Stefan Metzmacher [Thu, 14 Apr 2022 10:48:54 +0000 (12:48 +0200)]
TODO: docs-xml/smbdotconf/security/clientusedefaultkrb5ccache.xml
Stefan Metzmacher [Wed, 16 Mar 2022 11:30:39 +0000 (12:30 +0100)]
source3/script/tests/test_smbclient_krb5.sh STEP3
Stefan Metzmacher [Wed, 16 Mar 2022 11:30:28 +0000 (12:30 +0100)]
source3/script/tests/test_smbclient_krb5.sh STEP2
Stefan Metzmacher [Wed, 16 Mar 2022 11:29:58 +0000 (12:29 +0100)]
source3/script/tests/test_smbclient_krb5.sh STEP 1
Stefan Metzmacher [Fri, 8 Mar 2024 12:20:19 +0000 (13:20 +0100)]
HACK testprogs/blackbox/test_kinit.sh force fail
Stefan Metzmacher [Fri, 8 Mar 2024 12:03:05 +0000 (13:03 +0100)]
testprogs/blackbox/test_kinit.sh also test --use-default-krb5-ccache
Stefan Metzmacher [Sat, 9 Mar 2024 10:05:16 +0000 (11:05 +0100)]
sq docs-xml/build/DTD/samba.entities
Stefan Metzmacher [Wed, 16 Mar 2022 13:08:11 +0000 (14:08 +0100)]
sq fix python/samba/getopt.py
Stefan Metzmacher [Wed, 16 Mar 2022 13:08:11 +0000 (14:08 +0100)]
fix python/samba/getopt.py
Stefan Metzmacher [Wed, 16 Mar 2022 10:39:56 +0000 (11:39 +0100)]
TODO-SPLIT add --use-default-krb5-ccache to select the default ccache
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 13:59:09 +0000 (14:59 +0100)]
Revert "lib/cmdline/cmdline.c --use-krb5-ccache= needs to export KRB5CCNAME"
This reverts commit e8d407360d1ac2cf835c6321bb94e55c4a5bb150.
Stefan Metzmacher [Wed, 16 Mar 2022 11:42:56 +0000 (12:42 +0100)]
lib/cmdline/cmdline.c --use-krb5-ccache= needs to export KRB5CCNAME
Stefan Metzmacher [Wed, 13 Mar 2024 15:54:45 +0000 (16:54 +0100)]
testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh sq s3:libads: let ads_sasl_spnego_bind() really use spnego to negotiate krb5/ntlmssp
Stefan Metzmacher [Wed, 13 Mar 2024 15:53:44 +0000 (16:53 +0100)]
testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh better names
Stefan Metzmacher [Wed, 13 Mar 2024 14:41:00 +0000 (15:41 +0100)]
sq lib/addns/dnsgss.c GENSEC_UPDATE_IS_NTERROR
Stefan Metzmacher [Wed, 13 Mar 2024 16:56:56 +0000 (17:56 +0100)]
sq source3/utils/net_rpc.c !c->explicit_credentials => NET_FLAGS_ANONYMOUS
Stefan Metzmacher [Wed, 13 Mar 2024 16:56:33 +0000 (17:56 +0100)]
source3/utils/net.c cli_credentials_get_principal_obtained => c->explicit_credentials
Stefan Metzmacher [Wed, 13 Mar 2024 09:49:55 +0000 (10:49 +0100)]
python/samba/tests/ntlm_auth.py fix test_ntlmssp_gss_spnego_cached_creds
Stefan Metzmacher [Wed, 13 Mar 2024 09:16:36 +0000 (10:16 +0100)]
move ads_simple_creds up
Stefan Metzmacher [Wed, 13 Mar 2024 09:15:29 +0000 (10:15 +0100)]
sq remove ads_legacy_creds source3/libads/ads_proto.h
Stefan Metzmacher [Wed, 13 Mar 2024 08:27:13 +0000 (09:27 +0100)]
sq ads_connect_simple_anon
Stefan Metzmacher [Wed, 13 Mar 2024 08:26:11 +0000 (09:26 +0100)]
sq ads_connect_cldap_only
Stefan Metzmacher [Wed, 13 Mar 2024 08:25:03 +0000 (09:25 +0100)]
remove ads_connect_no_bind
Stefan Metzmacher [Wed, 13 Mar 2024 08:24:18 +0000 (09:24 +0100)]
no ADS_AUTH_CLDAP_ONLY
Stefan Metzmacher [Wed, 13 Mar 2024 08:23:04 +0000 (09:23 +0100)]
split cldap_only
Stefan Metzmacher [Wed, 13 Mar 2024 08:13:44 +0000 (09:13 +0100)]
still ok
Stefan Metzmacher [Wed, 13 Mar 2024 08:09:33 +0000 (09:09 +0100)]
fix ADS_AUTH_GENERATE_KRB5_CONFIG recursion
Stefan Metzmacher [Tue, 12 Mar 2024 14:17:26 +0000 (15:17 +0100)]
still ok
Stefan Metzmacher [Tue, 12 Mar 2024 14:13:33 +0000 (15:13 +0100)]
still ok
Stefan Metzmacher [Tue, 12 Mar 2024 14:11:08 +0000 (15:11 +0100)]
still ok
Stefan Metzmacher [Tue, 12 Mar 2024 14:09:37 +0000 (15:09 +0100)]
still ok
Stefan Metzmacher [Tue, 12 Mar 2024 13:55:54 +0000 (14:55 +0100)]
sq sq s3:net_ads: make use of ads_connect_creds() in ads_startup_int() AND ads_connect_no_bind OK!
Stefan Metzmacher [Tue, 12 Mar 2024 13:45:57 +0000 (14:45 +0100)]
sq ads_connect_creds => ads_connect_internal
Stefan Metzmacher [Tue, 12 Mar 2024 13:22:14 +0000 (14:22 +0100)]
sq ads_connect_creds ADS_AUTH_NO_BIND no asserted creds OK!
Stefan Metzmacher [Tue, 12 Mar 2024 13:16:37 +0000 (14:16 +0100)]
sq s3:net_ads: make use of ads_connect_creds() in ads_startup_int()
Stefan Metzmacher [Tue, 12 Mar 2024 13:11:31 +0000 (14:11 +0100)]
sq ads_connect_machine ok?
Stefan Metzmacher [Tue, 12 Mar 2024 13:10:01 +0000 (14:10 +0100)]
sq ads_connect_anon() ok?
Stefan Metzmacher [Tue, 12 Mar 2024 12:59:06 +0000 (13:59 +0100)]
sq ADS_AUTH_GENERATE_KRB5_CONFIG ok?
Stefan Metzmacher [Tue, 12 Mar 2024 12:57:52 +0000 (13:57 +0100)]
works net_offline
Stefan Metzmacher [Tue, 12 Mar 2024 12:50:15 +0000 (13:50 +0100)]
Revert "sq ADS_AUTH_GENERATE_KRB5_CONFIG"
This reverts commit f3ea4a5ffe4f0adaa40e1bbdb6b5b4e7657f4d09.
Stefan Metzmacher [Tue, 12 Mar 2024 12:50:15 +0000 (13:50 +0100)]
Revert "sq ads_connect_anon"
This reverts commit 9ce6bdc773e1eaeb8983a6a5917a33f13dd6f3c6.
Stefan Metzmacher [Tue, 12 Mar 2024 12:50:15 +0000 (13:50 +0100)]
Revert "SQ??? ads_connect_creds allow NO/ANON_BIND upgrades"
This reverts commit 18064b62abe554ce08fd0e0ceed4cb0ff9a04a3e.
Stefan Metzmacher [Tue, 12 Mar 2024 12:50:15 +0000 (13:50 +0100)]
Revert "sq ads_connect_anon"
This reverts commit 8c81208038c88e7520d5a412b2bb89314405893a.
Stefan Metzmacher [Tue, 12 Mar 2024 12:50:15 +0000 (13:50 +0100)]
Revert "sq ads_connect_no_bind"
This reverts commit 080a38b93460e7930464ced893a5736cd2555a1a.
Stefan Metzmacher [Tue, 12 Mar 2024 12:50:15 +0000 (13:50 +0100)]
Revert "sq ads_connect_machine"
This reverts commit 232539c59ebf72d5671e13da0b340588bc7043b9.
Stefan Metzmacher [Tue, 12 Mar 2024 12:46:02 +0000 (13:46 +0100)]
sq ads_connect_machine
Stefan Metzmacher [Tue, 12 Mar 2024 12:45:48 +0000 (13:45 +0100)]
sq ads_connect_no_bind
Stefan Metzmacher [Tue, 12 Mar 2024 12:45:35 +0000 (13:45 +0100)]
sq ads_connect_anon
Stefan Metzmacher [Tue, 12 Mar 2024 12:45:03 +0000 (13:45 +0100)]
SQ??? ads_connect_creds allow NO/ANON_BIND upgrades
Stefan Metzmacher [Tue, 12 Mar 2024 12:21:32 +0000 (13:21 +0100)]
sq ads_connect_anon
Stefan Metzmacher [Tue, 12 Mar 2024 12:21:10 +0000 (13:21 +0100)]
sq ADS_AUTH_GENERATE_KRB5_CONFIG
Stefan Metzmacher [Mon, 11 Mar 2024 16:46:45 +0000 (17:46 +0100)]
SPLIT require explicit ccache
Stefan Metzmacher [Mon, 11 Mar 2024 16:45:43 +0000 (17:45 +0100)]
SPLIT??? kerberos_set_password ads_krb5_set_password no implicit ccache
Stefan Metzmacher [Tue, 12 Mar 2024 10:51:25 +0000 (11:51 +0100)]
s3:libsmb: fix lpcfg_gensec_settings() no memory check in auth_generic_client_prepare()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Sat, 9 Mar 2024 10:04:59 +0000 (11:04 +0100)]
DoDNSUpdateNegotiateGensec GENSEC_FEATURE_SIGN why crash???
Stefan Metzmacher [Fri, 8 Mar 2024 11:57:06 +0000 (12:57 +0100)]
blackbox/test_kinit.sh: verify that --use-krb5-ccache= works without KRB5CCNAME
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 13:56:45 +0000 (14:56 +0100)]
s3:net: finally remove net_context->opt_{user_specified,user_name,password}
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 13:55:09 +0000 (14:55 +0100)]
s3:net_ads: use cli_credentials_get_principal() in order to call kerberos functions
This is better than the value from cli_credentials_get_username()...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 13:54:18 +0000 (14:54 +0100)]
s3:net: remove useless net_prompt_pass() wrapper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 13:47:06 +0000 (14:47 +0100)]
s3:net: make use of c->explicit_credentials in order to check for valid credentials
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 13:40:10 +0000 (14:40 +0100)]
s3:net: add net_context->explicit_credentials to check if credentials were passed
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 12:50:39 +0000 (13:50 +0100)]
s3:net: remove unused net_context->smb_encrypt
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 12:50:39 +0000 (13:50 +0100)]
s3:net: correctly implement --use-ccache as legacy for --use-winbind-ccache for 'net'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 12:44:53 +0000 (13:44 +0100)]
s3:net: remove unused net_context->opt_kerberos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 12:43:13 +0000 (13:43 +0100)]
s3:net_rpc: make use of cli_credentials_is_anonymous(c->creds) for NET_FLAGS_ANONYMOUS
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 12:41:51 +0000 (13:41 +0100)]
s3:net_offlinejoin: we don't need to call libnetapi_set_use_kerberos() as we already passed cli_credentials
c->opt_kerberos is derived from c->creds...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 12:27:06 +0000 (13:27 +0100)]
s3:include: remove unused krb5_env.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 28 Feb 2024 16:31:23 +0000 (17:31 +0100)]
s3:libads: remove unused LIBADS_CCACHE_NAME define
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 16:55:14 +0000 (17:55 +0100)]
s3:libads: finally remove unused ads_connect[_user_creds]() and related code
That was a long way, but now we're cli_credentials/gensec only :-)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 6 Mar 2024 08:58:47 +0000 (09:58 +0100)]
s3:libads: check ADS_AUTH_ANON_BIND against !cli_credentials_is_anonymous()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 11:08:00 +0000 (12:08 +0100)]
s3:net_ads: no longer set KRB5CCNAME in net_update_dns_internal()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 11:03:05 +0000 (12:03 +0100)]
lib/addns: rewrite signed dns update code to use gensec instead of plain gssapi
This means we can sanely use cli_credentials and no longer
require setting KRB5CCNAME to get the correct credentials.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 09:13:08 +0000 (10:13 +0100)]
s3:net_ads: pass cli_credentials to DoDNSUpdate()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 29 Feb 2024 13:52:28 +0000 (14:52 +0100)]
s3:libads: remove unused ads_kinit_password()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 29 Feb 2024 13:09:51 +0000 (14:09 +0100)]
s3:net_ads: use pdb_get_trust_credentials/ads_connect_creds before do dns updates
We don't use ads_connect_machine() because we use creds also for the
dns updates. For now we just export the temporary ccache around
the dns updates, but the low level code will be changed from
raw gssapi to gensec soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 28 Apr 2022 15:59:00 +0000 (17:59 +0200)]
s3:libnet_join: pass down cli_credentials *admin_credentials to libnet_{Join,Unjoin}Ctx()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 29 Feb 2024 13:07:05 +0000 (14:07 +0100)]
s3:net_ads: make use of ads_connect_creds() in ads_startup_int()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 29 Feb 2024 13:08:55 +0000 (14:08 +0100)]
s3:net_ads: make use of ads_connect_no_bind() and ADS_AUTH_GENERATE_KRB5_CONFIG in net_ads_password()
We don't need a real ldap connection here.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 08:56:00 +0000 (09:56 +0100)]
s3:libads: add ADS_AUTH_GENERATE_KRB5_CONFIG to generate a custom krb5.conf
That's better than using !ADS_AUTH_NO_BIND, not
ADS_AUTH_NO_BIND implies ADS_AUTH_ANON_BIND...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 16:48:34 +0000 (17:48 +0100)]
s3:winbindd: make use of ads_connect_no_bind() in dcip_check_name_ads()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 16:47:37 +0000 (17:47 +0100)]
s3:net_ads: make use of ads_connect_no_bind() in net_ads_check_int()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 16:46:10 +0000 (17:46 +0100)]
s3:libsmb: make use of ads_connect_no_bind()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 16:40:48 +0000 (17:40 +0100)]
s3:lib/netapi: make use of ads_simple_creds/libnetapi_get_creds in NetGetJoinableOUs_l
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 16:38:25 +0000 (17:38 +0100)]
s3:lib/netapi: add libnetapi_get_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 16:21:02 +0000 (17:21 +0100)]
libgpo/pygpo: make use of ads_connect_{creds,machine}()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 28 Apr 2022 16:58:27 +0000 (18:58 +0200)]
s3:printing: make use of ads_connect_machine()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 08:59:09 +0000 (09:59 +0100)]
s3:winbindd: make use of winbindd_get_trust_credentials() in idmap_ad.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 08:53:04 +0000 (09:53 +0100)]
s3:winbindd: make use of winbindd_get_trust_credentials() in _winbind_LogonControl_TC_VERIFY()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 08:44:54 +0000 (09:44 +0100)]
s3:winbindd: make use of samba_sockaddr to avoid compiler warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 08:44:19 +0000 (09:44 +0100)]
s3:winbindd: use winbindd_get_trust_credentials()/ads_connect_creds() in winbindd_ads.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 08:23:17 +0000 (09:23 +0100)]
s3:winbindd: make winbindd_get_trust_credentials() public
We'll use it outside of winbindd_cm.c soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 6 Mar 2024 09:13:11 +0000 (10:13 +0100)]
s3:libads: add ads_set_reconnect_fn() and only reconnect if we can get creds
This reconnect is only useful for long running connections (e.g. in winbindd)
and there we'll make use of it...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 28 Apr 2022 16:43:00 +0000 (18:43 +0200)]
s3:libads: make use of ads_connect_anon() in ldap.c where possible
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 16:45:35 +0000 (17:45 +0100)]
s3:libads: add ads_connect_no_bind() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 28 Apr 2022 16:53:03 +0000 (18:53 +0200)]
s3:libads: add ads_connect_machine() helper
Stefan Metzmacher [Thu, 28 Apr 2022 16:38:17 +0000 (18:38 +0200)]
s3:libads: add ads_connect_anon() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 28 Apr 2022 15:51:57 +0000 (17:51 +0200)]
s3:libads: add ads_simple_creds() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 29 Feb 2024 13:50:31 +0000 (14:50 +0100)]
s3:libads: let ads_sasl_spnego_bind() really use spnego to negotiate krb5/ntlmssp
The gensec layer does kinit if needed...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 27 Apr 2022 11:11:26 +0000 (13:11 +0200)]
s3:libads: split out ads_connect_creds() and call it with ads_legacy_creds()
Stefan Metzmacher [Wed, 27 Apr 2022 10:45:04 +0000 (12:45 +0200)]
s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_unparsed_name()
We should only operate on the creds structure and
avoid using ads->auth.{user_name,realm}.
Signed-off-by: Stefan Metzmacher <metze@samba.org>