summaryrefslogtreecommitdiff
path: root/source3/libads/kerberos.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-24This is a large patch (sorry). Migrate from struct in_addrJeremy Allison1-13/+25
to struct sockaddr_storage in most places that matter (ie. not the nmbd and NetBIOS lookups). This passes make test on an IPv4 box, but I'll have to do more work/testing on IPv6 enabled boxes. This should now give us a framework for testing and finishing the IPv6 migration. It's at the state where someone with a working IPv6 setup should (theorecically) be able to type : smbclient //ipv6-address/share and have it work. Jeremy. (This used to be commit 98e154c3125d5732c37a72d74b0eb5cd7b6155fd)
2007-10-18RIP BOOL. Convert BOOL -> bool. I found a few interestingJeremy Allison1-12/+12
bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-10r25030: ip_srv_nonsite and count_nonsite are initialized in get_kdc_list() ↵Lars Müller1-2/+2
in any case. (This used to be commit 287604a1c7dc7dede4b278de92ad8233f597d0b6)
2007-10-10r24836: Initialize some uninitialized variables.Michael Adam1-3/+5
This prevents a segfault when get_kdc_ip_string() is called with sitename == NULL. Michael (This used to be commit 58d31e057b57bc69a96e63aabba9aa1da5418d83)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r23147: Patch #4566 from jacob berkman <jberkman@novell.com>. Pass password ↵Jeremy Allison1-1/+2
data to krb5_prompter. Jeremy. (This used to be commit 232fc5d69d44404df13f6516864352f9a5721552)
2007-10-10r22666: Expand kerberos_kinit_password_ext() to return NTSTATUS codes and makeGünther Deschner1-3/+29
winbindd's kerberized pam_auth use that. Guenther (This used to be commit 0f436eab5b2e5891c341c27cb22db52a72bf1af7)
2007-10-10r22664: When we have krb5_get_init_creds_opt_get_error() then try to get the ↵Günther Deschner1-0/+121
NTSTATUS codes directly out of the krb5_error edata. Guenther (This used to be commit dcd902f24a59288bbb7400d59c0afc0c8303ed69)
2007-10-10r22663: Restructure kerberos_kinit_password_ext() error path.Günther Deschner1-53/+33
Guenther (This used to be commit 997ded4e3f0dc2199b9a66a9485c919c16fbabc6)
2007-10-10r21779: I missd a call to krb5_get_init_creds_opt_alloc in r21778.James Peach1-1/+1
(This used to be commit 4f6c2826aa1ac240b02122a40fe9a1ccabaaaf27)
2007-10-10r21778: Wrap calls to krb5_get_init_creds_opt_free to handle the differentJames Peach1-2/+2
calling convention in the latest MIT changes. Apparantly Heimdal is also changing to this calling convention. (This used to be commit c29c69d2df377fabb88a78e6f5237de106d5c2c5)
2007-10-10r21240: Fix longstanding Bug #4009.Günther Deschner1-1/+5
For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files". Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)). Guenther (This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
2007-10-10r21238: Fix tab indent in self-written krb5.confs.Günther Deschner1-1/+1
Guenther (This used to be commit 4df582fa1049afe96bbee7e8cab93cfa82208ba3)
2007-10-10r21110: Fix kinit with Heimdal (Bug #4226).Günther Deschner1-13/+26
Guenther (This used to be commit ea38e1f8362d75e7ac058a7c4aa06f1ca92ec108)
2007-10-10r20860: Adding some small tweaks. When we have no sitename, there is no need toGünther Deschner1-11/+14
ask for the list of DCs twice. Guenther (This used to be commit a9baf27e1348dd6dadd7a2fafdf9c269087b80ac)
2007-10-10r20857: Silence gives assent :-). Checking in the fix forJeremy Allison1-14/+51
site support in a network where many DC's are down. I heard via Volker there is still a bug w.r.t the wrong site being chosen with trusted domains but we'll have to layer that fix on top of this. Gd - complain if this doesn't work for you. Jeremy. (This used to be commit 97e248f89ac6548274f03f2ae7583a255da5ddb3)
2007-10-10r18512: Add krb5conf file environment to debug statement.Günther Deschner1-2/+3
Guenther (This used to be commit 398f368c8a2df36d522583c733f7c22cac2f2059)
2007-10-10r18241: If replacing the krb5.conf, ensure it's readable.Jeremy Allison1-0/+10
Jeremy. (This used to be commit dfd93a30311ff0e57ef23ae1f1cb58d4019a3eee)
2007-10-10r18226: Ensure we only do this evil thing if it's our realm.Jeremy Allison1-2/+1
Jeremy. (This used to be commit 0a89b37b1a367470be410ae94b42c813c7dbefe6)
2007-10-10r18225: If we're going to overwrite krb5.conf, at leastJeremy Allison1-20/+42
be polite enough to make a backup. Jeremy. (This used to be commit c82aac594fd7262029f9c47c2998c9e6b0ffc739)
2007-10-10r18201: Make explicit what's going on here.Jeremy Allison1-1/+2
Jeremy. (This used to be commit 38b8a2b5278d2538b9803c2b81f767036a16ad65)
2007-10-10r18200: Experimental code to allow system /etc/krb5.conf to beJeremy Allison1-42/+63
overwritten by winbindd. Don't enable this :-). Jeremy. (This used to be commit 88e11ee91a2e97c93f5d34313d45b1e38f793038)
2007-10-10r18010: Ensure we don't timeout twice to the sameJeremy Allison1-0/+3
server in winbindd when it's down and listed in the -ve connection cache. Fix memory leak, reduce timeout for cldap calls - minimum 3 secs. Jeremy. (This used to be commit 10b32cb6de234fa17fdd691bb294864d4d40f782)
2007-10-10r18006: Actually a smaller change than it looks. LeverageJeremy Allison1-2/+49
the get_dc_list code to get the _kerberos. names for site support. This way we don't depend on one KDC to do ticket refresh. Even though we know it's up when we add it, it may go down when we're trying to refresh. Jeremy. (This used to be commit 77fe2a3d7418012a8dbfb6aaeb2a8dd57c6e1a5d)
2007-10-10r18004: If you're writing out a krb5.conf, at leastJeremy Allison1-2/+2
get the syntax right... :-). Jeremy. (This used to be commit ecca467e463ef5c9acd48ee0a5f446755bd2f306)
2007-10-10r18003: Creating a directory and getting EEXIST isn't an error.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 515f86167bd9ec64170218f2ea4fb20d12a28365)
2007-10-10r18002: Improved debug.Jeremy Allison1-1/+2
Jeremy. (This used to be commit 5f84c8c815ff0c941ef06d682dcc4be52e8867d2)
2007-10-10r18001: Proper error reporting on write/close fail.Jeremy Allison1-1/+7
Jeremy. (This used to be commit ba311ac4eac060c12cafeeb8e458f45c2927aabf)
2007-10-10r18000: Get nelem/size args right for x_fwrite.Jeremy Allison1-1/+1
Jeremy. (This used to be commit f1c5409b9fa201c6d726857b02515167b0d7cef1)
2007-10-10r17999: No need to prevent others from reading. Use 755 insteadJeremy Allison1-2/+2
of 700, and 644 instead of 600. Reading might help debugging. Jeremy. (This used to be commit 99f100cfecb53e00d17f7426251a3d4022db791a)
2007-10-10r17997: Ensure lockdir exists for winbindd. Store tmpJeremy Allison1-1/+1
krb5.conf files under lockdir, not privatedir. Jeremy. (This used to be commit c59eff3e53f5bfae3a9fb136e8566628339863ad)
2007-10-10r17996: Don't talloc free the memory then reference it. Doh !Jeremy Allison1-3/+4
Jeremy. (This used to be commit 188eb9794df265e8a55602d46b6bb4bd7daffa7f)
2007-10-10r17995: Ensure we create the domain-specific krb5 files in aJeremy Allison1-8/+22
separate directory. Jeremy. (This used to be commit 541594153b3a29a4ca30f1897264f2cc715b0698)
2007-10-10r17994: Add debugs that showed me why my site code wasn'tJeremy Allison1-0/+3
working right. Don't update the server site when we have a client one... Jeremy. (This used to be commit 7acbcf9a6c71f8e7f9167880488613c930cef4d9)
2007-10-10r17946: Fix couple of typos...Jeremy Allison1-1/+1
Jeremy. (This used to be commit 638d53e2ad524dfe4666b79d36997dea8a44c8cd)
2007-10-10r17945: Store the server and client sitenames in the ADSJeremy Allison1-1/+10
struct so we can see when they match - only create the ugly krb5 hack when they do. Jeremy. (This used to be commit 9be4ecf24b6b5dacf4c2891bddb072fa7543753f)
2007-10-10r17944: Handle locking madness.Jeremy Allison1-11/+32
Jeremy. (This used to be commit 408267a2d725a0596be37b019fe4513502b2c0ec)
2007-10-10r17943: The horror, the horror. Add KDC site support byJeremy Allison1-0/+58
writing out a custom krb5.conf file containing the KDC I need. This may suck.... Needs some testing :-). Jeremy. (This used to be commit d500e1f96d92dfcc6292c448d1b399195f762d89)
2007-10-10r17345: Some C++ warningsVolker Lendecke1-1/+2
(This used to be commit 21c8fa2fc8bfd35d203b089ff61efc7c292b4dc0)
2007-10-10r17003: Fix coverity #303 - possible null deref. Jerry pleaseJeremy Allison1-0/+1
check this is your new code. Jeremy. (This used to be commit 144067783d1c56b574911532f074bdaa7cea9c6e)
2007-10-10r16957: fix cut-n-paste error. The check for 'if (\!salt)' make no sense ↵Gerald Carter1-5/+0
when fetching the DES salting principal (This used to be commit baf554c7934cbd591635196453c19d402358e073)
2007-10-10r16955: Fix an uninitialized var -- Jerry, please check.Volker Lendecke1-2/+2
(This used to be commit bf701f51294dacd0d4077b5304772c40119460eb)
2007-10-10r16952: New derive DES salt code and Krb5 keytab generationGerald Carter1-471/+100
Major points of interest: * Figure the DES salt based on the domain functional level and UPN (if present and applicable) * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC keys * Remove all the case permutations in the keytab entry generation (to be partially re-added only if necessary). * Generate keytab entries based on the existing SPN values in AD The resulting keytab looks like: ktutil: list -e slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName) and the sAMAccountName value. The UPN will be added as well if the machine has one. This fixes 'kinit -k'. Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket() continues to work with RC4-HMAC and DES keys. (This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
2007-10-10r16272: Fix memleak.Günther Deschner1-1/+2
Guenther (This used to be commit afdb1189029e01a132f16fea48624126ec65cd77)
2007-10-10r15240: Correctly disallow unauthorized access when logging on with theGünther Deschner1-2/+24
kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
2007-10-10r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name,Jeremy Allison1-15/+13
smb_krb5_parse_name_norealm_conv that pull/push from unix charset to utf8 (which krb5 uses on the wire). This should fix issues when the unix charset is not compatible with or set to utf8. Jeremy. (This used to be commit 37ab42afbc9a79cf5b04ce6a1bf4060e9c961199)
2007-10-10r14611: Fix init_creds_opts issue jerry discovered when using MIT krb5 1.3:Günther Deschner1-10/+0
We were using a far too short renewable_time in the request; newer MIT releases take care interally that the renewable time is never shorter then the default ticket lifetime. Guenther (This used to be commit bde4a4018e26bc9aab4b928ec9811c05b21574f3)
2007-10-10r14585: Tighten argument list of kerberos_kinit_password again,Günther Deschner1-4/+20
kerberos_kinit_password_ext provides access to more options. Guenther (This used to be commit afc519530f94b420b305fc28f83c16db671d0d7f)
2007-10-10r14512: Guenther, This code breaks winbind with MIT krb1.3.Gerald Carter1-2/+12
I'm disabling it for now until we have en effective means of dealing with the ticket request flags for users and computers. (This used to be commit 635f0c9c01c2e389ca916e9004e9ea064bf69cbb)