6
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
2026-02-15auth: Refactor check_pac_checksum to improve readabilityVolker Lendecke1-3/+3
Use ARRAY_SIZE over terminating array element. Easier to read for me. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
2026-01-15auth:kerberos: Do not fail if PAC account name doesn’t match ticket ↵Jennifer Sutton1-3/+0
principal name Andrew Bartlett says: “These days, we can trust that the PAC has been validated by the library, and I think also that nobody could have put in a false PAC anyway (the KDC should stop clients setting pre-auth data of that type), so the validation step that fails isn't doing as much as it did 20 years ago. So I think we could simply patch [this] check to accept the canonical name and know that we just are working with that option [‘krb5 acceptor report canonical client name’] having been set.” Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2026-01-13auth/ntlmssp: Zero memory in ntlmssp_client.cPavel Filipenský1-9/+13
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org> Autobuild-Date(master): Tue Jan 13 12:34:02 UTC 2026 on atb-devel-224
2026-01-13auth/ntlmssp: Add missing memory allocation checks is ntlmssp_client.cPavel Filipenský1-0/+12
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-01-13auth/ntlmssp: Zero sensitive memory in gensec_ntlmssp.cPavel Filipenský1-1/+3
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-01-13auth/credentials: Zero memory in credentials_ntlm.cPavel Filipenský1-38/+34
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-01-13auth/kerberos: Zero sensitive memory in gssapi_pac.cPavel Filipenský1-4/+7
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-01-13auth/kerberos: Check memory allocation in gssapi_get_session_key()Pavel Filipenský1-0/+6
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-01-13auth: Fix trailing whitespaces in gssapi_pac.cPavel Filipenský1-2/+2
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-01-13auth: Fix typo "pass-though" -> "pass-through"Pavel Filipenský2-2/+2
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-01-07lib: Don't call a function to initialize an empty DATA_BLOBVolker Lendecke2-7/+7
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
2026-01-07credentials: Remove duplicate prototypesVolker Lendecke1-8/+0
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
2025-12-08auth: Use new data_blob_..._s() functions and remove talloc_keep_secret()Pavel Filipenský1-2/+1
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2025-09-03krb5: handle GSS-Proxy credentials lifetimeAlexander Bokovoy1-10/+26
GSS-Proxy stores its credential in encrypted form in the Kerberos ccache with a start and end time of 0 and a server principal in the realm named 'X-GSSPROXY:'. This credential is accessed through GSS-Proxy interposer mechanism in MIT Kerberos and cannot be analysed with raw krb5 API. As MIT Kerberos has no krb5_cc_get_lifetime() implementation, add check for the GSS-Proxy credential to smb_krb5_cc_get_lifetime() wrapper to return KRB5_PLUGIN_NO_HANDLE. The two places where smb_krb5_cc_get_lifetime() is used then handle this return code to avoid deciding on the 'expired' lifetime to cause a kinit. This fixes FreeIPA use case where an IPA API endpoint uses Samba Python bindings with a GSS-Proxy-controlled credential cache. Bug: https://bugzilla.samba.org/show_bug.cgi?id=15902 Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org> Autobuild-Date(master): Wed Sep 3 10:15:50 UTC 2025 on atb-devel-224
2025-08-26auth: avoid strcmp(x, NULL)Douglas Bagnall1-1/+6
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-08-26auth: fix docs for cli_credentials_get_password_and_obtained()Douglas Bagnall1-1/+1
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-08-25auth:creds: Update the documentation for set_principal and set_realmAndreas Schneider1-6/+31
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Mon Aug 25 12:08:22 UTC 2025 on atb-devel-224
2025-08-25auth:creds: Make sure to uppercase the realm of a principalAndreas Schneider1-8/+32
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-25auth:creds: Validate realm names in set_realm and set_principalAndreas Schneider1-0/+25
See also https://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html#realm-name BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-25auth:creds: Keep password secret in cmdline_get_userpassword()Andreas Schneider1-0/+1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-25auth:creds: Keep the password secretAndreas Schneider1-0/+1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-25auth:creds: Allow to reset the principal by passing NULL to set_principalAndreas Schneider1-5/+10
We do that e.g. in cli_credentials_set_anonymous() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-25auth:creds: Also uppercase realm set via a callbackAndreas Schneider1-1/+12
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-25auth:creds: Allow to reset the realm by passing NULLAndreas Schneider1-1/+8
This is e.g. done by cli_credentials_set_anonymous(). We can't call TALLOC_FREE(cred->realm), as this would break cli_credentials_shallow_copy(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-05auth:creds: Add cli_credentials_get_out_ccache_name()Andreas Schneider2-0/+6
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-05auth:creds: Always store the ccache nameAndreas Schneider2-0/+9
This will allow us to specify the cache as one to fill with credentials. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-05auth:creds: Make sure when parsing username that realm is uppercaseAndreas Schneider2-1/+8
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-05-15auth: Reduce indentationVolker Lendecke1-78/+78
Best reviewed with "git sh -b" Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2025-04-15auth:creds: Do a kinit if we have a password and the ccache is emptyAndreas Schneider1-18/+12
This implements the same behaviour for s4 clients as we have with s3 clients. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-04-03s4:auth: let auth_context_create_for_netlogon() remember for_netlogon = true;Stefan Metzmacher1-0/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03auth: let make_user_info_dc_pac() cross check ↵Stefan Metzmacher1-0/+34
PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID If there's a mismatch someone doing strange things... Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-14auth: remember the origin of sids from the PACStefan Metzmacher1-1/+22
So far the conversion from TGT PAC to struct auth_user_info_dc back to TGS PAC looses the information in what part of the PAC_LOGON_INFO a sid was stored. With this change we let make_user_info_dc_{netlogon_validation,pac}() remember this, so that auth_convert_user_info_dc_sam{baseinfo,info6}() can rebuild the information into the desired parts of the PAC_LOGON_INFO. This was found and fixed for sid filter related tests, but it turns out that it already fixes a few tests from samba.tests.krb5.device_tests. All other places get an implicit AUTH_SID_ORIGIN_UNKNOWN (=0), which means we use the same logic as before. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-02-14auth: simplify logic in make_user_info_dc_{netlogon_validation,pac}()Stefan Metzmacher1-15/+33
It's better to use (struct auth_SidAttr) {} in order to intialize all members. struct auth_SidAttr will change in the next commits and this makes it easier to review that we don't leave some parts uninitialized. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-02-14auth: let make_user_info_dc_netlogon_validation allocate the sid array in one goStefan Metzmacher1-22/+13
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-02-14auth: let make_user_info_dc_netlogon_validation validate all parameters firstStefan Metzmacher1-17/+14
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-02-14auth: remove sid-filtering comment in make_user_info_dc_netlogon_validationStefan Metzmacher1-6/+0
sid filtering will be done at a different level... Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-02-04s3,s4: Make case spelling of sAMAccountName consistentPavel Filipenský1-1/+1
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2025-01-17auth: Cleanup exit code paths in kerberos_decode_pac().Jeremy Allison1-45/+43
One more memory leak missed and now fixed. tmp_ctx must be freed once the pac data is talloc_move'd. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15782 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Christian Ambach <ambi@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Fri Jan 17 12:01:47 UTC 2025 on atb-devel-224
2025-01-16auth: Add missing talloc_free() in error code path.Jeremy Allison1-0/+1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15782 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Thu Jan 16 14:32:39 UTC 2025 on atb-devel-224
2025-01-08pycredentials: add [g|s]et_old_nt_hash()Stefan Metzmacher1-1/+56
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2024-12-12auth_log: prepare for netr_ServerAuthenticateKerberosStefan Metzmacher2-2/+5
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
generated by cgit v1.2.3 (git 2.25.1) at 2026-05-06 18:01:02 +0000