Commits on Source (2052)
Showing
with 1478 additions and 785 deletions
# https://clangd.llvm.org/config.html
CompileFlags:
CompilationDatabase: bin/default
# This file contains a list of git revisions that "git blame" should ignore.
# It's mostly useful to ignore commits that just do reformatting.
# See https://michaelheap.com/git-ignore-rev/
# To use locally, run:
# git config --global blame.ignoreRevsFile .git-blame-ignore-revs
bfa9624946a35e5645effbb20e02abba2c34a8c2
......@@ -47,7 +47,7 @@ variables:
# Set this to the contents of bootstrap/sha1sum.txt
# which is generated by bootstrap/template.py --render
#
SAMBA_CI_CONTAINER_TAG: 790c229c42a67336099420d137fa9dc9974a133a
SAMBA_CI_CONTAINER_TAG: 190a74ee9628f298961d890ba37fcc7d213daae2
#
# We use the ubuntu2204 image as default as
# it matches what we have on atb-devel-224
......@@ -58,14 +58,13 @@ variables:
# Please see the samba-o3 sections at the end of this file!
# We should run that for each available image
#
SAMBA_CI_CONTAINER_IMAGE_ubuntu1804: ubuntu1804
SAMBA_CI_CONTAINER_IMAGE_ubuntu1804_32bit: ubuntu1804-32bit
SAMBA_CI_CONTAINER_IMAGE_ubuntu2004: ubuntu2004
SAMBA_CI_CONTAINER_IMAGE_ubuntu2204: ubuntu2204
SAMBA_CI_CONTAINER_IMAGE_debian11: debian11
SAMBA_CI_CONTAINER_IMAGE_opensuse154: opensuse154
SAMBA_CI_CONTAINER_IMAGE_fedora37: fedora37
SAMBA_CI_CONTAINER_IMAGE_f37mit120: f37mit120
SAMBA_CI_CONTAINER_IMAGE_debian11_32bit: debian11-32bit
SAMBA_CI_CONTAINER_IMAGE_debian12: debian12
SAMBA_CI_CONTAINER_IMAGE_opensuse155: opensuse155
SAMBA_CI_CONTAINER_IMAGE_fedora38: fedora38
SAMBA_CI_CONTAINER_IMAGE_centos7: centos7
SAMBA_CI_CONTAINER_IMAGE_centos8s: centos8s
......@@ -263,33 +262,18 @@ samba-def-build:
samba-mit-build:
extends: .shared_template_build_only
variables:
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora37}
stage: build_first
samba-mit120-build:
extends: .shared_template_build_only
variables:
AUTOBUILD_JOB_NAME: samba-mit-build
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_f37mit120}
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora38}
stage: build_first
.needs_samba-mit-build:
extends: .shared_template_test_only
variables:
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora37}
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora38}
needs:
- job: samba-mit-build
artifacts: true
- job: samba-shellcheck
.needs_samba-mit120-build:
extends: .shared_template_test_only
variables:
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_f37mit120}
needs:
- job: samba-mit120-build
artifacts: true
samba-h5l-build:
extends: .shared_template_build_only
......@@ -332,7 +316,7 @@ samba:
samba-mitkrb5:
extends: .shared_template
variables:
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora37}
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora38}
samba-minimal-smbd:
extends: .shared_template
......@@ -402,13 +386,13 @@ samba-addc-mit-4b:
samba-fips:
extends: .shared_template
variables:
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora37}
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora38}
samba-shellcheck:
extends: .shared_template
needs:
variables:
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora37}
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora38}
stage: build_first
.private_test_only:
......@@ -435,11 +419,6 @@ samba-shellcheck:
- .needs_samba-mit-build
- .private_test_only
.needs_samba-mit120-build-private:
extends:
- .needs_samba-mit120-build
- .private_test_only
.needs_samba-h5l-build-private:
extends:
- .needs_samba-h5l-build
......@@ -467,7 +446,7 @@ samba-fileserver-without-smb1:
extends: .needs_samba-without-smb1-build-private
# This is a full build without the AD DC so we test the build with MIT
# Kerberos from the default system (Ubuntu 18.04 at this stage).
# Kerberos from the default system (Ubuntu 22.04 at this stage).
# Runtime behaviour checked via the ktest (static ccache and keytab)
# environment
samba-ktest-mit:
......@@ -482,11 +461,6 @@ samba-nt4:
samba-addc-mit-1:
extends: .needs_samba-mit-build-private
samba-addc-mit120:
extends: .needs_samba-mit120-build-private
variables:
AUTOBUILD_JOB_NAME: samba-addc-mit-1
samba-no-opath1:
extends: .needs_samba-no-opath-build-private
......@@ -529,7 +503,7 @@ pages:
- samba-fips
- samba-no-opath1
- samba-no-opath2
- ubuntu1804-samba-o3
- ubuntu2204-samba-o3
script:
- ls -la *.info
- ./configure.developer
......@@ -550,7 +524,7 @@ pages:
coverity:
extends: .shared_runner_build_image
variables:
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_opensuse154}
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_opensuse155}
stage: build
script:
- wget https://scan.coverity.com/download/linux64 --post-data "token=$COVERITY_SCAN_TOKEN&project=$COVERITY_SCAN_PROJECT_NAME" -O /tmp/coverity_tool.tgz
......@@ -579,11 +553,11 @@ coverity:
paths:
- cov-int/*.txt
ubuntu1804-samba-32bit:
debian11-samba-32bit:
extends: .shared_template
variables:
AUTOBUILD_JOB_NAME: samba-32bit
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu1804_32bit}
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_debian11_32bit}
#
# We build samba-o3 on all supported distributions
......@@ -597,11 +571,11 @@ ubuntu1804-samba-32bit:
# when -O3 gets combined with --enable-coverage in the scheduled
# builds.
ubuntu1804-samba-o3:
ubuntu2204-samba-o3:
extends: .shared_template
variables:
AUTOBUILD_JOB_NAME: samba-o3
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu1804}
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu2204}
SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE: "--enable-coverage"
rules:
# See above, to avoid a duplicate CI on the MR (these rules override the others)
......@@ -633,20 +607,20 @@ ubuntu2004-samba-o3:
variables:
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu2004}
ubuntu2204-samba-o3:
debian11-samba-o3:
extends: .samba-o3-template
variables:
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu2204}
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_debian11}
debian11-samba-o3:
debian12-samba-o3:
extends: .samba-o3-template
variables:
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_debian11}
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_debian12}
opensuse154-samba-o3:
opensuse155-samba-o3:
extends: .samba-o3-template
variables:
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_opensuse154}
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_opensuse155}
centos7-samba-o3:
extends: .samba-o3-template
......@@ -662,10 +636,10 @@ centos8s-samba-o3:
variables:
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_centos8s}
fedora37-samba-o3:
fedora38-samba-o3:
extends: .samba-o3-template
variables:
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora37}
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora38}
#
# Keep the samba-o3 sections at the end ...
#
# GitLeaks Repo Specific Configuration
#
# This allowlist is used to help Red Hat ignore false positives during its code
# scans.
[allowlist]
paths = [
'''docs-xml/manpages/smbstatus.1.xml''',
'''selftests/*''',
'''source3/script/tests/*''',
'''source4/dsdb/tests/*''',
'''source4/torture/*''',
'''testprogs/blackbox/*''',
'''tests/*''',
]
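Review bot: The allowlist entries are written as globs but gitleaks treats `paths` as regular expressions, so `selftests/*` matches "selftests" followed by zero or more slashes anywhere in a path rather than the directory tree it appears to target; this works only by accident and is broader than intended. If the intent is to skip the test trees, anchor them as regexes, e.g. `'''^selftests/'''`, `'''^source3/script/tests/'''`, `'''^tests/'''`. Note also that allowlisting whole test directories means a real credential accidentally committed under `tests/` or `source4/torture/` would not be reported, which is worth stating in the header comment so the trade-off is explicit.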
......@@ -97,9 +97,6 @@ etags:
ctags:
$(WAF) ctags
pydoctor:
$(WAF) pydoctor
pep8:
$(WAF) pep8
......@@ -133,7 +130,7 @@ bin/%: FORCE
FORCE:
# Having .NOTPARALLEL will force make to do target once at a time but still -j
# will be present in the MAKEFLAGS that are in turn interpreted by WAF
# so only 1 waf at a time will be called but it will still be able to do parralel builds if
# so only 1 waf at a time will be called but it will still be able to do parallel builds if
# instructed to do so
.NOTPARALLEL: %
.PHONY: FORCE everything testsuite check torture
......@@ -183,7 +183,7 @@ This is bad:
* with some more words...*/
```
### Indention & Whitespace & 80 columns
### Indentation & Whitespace & 80 columns
To avoid confusion, indentations have to be tabs with length 8 (not 8
' ' characters). When wrapping parameters for function calls,
......@@ -24,8 +24,8 @@
# -> "3.0.0" #
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=18
SAMBA_VERSION_RELEASE=6
SAMBA_VERSION_MINOR=19
SAMBA_VERSION_RELEASE=0
########################################################
# If a official release has a serious bug #
......@@ -117,7 +117,7 @@ SAMBA_VERSION_RELEASE_NICKNAME=
# #
# <MAJOR>.<MINOR>.<RELEASE>[...]-<VENDOR_SUFFIX> #
# #
# Note the '-' is automaticaly added #
# Note the '-' is automatically added #
# #
# e.g. SAMBA_VERSION_VENDOR_SUFFIX=VendorVersion #
# -> "3.0.0rc2-VendorVersion" #
......@@ -25,6 +25,8 @@
#define AUTH_FAILURE_LEVEL 2
#define AUTH_SUCCESS_LEVEL 3
#define AUTHZ_SUCCESS_LEVEL 4
#define KDC_AUTHZ_FAILURE_LEVEL 2
#define KDC_AUTHZ_SUCCESS_LEVEL 3
/* 5 is used for both authentication and authorization */
#define AUTH_ANONYMOUS_LEVEL 5
......@@ -32,6 +34,7 @@
#define AUTHZ_JSON_TYPE "Authorization"
#define AUTH_JSON_TYPE "Authentication"
#define KDC_AUTHZ_JSON_TYPE "KDC Authorization"
/*
* JSON message version numbers
......@@ -41,9 +44,11 @@
* increment the major version.
*/
#define AUTH_MAJOR 1
#define AUTH_MINOR 2
#define AUTH_MINOR 3
#define AUTHZ_MAJOR 1
#define AUTHZ_MINOR 1
#define AUTHZ_MINOR 2
#define KDC_AUTHZ_MAJOR 1
#define KDC_AUTHZ_MINOR 0
#include "includes.h"
#include "../lib/tsocket/tsocket.h"
......@@ -124,7 +129,7 @@ static enum event_logon_type get_logon_type(
*
* IF adding a new field please update the minor version number AUTH_MINOR
*
* To process the resulting log lines from the commend line use jq to
* To process the resulting log lines from the command line use jq to
* parse the json.
*
* grep "^ {" log file |
......@@ -144,12 +149,15 @@ static void log_authentication_event_json(
const char *domain_name,
const char *account_name,
struct dom_sid *sid,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info,
enum event_id_type event_id,
int debug_level)
{
struct json_object wrapper = json_empty_object;
struct json_object authentication = json_empty_object;
char negotiate_flags[11];
struct json_object client_policy = json_null_object();
struct json_object server_policy = json_null_object();
char logon_id[19];
int rc = 0;
const char *clientDomain = ui->orig_client.domain_name ?
......@@ -257,12 +265,9 @@ static void log_authentication_event_json(
if (rc != 0) {
goto failure;
}
snprintf(negotiate_flags,
sizeof( negotiate_flags),
"0x%08X",
ui->netlogon_trust_account.negotiate_flags);
rc = json_add_string(
&authentication, "netlogonNegotiateFlags", negotiate_flags);
rc = json_add_flags32(
&authentication, "netlogonNegotiateFlags",
ui->netlogon_trust_account.negotiate_flags);
if (rc != 0) {
goto failure;
}
......@@ -284,6 +289,30 @@ static void log_authentication_event_json(
goto failure;
}
if (client_audit_info != NULL) {
client_policy = json_from_audit_info(client_audit_info);
if (json_is_invalid(&client_policy)) {
goto failure;
}
}
rc = json_add_object(&authentication, "clientPolicyAccessCheck", &client_policy);
if (rc != 0) {
goto failure;
}
if (server_audit_info != NULL) {
server_policy = json_from_audit_info(server_audit_info);
if (json_is_invalid(&server_policy)) {
goto failure;
}
}
rc = json_add_object(&authentication, "serverPolicyAccessCheck", &server_policy);
if (rc != 0) {
goto failure;
}
wrapper = json_new_object();
if (json_is_invalid(&wrapper)) {
goto failure;
......@@ -326,6 +355,8 @@ static void log_authentication_event_json(
json_free(&wrapper);
return;
failure:
json_free(&server_policy);
json_free(&client_policy);
/*
* On a failure authentication will not have been added to wrapper so it
* needs to be freed to avoid a leak.
......@@ -345,7 +376,7 @@ failure:
*
* IF adding a new field please update the minor version number AUTHZ_MINOR
*
* To process the resulting log lines from the commend line use jq to
* To process the resulting log lines from the command line use jq to
* parse the json.
*
* grep "^ {" log_file |\
......@@ -364,11 +395,14 @@ static void log_successful_authz_event_json(
const char *auth_type,
const char *transport_protection,
struct auth_session_info *session_info,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info,
int debug_level)
{
struct json_object wrapper = json_empty_object;
struct json_object authorization = json_empty_object;
char account_flags[11];
struct json_object client_policy = json_null_object();
struct json_object server_policy = json_null_object();
int rc = 0;
authorization = json_new_object();
......@@ -407,7 +441,7 @@ static void log_successful_authz_event_json(
goto failure;
}
rc = json_add_sid(
&authorization, "sid", &session_info->security_token->sids[0]);
&authorization, "sid", &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]);
if (rc != 0) {
goto failure;
}
......@@ -426,12 +460,31 @@ static void log_successful_authz_event_json(
if (rc != 0) {
goto failure;
}
rc = json_add_flags32(&authorization, "accountFlags", session_info->info->acct_flags);
if (rc != 0) {
goto failure;
}
if (client_audit_info != NULL) {
client_policy = json_from_audit_info(client_audit_info);
if (json_is_invalid(&client_policy)) {
goto failure;
}
}
rc = json_add_object(&authorization, "clientPolicyAccessCheck", &client_policy);
if (rc != 0) {
goto failure;
}
if (server_audit_info != NULL) {
server_policy = json_from_audit_info(server_audit_info);
if (json_is_invalid(&server_policy)) {
goto failure;
}
}
snprintf(account_flags,
sizeof(account_flags),
"0x%08X",
session_info->info->acct_flags);
rc = json_add_string(&authorization, "accountFlags", account_flags);
rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy);
if (rc != 0) {
goto failure;
}
......@@ -461,6 +514,8 @@ static void log_successful_authz_event_json(
json_free(&wrapper);
return;
failure:
json_free(&server_policy);
json_free(&client_policy);
/*
* On a failure authorization will not have been added to wrapper so it
* needs to be freed to avoid a leak.
......@@ -471,6 +526,143 @@ failure:
DBG_ERR("Unable to log Authentication event JSON audit message\n");
}
/*
* Log details of an authorization to a service, in a machine parsable json
* format
*
* IF removing or changing the format/meaning of a field please update the
* major version number KDC_AUTHZ_MAJOR
*
* IF adding a new field please update the minor version number KDC_AUTHZ_MINOR
*
* To process the resulting log lines from the command line use jq to
* parse the json.
*
* grep "^ {" log_file |\
* jq -rc '"\(.timestamp)\t
* \(."KDC Authorization".domain)\t
* \(."KDC Authorization".account)\t
* \(."KDC Authorization".remoteAddress)"'
*
*/
static void log_authz_event_json(
struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct tsocket_address *remote,
const struct tsocket_address *local,
const struct authn_audit_info *server_audit_info,
const char *service_description,
const char *auth_type,
const char *domain_name,
const char *account_name,
const struct dom_sid *sid,
const char *logon_server,
const struct timeval authtime,
NTSTATUS status,
int debug_level)
{
struct json_object wrapper = json_empty_object;
struct json_object authorization = json_empty_object;
struct json_object server_policy = json_null_object();
int rc = 0;
authorization = json_new_object();
if (json_is_invalid(&authorization)) {
goto failure;
}
rc = json_add_version(&authorization, KDC_AUTHZ_MAJOR, KDC_AUTHZ_MINOR);
if (rc != 0) {
goto failure;
}
rc = json_add_string(&authorization, "status", nt_errstr(status));
if (rc != 0) {
goto failure;
}
rc = json_add_address(&authorization, "localAddress", local);
if (rc != 0) {
goto failure;
}
rc = json_add_address(&authorization, "remoteAddress", remote);
if (rc != 0) {
goto failure;
}
rc = json_add_string(
&authorization, "serviceDescription", service_description);
if (rc != 0) {
goto failure;
}
rc = json_add_string(&authorization, "authType", auth_type);
if (rc != 0) {
goto failure;
}
rc = json_add_string(&authorization, "domain", domain_name);
if (rc != 0) {
goto failure;
}
rc = json_add_string(&authorization, "account", account_name);
if (rc != 0) {
goto failure;
}
rc = json_add_sid(&authorization, "sid", sid);
if (rc != 0) {
goto failure;
}
rc = json_add_string(&authorization, "logonServer", logon_server);
if (rc != 0) {
goto failure;
}
rc = json_add_time(&authorization, "authTime", authtime);
if (rc != 0) {
goto failure;
}
if (server_audit_info != NULL) {
server_policy = json_from_audit_info(server_audit_info);
if (json_is_invalid(&server_policy)) {
goto failure;
}
}
rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy);
if (rc != 0) {
goto failure;
}
wrapper = json_new_object();
if (json_is_invalid(&wrapper)) {
goto failure;
}
rc = json_add_timestamp(&wrapper);
if (rc != 0) {
goto failure;
}
rc = json_add_string(&wrapper, "type", KDC_AUTHZ_JSON_TYPE);
if (rc != 0) {
goto failure;
}
rc = json_add_object(&wrapper, KDC_AUTHZ_JSON_TYPE, &authorization);
if (rc != 0) {
goto failure;
}
log_json(msg_ctx,
lp_ctx,
&wrapper,
DBGC_AUTH_AUDIT_JSON,
debug_level);
json_free(&wrapper);
return;
failure:
json_free(&server_policy);
/*
* On a failure authorization will not have been added to wrapper so it
* needs to be freed to avoid a leak.
*/
json_free(&authorization);
json_free(&wrapper);
DBG_ERR("Unable to log KDC Authorization event JSON audit message\n");
}
#else
static void log_no_json(struct imessaging_context *msg_ctx,
......@@ -491,8 +683,6 @@ static void log_no_json(struct imessaging_context *msg_ctx,
"compiled with jansson\n");
}
}
return;
}
static void log_authentication_event_json(
......@@ -504,11 +694,12 @@ static void log_authentication_event_json(
const char *domain_name,
const char *account_name,
struct dom_sid *sid,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info,
enum event_id_type event_id,
int debug_level)
{
log_no_json(msg_ctx, lp_ctx);
return;
}
static void log_successful_authz_event_json(
......@@ -520,10 +711,30 @@ static void log_successful_authz_event_json(
const char *auth_type,
const char *transport_protection,
struct auth_session_info *session_info,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info,
int debug_level)
{
log_no_json(msg_ctx, lp_ctx);
}
static void log_authz_event_json(
struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct tsocket_address *remote,
const struct tsocket_address *local,
const struct authn_audit_info *server_audit_info,
const char *service_description,
const char *auth_type,
const char *domain_name,
const char *account_name,
const struct dom_sid *sid,
const char *logon_server,
const struct timeval authtime,
NTSTATUS status,
int debug_level)
{
log_no_json(msg_ctx, lp_ctx);
return;
}
#endif
......@@ -682,7 +893,9 @@ void log_authentication_event(
NTSTATUS status,
const char *domain_name,
const char *account_name,
struct dom_sid *sid)
struct dom_sid *sid,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info)
{
/* set the log level */
int debug_level = AUTH_FAILURE_LEVEL;
......@@ -714,6 +927,8 @@ void log_authentication_event(
domain_name,
account_name,
sid,
client_audit_info,
server_audit_info,
event_id,
debug_level);
}
......@@ -758,7 +973,7 @@ static void log_successful_authz_event_human_readable(
auth_type,
log_escape(frame, session_info->info->domain_name),
log_escape(frame, session_info->info->account_name),
dom_sid_str_buf(&session_info->security_token->sids[0],
dom_sid_str_buf(&session_info->security_token->sids[PRIMARY_USER_SID_INDEX],
&sid_buf),
ts,
remote_str,
......@@ -787,7 +1002,9 @@ void log_successful_authz_event(
const char *service_description,
const char *auth_type,
const char *transport_protection,
struct auth_session_info *session_info)
struct auth_session_info *session_info,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info)
{
int debug_level = AUTHZ_SUCCESS_LEVEL;
......@@ -813,6 +1030,54 @@ void log_successful_authz_event(
auth_type,
transport_protection,
session_info,
client_audit_info,
server_audit_info,
debug_level);
}
}
/*
* Log details of an authorization to a service.
*
* NOTE: msg_ctx and lp_ctx are optional, but when supplied, allow streaming the
* authorization events over the message bus.
*/
void log_authz_event(
struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct tsocket_address *remote,
const struct tsocket_address *local,
const struct authn_audit_info *server_audit_info,
const char *service_description,
const char *auth_type,
const char *domain_name,
const char *account_name,
const struct dom_sid *sid,
const char *logon_server,
const struct timeval authtime,
NTSTATUS status)
{
/* set the log level */
int debug_level = KDC_AUTHZ_FAILURE_LEVEL;
if (NT_STATUS_IS_OK(status)) {
debug_level = KDC_AUTHZ_SUCCESS_LEVEL;
}
if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT_JSON, debug_level) ||
(msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) {
log_authz_event_json(msg_ctx, lp_ctx,
remote,
local,
server_audit_info,
service_description,
auth_type,
domain_name,
account_name,
sid,
logon_server,
authtime,
status,
debug_level);
}
}
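Review bot: The new `failure:` cleanup in log_authentication_event_json(), log_successful_authz_event_json() and log_authz_event_json() frees `client_policy`/`server_policy` after they may already have been handed to the parent via `json_add_object(&authentication, "clientPolicyAccessCheck", &client_policy)`; jansson's set_new steals the reference, so if json_add_object() does not reset the passed-in object (not visible in this diff), a later failure such as `wrapper = json_new_object()` coming back invalid decrefs the same root twice, once directly and once when `authentication` is freed. The existing comment "On a failure authentication will not have been added to wrapper" relied on the add being the last fallible step, which no longer holds for the policy sub-objects. A cheap local fix is to drop ownership right after each successful add, e.g. `client_policy = json_empty_object;` following the `rc != 0` check, and likewise for `server_policy` in all three functions. Alternatively document in json_add_object() that it clears `value` on success, if it already does.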
......@@ -47,13 +47,18 @@ struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx,
NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
struct netr_SamInfo6 **_sam6);
enum auth_group_inclusion group_inclusion,
struct netr_SamInfo6 **_sam6,
struct PAC_DOMAIN_GROUP_MEMBERSHIP **_resource_groups);
NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
enum auth_group_inclusion group_inclusion,
struct netr_SamInfo2 **_sam2);
NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
struct netr_SamInfo3 **_sam3);
enum auth_group_inclusion group_inclusion,
struct netr_SamInfo3 **_sam3,
struct PAC_DOMAIN_GROUP_MEMBERSHIP **_resource_groups);
/**
* Make a user_info_dc struct from the info3 returned by a domain logon
......@@ -71,6 +76,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
const struct PAC_LOGON_INFO *pac_logon_info,
const struct PAC_UPN_DNS_INFO *pac_upn_dns_info,
enum auth_group_inclusion group_inclusion,
struct auth_user_info_dc **_user_info_dc);
/* The following definitions come from auth/wbc_auth_util.c */
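Review bot: The new `group_inclusion` and `_resource_groups` parameters on auth_convert_user_info_dc_saminfo6()/saminfo3() and make_user_info_dc_pac() are undocumented in the header, so a caller cannot tell whether `_resource_groups` may be NULL when the caller does not want them, or that the result is allocated on `mem_ctx`. A short comment above the first prototype would settle both, along the lines of `/* _resource_groups, if non-NULL, receives the PAC resource groups (allocated on mem_ctx); group_inclusion selects which group sets end up in the SamInfo */` — adjust to what the implementation, which is outside this hunk, actually guarantees.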
/*
Unix SMB/CIFS implementation.
Samba Active Directory authentication policy functions
Copyright (C) Catalyst.Net Ltd 2023
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "lib/replace/replace.h"
#include "auth/authn_policy.h"
#include "auth/authn_policy_impl.h"
bool authn_policy_is_enforced(const struct authn_policy *policy)
{
return policy->enforced;
}
/* Authentication policies for Kerberos clients. */
/* Is an authentication policy enforced? */
bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client_policy *policy)
{
return authn_policy_is_enforced(&policy->policy);
}
/* Get the raw TGT lifetime enforced by an authentication policy. */
int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy)
{
if (policy == NULL) {
return 0;
}
if (!authn_policy_is_enforced(&policy->policy)) {
return 0;
}
return policy->tgt_lifetime_raw;
}
/* Auditing information. */
enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info)
{
bool is_enforced;
if (audit_info->event == AUTHN_AUDIT_EVENT_OK) {
/* We didn’t get an error. */
return AUTH_EVT_ID_NONE;
}
if (audit_info->policy == NULL) {
/*
* We got an error, but there’s no policy, so it must have
* stemmed from something else.
*/
return AUTH_EVT_ID_NONE;
}
is_enforced = authn_policy_is_enforced(audit_info->policy);
switch (audit_info->event) {
case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION:
if (is_enforced) {
return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION;
}
return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION_AUDIT;
case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION:
if (is_enforced) {
return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION;
}
return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION_AUDIT;
case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION:
if (is_enforced) {
return AUTH_EVT_ID_NTLM_DEVICE_RESTRICTION;
}
/* No relevant event ID. */
break;
case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION:
case AUTHN_AUDIT_EVENT_OTHER_ERROR:
default:
/* No relevant event ID. */
break;
}
return AUTH_EVT_ID_NONE;
}
const char *authn_audit_info_silo_name(const struct authn_audit_info *audit_info)
{
if (audit_info->policy == NULL) {
return NULL;
}
return audit_info->policy->silo_name;
}
const char *authn_audit_info_policy_name(const struct authn_audit_info *audit_info)
{
if (audit_info->policy == NULL) {
return NULL;
}
return audit_info->policy->policy_name;
}
const bool *authn_audit_info_policy_enforced(const struct authn_audit_info *audit_info)
{
if (audit_info->policy == NULL) {
return NULL;
}
return &audit_info->policy->enforced;
}
const struct auth_user_info_dc *authn_audit_info_client_info(const struct authn_audit_info *audit_info)
{
return audit_info->client_info;
}
const char *authn_audit_info_event(const struct authn_audit_info *audit_info)
{
switch (audit_info->event) {
case AUTHN_AUDIT_EVENT_OK:
return "OK";
case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION:
return "KERBEROS_DEVICE_RESTRICTION";
case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION:
return "KERBEROS_SERVER_RESTRICTION";
case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION:
return "NTLM_DEVICE_RESTRICTION";
case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION:
return "NTLM_SERVER_RESTRICTION";
case AUTHN_AUDIT_EVENT_OTHER_ERROR:
default:
return "OTHER_ERROR";
}
}
const char *authn_audit_info_reason(const struct authn_audit_info *audit_info)
{
switch (audit_info->reason) {
case AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID:
return "DESCRIPTOR_INVALID";
case AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER:
return "DESCRIPTOR_NO_OWNER";
case AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE:
return "SECURITY_TOKEN_FAILURE";
case AUTHN_AUDIT_REASON_ACCESS_DENIED:
return "ACCESS_DENIED";
case AUTHN_AUDIT_REASON_FAST_REQUIRED:
return "FAST_REQUIRED";
case AUTHN_AUDIT_REASON_NONE:
default:
return NULL;
}
}
NTSTATUS authn_audit_info_policy_status(const struct authn_audit_info *audit_info)
{
return audit_info->policy_status;
}
const char *authn_audit_info_location(const struct authn_audit_info *audit_info)
{
return audit_info->location;
}
struct authn_int64_optional authn_audit_info_policy_tgt_lifetime_mins(const struct authn_audit_info *audit_info)
{
int64_t lifetime;
if (!audit_info->tgt_lifetime_raw.is_present) {
return authn_int64_none();
}
lifetime = audit_info->tgt_lifetime_raw.val;
lifetime /= INT64_C(1000) * 1000 * 10 * 60;
return authn_int64_some(lifetime);
}
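Review bot: authn_kerberos_client_policy_is_enforced() dereferences `policy` unconditionally, while the neighbouring authn_policy_enforced_tgt_lifetime_raw() explicitly treats `policy == NULL` as "no policy" and returns 0; the two accessors on the same type should agree, since a caller that learned NULL is acceptable from the second will crash on the first. Either add `if (policy == NULL) { return false; }` at the top, or comment on the prototype that a NULL policy is a caller bug. The same question applies to the authn_audit_info_*() accessors, which all dereference `audit_info` without a check. Minor: the comments at "We didn’t get an error." and "there’s no policy" use a non-ASCII apostrophe; the rest of the tree uses plain `'`.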
/*
Unix SMB/CIFS implementation.
Samba Active Directory authentication policy functions
Copyright (C) Catalyst.Net Ltd 2023
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef KDC_AUTHN_POLICY_H
#define KDC_AUTHN_POLICY_H
#include "lib/replace/replace.h"
#include "libcli/util/ntstatus.h"
#include "librpc/gen_ndr/windows_event_ids.h"
/* Authentication policies for Kerberos clients. */
struct authn_kerberos_client_policy;
/* Is an authentication policy enforced? */
bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client_policy *policy);
/* Get the raw TGT lifetime enforced by an authentication policy. */
int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy);
/* Auditing information. */
struct authn_audit_info;
/* This enum should be kept in sync with authn_audit_info_event(). */
enum authn_audit_event {
AUTHN_AUDIT_EVENT_OK = 0,
AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION,
AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION,
AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION,
AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION,
AUTHN_AUDIT_EVENT_OTHER_ERROR,
};
/* This enum should be kept in sync with authn_audit_info_reason(). */
enum authn_audit_reason {
AUTHN_AUDIT_REASON_NONE = 0,
AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID,
AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER,
AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE,
AUTHN_AUDIT_REASON_ACCESS_DENIED,
AUTHN_AUDIT_REASON_FAST_REQUIRED,
};
enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info);
const char *authn_audit_info_silo_name(const struct authn_audit_info *audit_info);
const char *authn_audit_info_policy_name(const struct authn_audit_info *audit_info);
const bool *authn_audit_info_policy_enforced(const struct authn_audit_info *audit_info);
const struct auth_user_info_dc *authn_audit_info_client_info(const struct authn_audit_info *audit_info);
const char *authn_audit_info_event(const struct authn_audit_info *audit_info);
const char *authn_audit_info_reason(const struct authn_audit_info *audit_info);
NTSTATUS authn_audit_info_policy_status(const struct authn_audit_info *audit_info);
const char *authn_audit_info_location(const struct authn_audit_info *audit_info);
struct authn_int64_optional {
bool is_present;
int64_t val;
};
struct authn_int64_optional authn_audit_info_policy_tgt_lifetime_mins(const struct authn_audit_info *audit_info);
#endif
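Review bot: authn_audit_info_client_info() returns `const struct auth_user_info_dc *` but the header never declares that struct and includes only replace.h, ntstatus.h and windows_event_ids.h, so unless one of those pulls it in transitively the tag is first seen inside the prototype and is scoped to it, which compilers warn about and which breaks use by callers that include this header first. Add `struct auth_user_info_dc;` next to the other forward declarations before the accessor prototypes. Also, the include guard `KDC_AUTHN_POLICY_H` names the KDC although the file lives in auth/ and is consumed by the NTLM path too; `AUTH_AUTHN_POLICY_H` would match the location and the sibling headers.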
/*
/*
Unix SMB/CIFS implementation.
Utility functions for Samba
Copyright (C) Jelmer Vernooij 2008
Samba Active Directory authentication policy private implementation details
Copyright (C) Catalyst.Net Ltd 2023
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef __SAMBA_COM_H__
#define __SAMBA_COM_H__
#ifndef KDC_AUTHN_POLICY_IMPL_H
#define KDC_AUTHN_POLICY_IMPL_H
#include <talloc.h>
#include "librpc/gen_ndr/misc.h"
#include "lib/replace/replace.h"
struct com_context;
struct tevent_context;
#include "auth/authn_policy.h"
#include "lib/util/data_blob.h"
#include "libcli/util/ntstatus.h"
struct com_context
{
struct dcom_client_context *dcom;
struct tevent_context *event_ctx;
struct com_extension {
uint32_t id;
void *data;
struct com_extension *prev, *next;
} *extensions;
struct loadparm_context *lp_ctx;
struct authn_policy {
const char *silo_name;
const char *policy_name;
bool enforced;
};
struct IUnknown *com_class_by_clsid(struct com_context *ctx, const struct GUID *clsid);
NTSTATUS com_register_running_class(TALLOC_CTX *ctx, struct GUID *clsid, const char *progid, struct IUnknown *p);
bool authn_policy_is_enforced(const struct authn_policy *policy);
struct dcom_interface_p *dcom_get_local_iface_p(struct GUID *ipid);
struct authn_kerberos_client_policy {
struct authn_policy policy;
DATA_BLOB allowed_to_authenticate_from;
int64_t tgt_lifetime_raw;
};
WERROR com_init_ctx(struct com_context **ctx, struct tevent_context *event_ctx);
WERROR com_create_object(struct com_context *ctx, struct GUID *clsid, int num_ifaces, struct GUID *iid, struct IUnknown **ip, WERROR *results);
WERROR com_get_class_object(struct com_context *ctx, struct GUID *clsid, struct GUID *iid, struct IUnknown **ip);
NTSTATUS com_init(void);
struct authn_ntlm_client_policy {
struct authn_policy policy;
DATA_BLOB allowed_to_authenticate_from;
bool allowed_ntlm_network_auth;
};
typedef struct IUnknown *(*get_class_object_function) (const struct GUID *clsid);
struct authn_server_policy {
struct authn_policy policy;
DATA_BLOB allowed_to_authenticate_to;
};
/* Auditing information. */
struct authn_audit_info {
struct authn_policy *policy;
const struct auth_user_info_dc *client_info;
enum authn_audit_event event;
enum authn_audit_reason reason;
NTSTATUS policy_status;
const char *location;
struct authn_int64_optional tgt_lifetime_raw;
};
static inline struct authn_int64_optional authn_int64_some(const int64_t val)
{
return (struct authn_int64_optional) {
.is_present = true,
.val = val,
};
}
static inline struct authn_int64_optional authn_int64_none(void)
{
return (struct authn_int64_optional) {
.is_present = false,
};
}
#endif /* __SAMBA_COM_H__ */
#endif
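Review bot: `struct authn_audit_info` in the new `KDC_AUTHN_POLICY_IMPL_H` header keeps `policy` and `client_info` as bare pointers, and neither the struct nor the accessors declared alongside it say who owns those objects or how long they must remain valid; if an audit record is kept past the authentication step that created it, a dangling `client_info` would surface as a use-after-free in the audit logger rather than at the point of the mistake. A comment on the two fields would settle it, e.g. `/* policy and client_info are borrowed, not owned: the creator must keep them alive for the life of this record — TODO confirm against the constructor */`, adjusted to whatever the constructor actually does (it is not in this diff). As smaller points, `policy` could be `const struct authn_policy *` since every accessor takes a `const struct authn_audit_info *`, and `authn_int64_none()` relies on the compound literal zero-filling `.val`, which is correct but worth a one-line comment.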
......@@ -37,7 +37,7 @@ enum auth_password_state {
#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privilages, rather than a DB */
#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privileges, rather than a DB */
#define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must have the unix_token and unix_info elements provided */
#define AUTH_SESSION_INFO_NTLM 0x10 /* The returned token must have authenticated-with-NTLM flag set */
......@@ -177,14 +177,17 @@ struct auth4_context {
* NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
* authentication events over the message bus.
*/
struct authn_audit_info;
void log_authentication_event(struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct timeval *start_time,
const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *account_name,
const char *domain_name,
struct dom_sid *sid);
const char *account_name,
struct dom_sid *sid,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info);
/*
* Log details of a successful authorization to a service.
......@@ -206,5 +209,29 @@ void log_successful_authz_event(struct imessaging_context *msg_ctx,
const char *service_description,
const char *auth_type,
const char *transport_protection,
struct auth_session_info *session_info);
struct auth_session_info *session_info,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info);
/*
* Log details of an authorization to a service.
*
* NOTE: msg_ctx and lp_ctx are optional, but when supplied, allow streaming the
* authorization events over the message bus.
*/
void log_authz_event(
struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct tsocket_address *remote,
const struct tsocket_address *local,
const struct authn_audit_info *server_audit_info,
const char *service_description,
const char *auth_type,
const char *domain_name,
const char *account_name,
const struct dom_sid *sid,
const char *logon_server,
const struct timeval authtime,
NTSTATUS status);
#endif
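Review bot: The new `log_authentication_event` prototype swaps the order of `domain_name` and `account_name` relative to the old one (old: account_name, domain_name; new: domain_name, account_name); both are `const char *`, so a caller that keeps the old order compiles cleanly and logs the two fields swapped. The two appended `authn_audit_info` parameters force every existing caller to be touched in this commit, which limits the immediate risk, but a comment on the prototype would protect future callers: `/* NOTE: domain_name precedes account_name (order changed when audit info was added). */`. The new `log_authz_event` uses the same domain-before-account order, so the header is at least internally consistent, but it takes `const struct dom_sid *sid` and `authtime` by value where the older functions take `struct dom_sid *` and `const struct timeval *`; aligning the const-ness and pass-by-pointer convention across the three would be worthwhile while the signatures are already changing.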
......@@ -210,7 +210,7 @@ _PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred)
*
* @param[in] obtained A pointer to store the obtained information.
*
* return The user name or NULL if an error occured.
* return The user name or NULL if an error occurred.
*/
_PUBLIC_ const char *
cli_credentials_get_username_and_obtained(struct cli_credentials *cred,
......@@ -259,7 +259,7 @@ _PUBLIC_ bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
* Obtain the BIND DN for this credentials context.
* @param cred credentials context
* @retval The username set on this context.
* @note Return value will be NULL if not specified explictly
* @note Return value will be NULL if not specified explicitly
*/
_PUBLIC_ const char *cli_credentials_get_bind_dn(struct cli_credentials *cred)
{
......@@ -459,7 +459,7 @@ _PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred)
*
* @param[in] obtained A pointer to store the obtained information.
*
* return The user name or NULL if an error occured.
* return The user name or NULL if an error occurred.
*/
_PUBLIC_ const char *
cli_credentials_get_password_and_obtained(struct cli_credentials *cred,
......@@ -1290,7 +1290,7 @@ _PUBLIC_ void cli_credentials_set_secure_channel_type(struct cli_credentials *cr
}
/**
* Return NETLOGON secure chanel type
* Return NETLOGON secure channel type
*/
_PUBLIC_ time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred)
......@@ -1309,7 +1309,7 @@ _PUBLIC_ void cli_credentials_set_password_last_changed_time(struct cli_credenti
}
/**
* Return NETLOGON secure chanel type
* Return NETLOGON secure channel type
*/
_PUBLIC_ enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred)
......@@ -1556,7 +1556,7 @@ _PUBLIC_ bool cli_credentials_parse_password_fd(struct cli_credentials *credenti
char pass[128];
for(p = pass, *p = '\0'; /* ensure that pass is null-terminated */
p && p - pass < sizeof(pass);) {
p && p - pass < sizeof(pass) - 1;) {
switch (read(fd, p, 1)) {
case 1:
if (*p != '\n' && *p != '\0') {
......@@ -1619,7 +1619,7 @@ _PUBLIC_ bool cli_credentials_set_smb_signing(struct cli_credentials *creds,
* @param[in] creds The credential structure to obtain the SMB signing state
* from.
*
* @return The SMB singing state.
* @return The SMB signing state.
*/
_PUBLIC_ enum smb_signing_setting
cli_credentials_get_smb_signing(struct cli_credentials *creds)
......@@ -1658,7 +1658,7 @@ cli_credentials_set_smb_ipc_signing(struct cli_credentials *creds,
* @param[in] creds The credential structure to obtain the SMB IPC signing
* state from.
*
* @return The SMB singing state.
* @return The SMB signing state.
*/
_PUBLIC_ enum smb_signing_setting
cli_credentials_get_smb_ipc_signing(struct cli_credentials *creds)
......@@ -1858,7 +1858,7 @@ _PUBLIC_ void cli_credentials_dump(struct cli_credentials *creds)
* @param[in] creds The credential structure to obtain the SMB encryption state
* from.
*
* @return The SMB singing state.
* @return The SMB signing state.
*/
_PUBLIC_ enum smb_encryption_setting
cli_credentials_get_smb_encryption(struct cli_credentials *creds)
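Review bot: With the loop bound changed to `sizeof(pass) - 1`, a password of 127 or more bytes with no newline now ends the loop with the buffer full instead of overrunning it, but nothing visible in the hunk reports that the value was truncated; for a credential, silent truncation means authenticating with a different password than the one supplied, which is hard to diagnose from the resulting logon failure. Consider checking after the loop whether `p - pass == sizeof(pass) - 1` and the next byte is neither newline nor EOF, and failing the parse in that case — the remainder of `cli_credentials_parse_password_fd` is outside the hunk, so this may already be handled there. The comparison also mixes `ptrdiff_t` with `size_t`; it is safe here because `p >= pass`, but `(size_t)(p - pass) < sizeof(pass) - 1` makes that explicit and keeps `-Wsign-compare` quiet.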
/*
/*
samba -- Unix SMB/CIFS implementation.
Client credentials structure
......@@ -10,12 +10,12 @@
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
......@@ -42,7 +42,7 @@ enum smb_signing_setting;
enum smb_encryption_setting;
/* In order of priority */
enum credentials_obtained {
enum credentials_obtained {
CRED_UNINITIALISED = 0, /* We don't even have a guess yet */
CRED_SMB_CONF, /* Current value should be used, which comes from smb.conf */
CRED_CALLBACK, /* Callback should be used to obtain value */
......@@ -81,8 +81,8 @@ enum credentials_krb_forwardable {
#define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
const char *cli_credentials_get_workstation(struct cli_credentials *cred);
bool cli_credentials_set_workstation(struct cli_credentials *cred,
const char *val,
bool cli_credentials_set_workstation(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained);
bool cli_credentials_is_anonymous(struct cli_credentials *cred);
struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx);
......@@ -93,29 +93,29 @@ bool cli_credentials_wrong_password(struct cli_credentials *cred);
const char *cli_credentials_get_password(struct cli_credentials *cred);
const char *cli_credentials_get_password_and_obtained(struct cli_credentials *cred,
enum credentials_obtained *obtained);
void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
const char **username,
void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
const char **username,
const char **domain);
NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
int *flags,
DATA_BLOB challenge,
const NTTIME *server_timestamp,
DATA_BLOB target_info,
DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
const char *cli_credentials_get_realm(struct cli_credentials *cred);
const char *cli_credentials_get_username(struct cli_credentials *cred);
const char *cli_credentials_get_username_and_obtained(struct cli_credentials *cred,
enum credentials_obtained *obtained);
int cli_credentials_get_krb5_context(struct cli_credentials *cred,
int cli_credentials_get_krb5_context(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct smb_krb5_context **smb_krb5_context);
int cli_credentials_get_ccache(struct cli_credentials *cred,
int cli_credentials_get_ccache(struct cli_credentials *cred,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct ccache_container **ccc,
const char **error_string);
int cli_credentials_get_named_ccache(struct cli_credentials *cred,
int cli_credentials_get_named_ccache(struct cli_credentials *cred,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
char *ccache_name,
......@@ -123,7 +123,7 @@ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
bool cli_credentials_failed_kerberos_login(struct cli_credentials *cred,
const char *principal,
unsigned int *count);
int cli_credentials_get_keytab(struct cli_credentials *cred,
int cli_credentials_get_keytab(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct keytab_container **_ktc);
const char *cli_credentials_get_domain(struct cli_credentials *cred);
......@@ -133,10 +133,10 @@ void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
bool cli_credentials_set_conf(struct cli_credentials *cred,
struct loadparm_context *lp_ctx);
char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc);
int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc,
......@@ -148,22 +148,22 @@ bool cli_credentials_set_kerberos_state(struct cli_credentials *creds,
enum credentials_obtained obtained);
void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
enum credentials_krb_forwardable krb_forwardable);
bool cli_credentials_set_domain(struct cli_credentials *cred,
const char *val,
bool cli_credentials_set_domain(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained);
bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
const char *(*domain_cb) (struct cli_credentials *));
bool cli_credentials_set_username(struct cli_credentials *cred,
bool cli_credentials_set_username(struct cli_credentials *cred,
const char *val, enum credentials_obtained obtained);
bool cli_credentials_set_username_callback(struct cli_credentials *cred,
const char *(*username_cb) (struct cli_credentials *));
bool cli_credentials_set_principal(struct cli_credentials *cred,
const char *val,
bool cli_credentials_set_principal(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained);
bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
const char *(*principal_cb) (struct cli_credentials *));
bool cli_credentials_set_password(struct cli_credentials *cred,
const char *val,
bool cli_credentials_set_password(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained);
struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
......@@ -171,8 +171,8 @@ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
TALLOC_CTX *mem_ctx);
struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_credentials *cred,
TALLOC_CTX *mem_ctx);
bool cli_credentials_set_realm(struct cli_credentials *cred,
const char *val,
bool cli_credentials_set_realm(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained);
void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
enum netr_SchannelType secure_channel_type);
......@@ -181,7 +181,7 @@ void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred
void cli_credentials_set_netlogon_creds(
struct cli_credentials *cred,
const struct netlogon_creds_CredentialState *netlogon_creds);
NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
struct smb_krb5_context *smb_krb5_context);
NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
......@@ -206,7 +206,7 @@ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred
bool cli_credentials_authentication_requested(struct cli_credentials *cred);
bool cli_credentials_guess(struct cli_credentials *cred,
struct loadparm_context *lp_ctx);
bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
const char *bind_dn);
const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);
bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
......@@ -224,8 +224,9 @@ bool cli_credentials_set_old_utf16_password(struct cli_credentials *cred,
const DATA_BLOB *password_utf16);
void cli_credentials_set_password_will_be_nt_hash(struct cli_credentials *cred,
bool val);
bool cli_credentials_is_password_nt_hash(struct cli_credentials *cred);
bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
const struct samr_Password *nt_hash,
const struct samr_Password *nt_hash,
enum credentials_obtained obtained);
bool cli_credentials_set_old_nt_hash(struct cli_credentials *cred,
const struct samr_Password *nt_hash);
......@@ -235,23 +236,23 @@ bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
const DATA_BLOB *nt_response,
const DATA_BLOB *nt_session_key,
enum credentials_obtained obtained);
int cli_credentials_set_keytab_name(struct cli_credentials *cred,
int cli_credentials_set_keytab_name(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
const char *keytab_name,
const char *keytab_name,
enum credentials_obtained obtained);
bool cli_credentials_set_gensec_features(struct cli_credentials *creds,
uint32_t gensec_features,
enum credentials_obtained obtained);
uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
int cli_credentials_set_ccache(struct cli_credentials *cred,
int cli_credentials_set_ccache(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
const char *name,
const char *name,
enum credentials_obtained obtained,
const char **error_string);
bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained);
bool cli_credentials_parse_password_fd(struct cli_credentials *credentials,
bool cli_credentials_parse_password_fd(struct cli_credentials *credentials,
int fd, enum credentials_obtained obtained);
void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
enum credentials_obtained obtained);
void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal);
void cli_credentials_set_impersonate_principal(struct cli_credentials *cred,
......@@ -265,11 +266,11 @@ const char *cli_credentials_get_target_service(struct cli_credentials *cred);
enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *cred);
enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct ldb_context *ldb,
const char *base,
const char *filter,
const char *filter,
char **error_string);
int cli_credentials_get_kvno(struct cli_credentials *cred);
......@@ -283,8 +284,8 @@ bool cli_credentials_set_username_callback(struct cli_credentials *cred,
* @note Return value will never be NULL except by programmer error.
*/
char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained);
bool cli_credentials_set_principal(struct cli_credentials *cred,
const char *val,
bool cli_credentials_set_principal(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained);
bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
const char *(*principal_cb) (struct cli_credentials *));
......@@ -295,8 +296,8 @@ bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
* @retval If set, the cleartext password, otherwise NULL
*/
const char *cli_credentials_get_old_password(struct cli_credentials *cred);
bool cli_credentials_set_old_password(struct cli_credentials *cred,
const char *val,
bool cli_credentials_set_old_password(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained);
bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
const char *(*domain_cb) (struct cli_credentials *));
......@@ -336,7 +337,7 @@ bool cli_credentials_set_cmdline_callbacks(struct cli_credentials *cred);
void cli_credentials_dump(struct cli_credentials *creds);
/**
* Return attached NETLOGON credentials
* Return attached NETLOGON credentials
*/
struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
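Review bot: The added prototype `cli_credentials_is_password_nt_hash` carries no comment, and in this header a wrong reading of a name like that decides whether a buffer is treated as a cleartext password or as an NT hash. A one-line doc would help, e.g. `/* True if the password stored on cred is to be interpreted as an NT hash (see cli_credentials_set_password_will_be_nt_hash()). */` — this assumes it reports the flag recorded by that setter, which the hunk does not show, so adjust to the actual implementation. Nearly every other hunk in this file only strips trailing whitespace.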
......@@ -110,7 +110,7 @@ struct cli_credentials {
/* Should we get a forwardable ticket? */
enum credentials_krb_forwardable krb_forwardable;
/* Forced SASL mechansim */
/* Forced SASL mechanism */
char *forced_sasl_mech;
/* gensec features which should be used for connections */
/*
/*
Unix SMB/CIFS implementation.
Handle user credentials (as regards krb5)
......@@ -6,17 +6,17 @@
Copyright (C) Jelmer Vernooij 2005
Copyright (C) Tim Potter 2001
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
......@@ -192,9 +192,9 @@ static uint32_t smb_gss_krb5_copy_ccache(uint32_t *min_stat,
ccc->ccache);
}
_PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred,
_PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct smb_krb5_context **smb_krb5_context)
struct smb_krb5_context **smb_krb5_context)
{
int ret;
if (cred->smb_krb5_context) {
......@@ -215,7 +215,7 @@ _PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred,
/* For most predictable behaviour, this needs to be called directly after the cli_credentials_init(),
* otherwise we may still have references to the old smb_krb5_context in a credential cache etc
*/
_PUBLIC_ NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
_PUBLIC_ NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
struct smb_krb5_context *smb_krb5_context)
{
if (smb_krb5_context == NULL) {
......@@ -231,7 +231,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
return NT_STATUS_OK;
}
static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
struct ccache_container *ccache,
enum credentials_obtained obtained,
const char **error_string)
......@@ -246,7 +246,7 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
return 0;
}
ret = krb5_cc_get_principal(ccache->smb_krb5_context->krb5_context,
ret = krb5_cc_get_principal(ccache->smb_krb5_context->krb5_context,
ccache->ccache, &princ);
if (ret) {
......@@ -255,7 +255,7 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
ret, cred));
return ret;
}
ret = krb5_unparse_name(ccache->smb_krb5_context->krb5_context, princ, &name);
if (ret) {
(*error_string) = talloc_asprintf(cred, "failed to unparse principal from ccache: %s\n",
......@@ -289,7 +289,7 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
return 0;
}
_PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred,
_PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
const char *name,
enum credentials_obtained obtained,
......@@ -594,7 +594,7 @@ _PUBLIC_ bool cli_credentials_failed_kerberos_login(struct cli_credentials *cred
}
static int cli_credentials_new_ccache(struct cli_credentials *cred,
static int cli_credentials_new_ccache(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
char *ccache_name,
struct ccache_container **_ccc,
......@@ -625,10 +625,10 @@ static int cli_credentials_new_ccache(struct cli_credentials *cred,
must_free_cc_name = true;
if (lpcfg_parm_bool(lp_ctx, NULL, "credentials", "krb5_cc_file", false)) {
ccache_name = talloc_asprintf(ccc, "FILE:/tmp/krb5_cc_samba_%u_%p",
ccache_name = talloc_asprintf(ccc, "FILE:/tmp/krb5_cc_samba_%u_%p",
(unsigned int)getpid(), ccc);
} else {
ccache_name = talloc_asprintf(ccc, "MEMORY:%p",
ccache_name = talloc_asprintf(ccc, "MEMORY:%p",
ccc);
}
......@@ -639,7 +639,7 @@ static int cli_credentials_new_ccache(struct cli_credentials *cred,
}
}
ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, ccache_name,
ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, ccache_name,
&ccc->ccache);
if (ret) {
(*error_string) = talloc_asprintf(cred, "failed to resolve a krb5 ccache (%s): %s\n",
......@@ -666,7 +666,7 @@ static int cli_credentials_new_ccache(struct cli_credentials *cred,
return 0;
}
_PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
_PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
char *ccache_name,
......@@ -675,12 +675,12 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
{
krb5_error_code ret;
enum credentials_obtained obtained;
if (cred->machine_account_pending) {
cli_credentials_set_machine_account(cred, lp_ctx);
}
if (cred->ccache_obtained >= cred->ccache_threshold &&
if (cred->ccache_obtained >= cred->ccache_threshold &&
cred->ccache_obtained > CRED_UNINITIALISED) {
time_t lifetime;
bool expired = false;
......@@ -696,7 +696,7 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
cli_credentials_get_principal(cred, cred)));
expired = true;
} else if (lifetime < 300) {
DEBUG(3, ("Ticket in credentials cache for %s will shortly expire (%u secs), will refresh\n",
DEBUG(3, ("Ticket in credentials cache for %s will shortly expire (%u secs), will refresh\n",
cli_credentials_get_principal(cred, cred), (unsigned int)lifetime));
expired = true;
}
......@@ -707,9 +707,9 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
return ret;
}
DEBUG(5, ("Ticket in credentials cache for %s will expire in %u secs\n",
DEBUG(5, ("Ticket in credentials cache for %s will expire in %u secs\n",
cli_credentials_get_principal(cred, cred), (unsigned int)lifetime));
if (!expired) {
*ccc = cred->ccache;
return 0;
......@@ -730,9 +730,9 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
return ret;
}
ret = cli_credentials_set_from_ccache(cred, *ccc,
ret = cli_credentials_set_from_ccache(cred, *ccc,
obtained, error_string);
cred->ccache = *ccc;
cred->ccache_obtained = cred->principal_obtained;
if (ret) {
......@@ -742,7 +742,7 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
return 0;
}
_PUBLIC_ int cli_credentials_get_ccache(struct cli_credentials *cred,
_PUBLIC_ int cli_credentials_get_ccache(struct cli_credentials *cred,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct ccache_container **ccc,
......@@ -761,7 +761,7 @@ static void cli_credentials_unconditionally_invalidate_client_gss_creds(struct c
cred->client_gss_creds_obtained = CRED_UNINITIALISED;
}
void cli_credentials_invalidate_client_gss_creds(struct cli_credentials *cred,
void cli_credentials_invalidate_client_gss_creds(struct cli_credentials *cred,
enum credentials_obtained obtained)
{
/* If the caller just changed the username/password etc, then
......@@ -794,7 +794,7 @@ static void cli_credentials_unconditionally_invalidate_ccache(struct cli_credent
cli_credentials_unconditionally_invalidate_client_gss_creds(cred);
}
_PUBLIC_ void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
_PUBLIC_ void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
enum credentials_obtained obtained)
{
/* If the caller just changed the username/password etc, then
......@@ -814,7 +814,7 @@ _PUBLIC_ void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
cred->ccache_threshold = obtained;
}
cli_credentials_invalidate_client_gss_creds(cred,
cli_credentials_invalidate_client_gss_creds(cred,
obtained);
}
......@@ -825,7 +825,7 @@ static int free_gssapi_creds(struct gssapi_creds_container *gcc)
return 0;
}
_PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
_PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc,
......@@ -841,12 +841,12 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
#endif
krb5_enctype *etypes = NULL;
if (cred->client_gss_creds_obtained >= cred->client_gss_creds_threshold &&
if (cred->client_gss_creds_obtained >= cred->client_gss_creds_threshold &&
cred->client_gss_creds_obtained > CRED_UNINITIALISED) {
bool expired = false;
OM_uint32 lifetime = 0;
gss_cred_usage_t usage = 0;
maj_stat = gss_inquire_cred(&min_stat, cred->client_gss_creds->creds,
maj_stat = gss_inquire_cred(&min_stat, cred->client_gss_creds->creds,
NULL, &lifetime, &usage, NULL);
if (maj_stat == GSS_S_CREDENTIALS_EXPIRED) {
DEBUG(3, ("Credentials for %s expired, must refresh credentials cache\n", cli_credentials_get_principal(cred, cred)));
......@@ -862,9 +862,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
if (expired) {
cli_credentials_unconditionally_invalidate_client_gss_creds(cred);
} else {
DEBUG(5, ("GSSAPI credentials for %s will expire in %u secs\n",
DEBUG(5, ("GSSAPI credentials for %s will expire in %u secs\n",
cli_credentials_get_principal(cred, cred), (unsigned int)lifetime));
*_gcc = cred->client_gss_creds;
return 0;
}
......@@ -945,7 +945,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, gcc->creds,
num_ktypes,
(int32_t *) etypes);
SAFE_FREE(etypes);
krb5_free_enctypes(ccache->smb_krb5_context->krb5_context,
etypes);
if (maj_stat) {
talloc_free(gcc);
if (min_stat) {
......@@ -994,13 +995,13 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
This grabs the credentials both 'intact' and getting the krb5
ccache out of it. This routine can be generalised in future for
the case where we deal with GSSAPI mechs other than krb5.
the case where we deal with GSSAPI mechs other than krb5.
On sucess, the caller must not free gssapi_cred, as it now belongs
On success, the caller must not free gssapi_cred, as it now belongs
to the credentials system.
*/
int cli_credentials_set_client_gss_creds(struct cli_credentials *cred,
int cli_credentials_set_client_gss_creds(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
gss_cred_id_t gssapi_cred,
enum credentials_obtained obtained,
......@@ -1047,8 +1048,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
if (ret == 0) {
gcc->creds = gssapi_cred;
talloc_set_destructor(gcc, free_gssapi_creds);
/* set the clinet_gss_creds_obtained here, as it just
/* set the clinet_gss_creds_obtained here, as it just
got set to UNINITIALISED by the calls above */
cred->client_gss_creds_obtained = obtained;
cred->client_gss_creds = gcc;
......@@ -1146,7 +1147,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ct
* attached to this context. If this hasn't been done or set before,
* it will be generated from the password.
*/
_PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
_PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct keytab_container **_ktc)
{
......@@ -1162,7 +1163,7 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
char *salt_principal = NULL;
uint32_t uac_flags = 0;
if (cred->keytab_obtained >= (MAX(cred->principal_obtained,
if (cred->keytab_obtained >= (MAX(cred->principal_obtained,
cred->username_obtained))) {
*_ktc = cred->keytab;
return 0;
......@@ -1237,7 +1238,7 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
return ret;
}
cred->keytab_obtained = (MAX(cred->principal_obtained,
cred->keytab_obtained = (MAX(cred->principal_obtained,
cred->username_obtained));
/* We make this keytab up based on a password. Therefore
......@@ -1255,7 +1256,7 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
/* Given the name of a keytab (presumably in the format
* FILE:/etc/krb5.keytab), open it and attach it */
_PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
_PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
const char *keytab_name,
enum credentials_obtained obtained)
......@@ -1296,7 +1297,7 @@ _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
/* Get server gss credentials (in gsskrb5, this means the keytab) */
_PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
_PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc)
{
......@@ -1375,7 +1376,7 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
return ret;
}
/**
/**
* Set Kerberos KVNO
*/
......@@ -1395,12 +1396,12 @@ _PUBLIC_ int cli_credentials_get_kvno(struct cli_credentials *cred)
}
const char *cli_credentials_get_salt_principal(struct cli_credentials *cred)
const char *cli_credentials_get_salt_principal(struct cli_credentials *cred)
{
return cred->salt_principal;
}
_PUBLIC_ void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal)
_PUBLIC_ void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal)
{
talloc_free(cred->salt_principal);
cred->salt_principal = talloc_strdup(cred, principal);
......@@ -1475,7 +1476,9 @@ _PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred,
int ret;
const char *password = NULL;
krb5_data cleartext_data;
krb5_data salt_data;
krb5_data salt_data = {
.length = 0,
};
krb5_keyblock key;
if (cred->password_will_be_nt_hash) {
......
/*
/*
Unix SMB/CIFS implementation.
User credentials handling
......@@ -6,17 +6,17 @@
Copyright (C) Andrew Tridgell 2001
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
Copyright (C) Stefan Metzmacher 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
......@@ -35,13 +35,13 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
_PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
_PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
int *flags,
DATA_BLOB challenge,
const NTTIME *server_timestamp,
DATA_BLOB target_info,
DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key)
DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key)
{
TALLOC_CTX *frame = talloc_stackframe();
const char *user = NULL;
......@@ -152,13 +152,13 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
/* TODO: if the remote server is standalone, then we should replace 'domain'
with the server name as supplied above */
if (!SMBNTLMv2encrypt_hash(frame,
user,
domain,
nt_hash->hash, &challenge,
user,
domain,
nt_hash->hash, &challenge,
server_timestamp, &target_info,
&lm_response, &nt_response,
&lm_response, &nt_response,
NULL, &session_key)) {
TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
......@@ -263,7 +263,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
SMBsesskeygen_ntv1(nt_hash->hash, session_key.data);
dump_data_pw("NT session key:\n", session_key.data, session_key.length);
/* lanman auth is insecure, it may be disabled.
/* lanman auth is insecure, it may be disabled.
We may also not have a password */
if (password != NULL) {
......@@ -458,8 +458,13 @@ _PUBLIC_ void cli_credentials_set_password_will_be_nt_hash(struct cli_credential
cred->password_will_be_nt_hash = val;
}
_PUBLIC_ bool cli_credentials_is_password_nt_hash(struct cli_credentials *cred)
{
return cred->password_will_be_nt_hash;
}
_PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
const struct samr_Password *nt_hash,
const struct samr_Password *nt_hash,
enum credentials_obtained obtained)
{
cred->password_will_be_nt_hash = false;
......