r11995: A big kerberos-related update.

This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.

In particular, the credentials system now supplies GSS client and
server credentials.  These are imported into GSS with
gss_krb5_import_creds().  Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.

Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls.  Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.

To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass.  The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.

This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().

We can now (in theory) use a system-provided /etc/krb5.keytab, if

krb5Keytab: FILE:/etc/krb5.keytab

is added to the secrets.ldb record.  By default the attribute

privateKeytab: secrets.keytab

is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)

1 files changed, 14 insertions, 11 deletions

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 565c7478f9..6f6203a92c 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kerberos5.c,v 1.177 2005/06/15 11:34:53 lha Exp $");
+RCSID("$Id: kerberos5.c,v 1.198 2005/11/28 20:33:57 lha Exp $");
 
 #define MAX_TIME ((time_t)((1U << 31) - 1))
 
@@ -666,8 +666,7 @@ _kdc_check_flags(krb5_context context,
 			     starttime_str, sizeof(starttime_str), TRUE); 
 	    kdc_log(context, config, 0,
 		    "Client not yet valid until %s -- %s", 
-		    starttime_str, 
-		    client_name);
+		    starttime_str, client_name);
 	    return KRB5KDC_ERR_CLIENT_NOTYET;
 	}
 	
@@ -676,7 +675,8 @@ _kdc_check_flags(krb5_context context,
 	    krb5_format_time(context, *client->valid_end, 
 			     endtime_str, sizeof(endtime_str), TRUE); 
 	    kdc_log(context, config, 0,
-		    "Client expired at %s -- %s", endtime_str, client_name);
+		    "Client expired at %s -- %s",
+		    endtime_str, client_name);
 	    return KRB5KDC_ERR_NAME_EXP;
 	}
 	
@@ -686,7 +686,8 @@ _kdc_check_flags(krb5_context context,
 	    krb5_format_time(context, *client->pw_end, 
 			     pwend_str, sizeof(pwend_str), TRUE); 
 	    kdc_log(context, config, 0,
-		    "Client's key has expired at %s -- %s", pwend_str, client_name);
+		    "Client's key has expired at %s -- %s", 
+		    pwend_str, client_name);
 	    return KRB5KDC_ERR_KEY_EXPIRED;
 	}
     }
@@ -717,7 +718,8 @@ _kdc_check_flags(krb5_context context,
 	    krb5_format_time(context, *server->valid_start, 
 			     starttime_str, sizeof(starttime_str), TRUE); 
 	    kdc_log(context, config, 0,
-		    "Server not yet valid until %s -- %s", server_name);
+		    "Server not yet valid until %s -- %s",
+		    starttime_str, server_name);
 	    return KRB5KDC_ERR_SERVICE_NOTYET;
 	}
 
@@ -1099,11 +1101,12 @@ _kdc_as_rep(krb5_context context,
 	pa->padata_value.data	= NULL;
 #endif
 
-	/* RFC4120 requires:
-            - If the client only knows about old enctypes, then send both info replies
-              (we send 'info' first in the list).
-            - If the client is 'modern', because it knows about 'new' enc types, then 
-              only send the 'info2' reply.
+	/* 
+	 * RFC4120 requires: 
+	 * - If the client only knows about old enctypes, then send
+	 *   both info replies (we send 'info' first in the list).
+	 * - If the client is 'modern', because it knows about 'new'
+	 *   enctype types, then only send the 'info2' reply.
 	*/
 	/* XXX check ret */
 	if (only_older_enctype_p(req))