summaryrefslogtreecommitdiff
path: root/source3/libads/kerberos.c
AgeCommit message (Collapse)AuthorFilesLines
2011-02-27s3: Fix some nonempty blank linesVolker Lendecke1-10/+9
2010-08-05s3-secrets: only include secrets.h when needed.Günther Deschner1-0/+1
Guenther
2010-08-05s3: avoid global include of ads.h.Günther Deschner1-52/+1
Guenther
2010-05-28s3-build: use ndr_misc.h where needed.Günther Deschner1-0/+1
Guenther
2010-05-18s3: Remove use of iconv_convenience.Jelmer Vernooij1-3/+2
2010-05-17s3-kerberos: temporary fix for ipv6 in print_kdc_line().Günther Deschner1-5/+20
Currently no krb5 lib supports "kdc = ipv6 address" at all, so for now just fill in just the kdc_name if we have it and let the krb5 lib figure out the appropriate ipv6 address ipv6 gurus, please check. Guenther
2010-05-17s3-kerberos: pass down kdc_name to create_local_private_krb5_conf_for_domain().Günther Deschner1-7/+12
Guenther
2010-01-30Fix bug #7079 - cliconnect gets realm wrong with trusted domains.Jeremy Allison1-0/+52
Passing NULL as dest_realm for cli_session_setup_spnego() was always using our own realm (as for a NetBIOS name). Change this to look for the mapped realm using krb5_get_host_realm() if the destination machine name is a DNS name (contains a '.'). Could get fancier with DNS name detection (length, etc.) but this will do for now. Jeremy.
2009-11-27s3-kerberos: only use krb5 headers where required.Günther Deschner1-0/+1
This seems to be the only way to deal with mixed heimdal/MIT setups during merged build. Guenther
2009-11-06s3-kerberos: fix some build warnings when building against heimdal.Günther Deschner1-2/+2
Guenther
2009-08-26Add a parameter to disable the automatic creation of krb5.conf filesVolker Lendecke1-1/+6
This is necessary because MIT 1.5 can't deal with certain types (Tree Root) of transitive AD trusts. The workaround is to add a [capaths] directive to /etc/krb5.conf, which we don't automatically put into the krb5.conf winbind creates. The alternative would have been something like a "krb5 conf include", but I think if someone has to mess with /etc/krb5.conf at this level, it should be easy to add the site-local KDCs as well. Next alternative is to correctly figure out the [capaths] parameter for all trusted domains, but for that I don't have the time right now. Sorry :-)
2009-04-20Remove smb_mkstemp() - libreplace will now provide a secure mkstemp() ifJelmer Vernooij1-1/+1
the system one is broken.
2009-04-07s3:kerberos Rework smb_krb5_unparse_name() to take a talloc contextAndrew Bartlett1-4/+4
Signed-off-by: Günther Deschner <gd@samba.org>
2009-03-20s3-krb5: Fix Coverity #762 (REVERSE_INULL).Günther Deschner1-6/+6
Guenther
2009-02-06s3: use pidl to pull a KRB5_EDATA_NTSTATUS.Günther Deschner1-36/+6
Guenther
2009-01-16s3:libads: use lock_path for creating paths to local krb5.conf filesMichael Adam1-2/+3
instead of manually doing an asprintf with lp_lockdir() Michael squash
2009-01-16s3:libads: give create_local_private_krb5_conf_for_domain() a common exit pointMichael Adam1-30/+20
Michael
2008-12-03s3: Change sockaddr util function names for consistencyTim Prouty1-3/+3
Also eliminates name conflicts with OneFS system libraries
2008-10-23Use sockaddr_storage only where we rely on the size, use sockaddrJelmer Vernooij1-4/+5
otherwise (to clarify we can also pass in structs smaller than sockaddr_storage, such as sockaddr_in).
2008-09-04kerberos: fix indent of enc type lines in generated krb5.conf files.Günther Deschner1-3/+3
Guenther (This used to be commit 18a26f08b6fab4119a1421a7ca59c32dde8bb8cb)
2008-06-24libads: add ADS_AUTH_USER_CREDS to avoid magic overwriting of usernames.Günther Deschner1-0/+6
Guenther (This used to be commit b5aaf5aa0f280f69e05b613271c96473a79b812e)
2008-05-27Memory leak fixes from Chere Zhou <czhou@isilon.com>.Jeremy Allison1-0/+4
Jeremy. (This used to be commit 201bcc8ed291b51be6f4508c6aa1cb17ce6dcbe3)
2008-05-19Fix some comments to match get_kdc_ip_string()'s behaviourroot1-1/+7
(This used to be commit 30956c784f58870ad552a3869d80f99872c31375)
2008-03-17Coverity fixesMarc VanHeyningen1-2/+4
(This used to be commit 3fc85d22590550f0539215d020e4411bf5b14363)
2008-03-08Fix Coverity ID 551Volker Lendecke1-0/+2
Correctly return if we can't create the temporary krb5.conf Jeremy, please check! (This used to be commit c2401811aa3d02a9e27969687b9ea035407000c3)
2008-02-25Fix some warningsVolker Lendecke1-7/+15
warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result (This used to be commit ad37b7b0aee265a3e4d8b7552610f4b9a105434d)
2008-01-28Restrict the enctypes in the generated krb5.conf files to Win2003 types.Gerald W. Carter1-4/+8
This fixes the failure observed on FC8 when joining a Windows 2008 RC1 domain. We currently do not handle user session keys correctly when the KDC uses AES in the ticket replies. (This used to be commit 8039a2518caae54bc876368c73ec493f3cd4eb73)
2008-01-16Tidy up code and debug for non-default krb5 IPv6 port.Jeremy Allison1-9/+15
Jeremy. (This used to be commit 79b7972de4c2a8c71e37642ddf7e5bbed53dd58a)
2008-01-16Fix IPv6 bug #5204, which caused krb5 DNS lookupsJeremy Allison1-13/+56
for a name '[<ipv6 addr>'. Jeremy. (This used to be commit f2aa921505e49f894bfed4e5e2f9fc01918b1bb0)
2008-01-14Print principal in debug statement in kerberos_kinit_password() as well.Günther Deschner1-1/+2
Guenther (This used to be commit 44d67e84625a2a1a93baecef0e418b48e982443b)
2007-12-17While 'data' is usually 0 terminated, nothing in the spec requires that. The ↵Simo Sorce1-1/+4
correct way is to copy only 'length' bytes. Simo. (This used to be commit 814c1b0e0034fb67c7718760dfcf913904f3e7fa)
2007-12-15Doh, fix typo in error exit.Jeremy Allison1-2/+2
Jeremy. (This used to be commit 44918f39c0598eec681eb9e5c65452f04809c375)
2007-12-15Added patch originally by Andreas Schneider <anschneider@suse.de>Jeremy Allison1-0/+52
to cause us to behave like Vista when looking for remote machine principal. Modified by me. Jeremy. (This used to be commit d0e33840fb4cfc85990d3ee327428b0854a22722)
2007-11-20More pstring removal....Jeremy Allison1-9/+9
Jeremy. (This used to be commit 809f5ab4c595740b28425e1667e395a6058b76a8)
2007-10-24This is a large patch (sorry). Migrate from struct in_addrJeremy Allison1-13/+25
to struct sockaddr_storage in most places that matter (ie. not the nmbd and NetBIOS lookups). This passes make test on an IPv4 box, but I'll have to do more work/testing on IPv6 enabled boxes. This should now give us a framework for testing and finishing the IPv6 migration. It's at the state where someone with a working IPv6 setup should (theorecically) be able to type : smbclient //ipv6-address/share and have it work. Jeremy. (This used to be commit 98e154c3125d5732c37a72d74b0eb5cd7b6155fd)
2007-10-18RIP BOOL. Convert BOOL -> bool. I found a few interestingJeremy Allison1-12/+12
bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-10r25030: ip_srv_nonsite and count_nonsite are initialized in get_kdc_list() ↵Lars Müller1-2/+2
in any case. (This used to be commit 287604a1c7dc7dede4b278de92ad8233f597d0b6)
2007-10-10r24836: Initialize some uninitialized variables.Michael Adam1-3/+5
This prevents a segfault when get_kdc_ip_string() is called with sitename == NULL. Michael (This used to be commit 58d31e057b57bc69a96e63aabba9aa1da5418d83)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r23147: Patch #4566 from jacob berkman <jberkman@novell.com>. Pass password ↵Jeremy Allison1-1/+2
data to krb5_prompter. Jeremy. (This used to be commit 232fc5d69d44404df13f6516864352f9a5721552)
2007-10-10r22666: Expand kerberos_kinit_password_ext() to return NTSTATUS codes and makeGünther Deschner1-3/+29
winbindd's kerberized pam_auth use that. Guenther (This used to be commit 0f436eab5b2e5891c341c27cb22db52a72bf1af7)
2007-10-10r22664: When we have krb5_get_init_creds_opt_get_error() then try to get the ↵Günther Deschner1-0/+121
NTSTATUS codes directly out of the krb5_error edata. Guenther (This used to be commit dcd902f24a59288bbb7400d59c0afc0c8303ed69)
2007-10-10r22663: Restructure kerberos_kinit_password_ext() error path.Günther Deschner1-53/+33
Guenther (This used to be commit 997ded4e3f0dc2199b9a66a9485c919c16fbabc6)
2007-10-10r21779: I missd a call to krb5_get_init_creds_opt_alloc in r21778.James Peach1-1/+1
(This used to be commit 4f6c2826aa1ac240b02122a40fe9a1ccabaaaf27)
2007-10-10r21778: Wrap calls to krb5_get_init_creds_opt_free to handle the differentJames Peach1-2/+2
calling convention in the latest MIT changes. Apparantly Heimdal is also changing to this calling convention. (This used to be commit c29c69d2df377fabb88a78e6f5237de106d5c2c5)
2007-10-10r21240: Fix longstanding Bug #4009.Günther Deschner1-1/+5
For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files". Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)). Guenther (This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
2007-10-10r21238: Fix tab indent in self-written krb5.confs.Günther Deschner1-1/+1
Guenther (This used to be commit 4df582fa1049afe96bbee7e8cab93cfa82208ba3)
2007-10-10r21110: Fix kinit with Heimdal (Bug #4226).Günther Deschner1-13/+26
Guenther (This used to be commit ea38e1f8362d75e7ac058a7c4aa06f1ca92ec108)
2007-10-10r20860: Adding some small tweaks. When we have no sitename, there is no need toGünther Deschner1-11/+14
ask for the list of DCs twice. Guenther (This used to be commit a9baf27e1348dd6dadd7a2fafdf9c269087b80ac)