s3:auth: Let windbind parse minimal MIT KRB5 PACs

s3:auth: Remove trailing spaces

libwbclient: Set auth_info to NULL for validation_level 0

If we deal with a minimal PAC, we don't have a validation_level and
should just set the pointer to NULL.

s3:winbind: Don't try to append_data without validation_data

If we have a minimal PAC there is nothing to append.

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>

s3:winbind: Verify minimal PACs with logon_name

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>

auth:kerberos: Allow to decode PACs without a logon info

MIT Kerberos 1.21 and newer always provide a minimal PAC. If we get such
a PAC we should validate it, especially the checksums.

FIX

testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh sq s3:libads: let ads_sasl_spnego_bind() really use spnego to negotiate krb5/ntlmssp

testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh better names

sq lib/addns/dnsgss.c GENSEC_UPDATE_IS_NTERROR

auth/ntlmssp/ntlmssp_util.c ntlmssp_hash_channel_bindings GNUTLS_FIPS140_SET_LAX_MODE

sq source3/utils/net_rpc.c !c->explicit_credentials => NET_FLAGS_ANONYMOUS

source3/utils/net.c cli_credentials_get_principal_obtained => c->explicit_credentials

auth/credentials: add cli_credentials_get_principal_obtained()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

auth/credentials: add cli_credentials_get_username_obtained()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

python/samba/tests/ntlm_auth.py fix test_ntlmssp_gss_spnego_cached_creds

move ads_simple_creds up

sq remove ads_legacy_creds source3/libads/ads_proto.h

sq ads_connect_simple_anon

sq ads_connect_cldap_only

remove ads_connect_no_bind

no ADS_AUTH_CLDAP_ONLY

split cldap_only

still ok

fix ADS_AUTH_GENERATE_KRB5_CONFIG recursion

still ok

still ok

still ok

still ok

sq sq s3:net_ads: make use of ads_connect_creds() in ads_startup_int() AND ads_connect_no_bind OK!

sq ads_connect_creds => ads_connect_internal

sq ads_connect_creds ADS_AUTH_NO_BIND no asserted creds OK!

sq s3:net_ads: make use of ads_connect_creds() in ads_startup_int()

sq ads_connect_machine ok?

sq ads_connect_anon() ok?

sq ADS_AUTH_GENERATE_KRB5_CONFIG ok?

works net_offline

Revert "sq ADS_AUTH_GENERATE_KRB5_CONFIG"

This reverts commit f3ea4a5ffe4f0adaa40e1bbdb6b5b4e7657f4d09.

Revert "sq ads_connect_anon"

This reverts commit 9ce6bdc773e1eaeb8983a6a5917a33f13dd6f3c6.

Revert "SQ??? ads_connect_creds allow NO/ANON_BIND upgrades"

This reverts commit 18064b62abe554ce08fd0e0ceed4cb0ff9a04a3e.

Revert "sq ads_connect_anon"

This reverts commit 8c81208038c88e7520d5a412b2bb89314405893a.

Revert "sq ads_connect_no_bind"

This reverts commit 080a38b93460e7930464ced893a5736cd2555a1a.

Revert "sq ads_connect_machine"

This reverts commit 232539c59ebf72d5671e13da0b340588bc7043b9.

sq ads_connect_machine

sq ads_connect_no_bind

sq ads_connect_anon

SQ??? ads_connect_creds allow NO/ANON_BIND upgrades

sq ads_connect_anon

sq ADS_AUTH_GENERATE_KRB5_CONFIG

SPLIT require explicit ccache

SPLIT??? kerberos_set_password ads_krb5_set_password no implicit ccache

s3:libsmb: fix lpcfg_gensec_settings() no memory check in auth_generic_client_prepare()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

HEIMDAL: lib/gssapi/krb5: don't ignore _gsskrb5_decapsulate() result in init_sec_context responses

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15603

Signed-off-by: Stefan Metzmacher <metze@samba.org>

DoDNSUpdateNegotiateGensec GENSEC_FEATURE_SIGN why crash???

blackbox/test_kinit.sh: verify that --use-krb5-ccache= works without KRB5CCNAME

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net: finally remove net_context->opt_{user_specified,user_name,password}

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net_ads: use cli_credentials_get_principal() in order to call kerberos functions

This is better than the value from cli_credentials_get_username()...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net: remove useless net_prompt_pass() wrapper

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net: make use of c->explicit_credentials in order to check for valid credentials

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net: add net_context->explicit_credentials to check if credentials were passed

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net: remove unused net_context->smb_encrypt

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net: correctly implement --use-ccache as legacy for --use-winbind-ccache for 'net'

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net: remove unused net_context->opt_kerberos

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net_rpc: make use of cli_credentials_is_anonymous(c->creds) for NET_FLAGS_ANONYMOUS

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net_offlinejoin: we don't need to call libnetapi_set_use_kerberos() as we already passed cli_credentials

c->opt_kerberos is derived from c->creds...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:include: remove unused krb5_env.h

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libads: remove unused LIBADS_CCACHE_NAME define

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libads: finally remove unused ads_connect[_user_creds]() and related code

That was a long way, but now we're cli_credentials/gensec only :-)

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libads: check ADS_AUTH_ANON_BIND against !cli_credentials_is_anonymous()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net_ads: no longer set KRB5CCNAME in net_update_dns_internal()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

lib/addns: rewrite signed dns update code to use gensec instead of plain gssapi

This means we can sanely use cli_credentials and no longer
require setting KRB5CCNAME to get the correct credentials.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net_ads: pass cli_credentials to DoDNSUpdate()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libads: remove unused ads_kinit_password()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net_ads: use pdb_get_trust_credentials/ads_connect_creds before do dns updates

We don't use ads_connect_machine() because we use creds also for the
dns updates. For now we just export the temporary ccache arround
the dns updates, but the low level code will be changed from
raw gssapi to gensec soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libnet_join: pass down cli_credentials *admin_credentials to libnet_{Join,Unjoin}Ctx()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net_ads: make use of ads_connect_creds() in ads_startup_int()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net_ads: make use of ads_connect_no_bind() and ADS_AUTH_GENERATE_KRB5_CONFIG in net_ads_password()

We don't need a real ldap connection here.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libads: add ADS_AUTH_GENERATE_KRB5_CONFIG to generate a custom krb5.conf

That's better then using !ADS_AUTH_NO_BIND, not
ADS_AUTH_NO_BIND implies ADS_AUTH_ANON_BIND...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:winbindd: make use of ads_connect_no_bind() in dcip_check_name_ads()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:net_ads: make use of ads_connect_no_bind() in net_ads_check_int()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libsmb: make use of ads_connect_no_bind()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:lib/netapi: make use of ads_simple_creds/libnetapi_get_creds in NetGetJoinableOUs_l

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:lib/netapi: add libnetapi_get_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

libgpo/pygpo: make use of ads_connect_{creds,machine}()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:printing: make use of ads_connect_machine()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:winbindd: make use of winbindd_get_trust_credentials() in idmap_ad.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:winbindd: make use of winbindd_get_trust_credentials() in _winbind_LogonControl_TC_VERIFY()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:winbindd: make use of samba_sockaddr to avoid compiler warnings

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:winbindd: use winbindd_get_trust_credentials()/ads_connect_creds() in winbindd_ads.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:winbindd: make winbindd_get_trust_credentials() public

We'll use it outside of winbindd_cm.c soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libads: add ads_set_reconnect_fn() and only reconnect if we can get creds

This reconnect is only useful for long running connections (e.g. in winbindd)
and there we'll make use of it...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libads: make use of ads_connect_anon() in ldap.c where possible

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libads: add ads_connect_no_bind() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libads: add ads_connect_machine() helper

s3:libads: add ads_connect_anon() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libads: add ads_simple_creds() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libads: let ads_sasl_spnego_bind() really use spnego to negotiate krb5/ntlmssp

The gensec layer does kinit if needed...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libads: split out ads_connect_creds() and call it with ads_legacy_creds()

s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_unparsed_name()

We should only operate on the creds structure and
avoid using ads->auth.{user_name,realm}.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libads: let ads_sasl_spnego_bind() reset krb5_state at the end

In future we'll pass in creds from the caller, so we better
restore the original krb5_state at the end of ads_sasl_spnego_bind().

Signed-off-by: Stefan Metzmacher <metze@samba.org>