summaryrefslogtreecommitdiff
path: root/source3/libads/kerberos.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r21778: Wrap calls to krb5_get_init_creds_opt_free to handle the differentJames Peach1-2/+2
calling convention in the latest MIT changes. Apparantly Heimdal is also changing to this calling convention. (This used to be commit c29c69d2df377fabb88a78e6f5237de106d5c2c5)
2007-10-10r21240: Fix longstanding Bug #4009.Günther Deschner1-1/+5
For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files". Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)). Guenther (This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
2007-10-10r21238: Fix tab indent in self-written krb5.confs.Günther Deschner1-1/+1
Guenther (This used to be commit 4df582fa1049afe96bbee7e8cab93cfa82208ba3)
2007-10-10r21110: Fix kinit with Heimdal (Bug #4226).Günther Deschner1-13/+26
Guenther (This used to be commit ea38e1f8362d75e7ac058a7c4aa06f1ca92ec108)
2007-10-10r20860: Adding some small tweaks. When we have no sitename, there is no need toGünther Deschner1-11/+14
ask for the list of DCs twice. Guenther (This used to be commit a9baf27e1348dd6dadd7a2fafdf9c269087b80ac)
2007-10-10r20857: Silence gives assent :-). Checking in the fix forJeremy Allison1-14/+51
site support in a network where many DC's are down. I heard via Volker there is still a bug w.r.t the wrong site being chosen with trusted domains but we'll have to layer that fix on top of this. Gd - complain if this doesn't work for you. Jeremy. (This used to be commit 97e248f89ac6548274f03f2ae7583a255da5ddb3)
2007-10-10r18512: Add krb5conf file environment to debug statement.Günther Deschner1-2/+3
Guenther (This used to be commit 398f368c8a2df36d522583c733f7c22cac2f2059)
2007-10-10r18241: If replacing the krb5.conf, ensure it's readable.Jeremy Allison1-0/+10
Jeremy. (This used to be commit dfd93a30311ff0e57ef23ae1f1cb58d4019a3eee)
2007-10-10r18226: Ensure we only do this evil thing if it's our realm.Jeremy Allison1-2/+1
Jeremy. (This used to be commit 0a89b37b1a367470be410ae94b42c813c7dbefe6)
2007-10-10r18225: If we're going to overwrite krb5.conf, at leastJeremy Allison1-20/+42
be polite enough to make a backup. Jeremy. (This used to be commit c82aac594fd7262029f9c47c2998c9e6b0ffc739)
2007-10-10r18201: Make explicit what's going on here.Jeremy Allison1-1/+2
Jeremy. (This used to be commit 38b8a2b5278d2538b9803c2b81f767036a16ad65)
2007-10-10r18200: Experimental code to allow system /etc/krb5.conf to beJeremy Allison1-42/+63
overwritten by winbindd. Don't enable this :-). Jeremy. (This used to be commit 88e11ee91a2e97c93f5d34313d45b1e38f793038)
2007-10-10r18010: Ensure we don't timeout twice to the sameJeremy Allison1-0/+3
server in winbindd when it's down and listed in the -ve connection cache. Fix memory leak, reduce timeout for cldap calls - minimum 3 secs. Jeremy. (This used to be commit 10b32cb6de234fa17fdd691bb294864d4d40f782)
2007-10-10r18006: Actually a smaller change than it looks. LeverageJeremy Allison1-2/+49
the get_dc_list code to get the _kerberos. names for site support. This way we don't depend on one KDC to do ticket refresh. Even though we know it's up when we add it, it may go down when we're trying to refresh. Jeremy. (This used to be commit 77fe2a3d7418012a8dbfb6aaeb2a8dd57c6e1a5d)
2007-10-10r18004: If you're writing out a krb5.conf, at leastJeremy Allison1-2/+2
get the syntax right... :-). Jeremy. (This used to be commit ecca467e463ef5c9acd48ee0a5f446755bd2f306)
2007-10-10r18003: Creating a directory and getting EEXIST isn't an error.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 515f86167bd9ec64170218f2ea4fb20d12a28365)
2007-10-10r18002: Improved debug.Jeremy Allison1-1/+2
Jeremy. (This used to be commit 5f84c8c815ff0c941ef06d682dcc4be52e8867d2)
2007-10-10r18001: Proper error reporting on write/close fail.Jeremy Allison1-1/+7
Jeremy. (This used to be commit ba311ac4eac060c12cafeeb8e458f45c2927aabf)
2007-10-10r18000: Get nelem/size args right for x_fwrite.Jeremy Allison1-1/+1
Jeremy. (This used to be commit f1c5409b9fa201c6d726857b02515167b0d7cef1)
2007-10-10r17999: No need to prevent others from reading. Use 755 insteadJeremy Allison1-2/+2
of 700, and 644 instead of 600. Reading might help debugging. Jeremy. (This used to be commit 99f100cfecb53e00d17f7426251a3d4022db791a)
2007-10-10r17997: Ensure lockdir exists for winbindd. Store tmpJeremy Allison1-1/+1
krb5.conf files under lockdir, not privatedir. Jeremy. (This used to be commit c59eff3e53f5bfae3a9fb136e8566628339863ad)
2007-10-10r17996: Don't talloc free the memory then reference it. Doh !Jeremy Allison1-3/+4
Jeremy. (This used to be commit 188eb9794df265e8a55602d46b6bb4bd7daffa7f)
2007-10-10r17995: Ensure we create the domain-specific krb5 files in aJeremy Allison1-8/+22
separate directory. Jeremy. (This used to be commit 541594153b3a29a4ca30f1897264f2cc715b0698)
2007-10-10r17994: Add debugs that showed me why my site code wasn'tJeremy Allison1-0/+3
working right. Don't update the server site when we have a client one... Jeremy. (This used to be commit 7acbcf9a6c71f8e7f9167880488613c930cef4d9)
2007-10-10r17946: Fix couple of typos...Jeremy Allison1-1/+1
Jeremy. (This used to be commit 638d53e2ad524dfe4666b79d36997dea8a44c8cd)
2007-10-10r17945: Store the server and client sitenames in the ADSJeremy Allison1-1/+10
struct so we can see when they match - only create the ugly krb5 hack when they do. Jeremy. (This used to be commit 9be4ecf24b6b5dacf4c2891bddb072fa7543753f)
2007-10-10r17944: Handle locking madness.Jeremy Allison1-11/+32
Jeremy. (This used to be commit 408267a2d725a0596be37b019fe4513502b2c0ec)
2007-10-10r17943: The horror, the horror. Add KDC site support byJeremy Allison1-0/+58
writing out a custom krb5.conf file containing the KDC I need. This may suck.... Needs some testing :-). Jeremy. (This used to be commit d500e1f96d92dfcc6292c448d1b399195f762d89)
2007-10-10r17345: Some C++ warningsVolker Lendecke1-1/+2
(This used to be commit 21c8fa2fc8bfd35d203b089ff61efc7c292b4dc0)
2007-10-10r17003: Fix coverity #303 - possible null deref. Jerry pleaseJeremy Allison1-0/+1
check this is your new code. Jeremy. (This used to be commit 144067783d1c56b574911532f074bdaa7cea9c6e)
2007-10-10r16957: fix cut-n-paste error. The check for 'if (\!salt)' make no sense ↵Gerald Carter1-5/+0
when fetching the DES salting principal (This used to be commit baf554c7934cbd591635196453c19d402358e073)
2007-10-10r16955: Fix an uninitialized var -- Jerry, please check.Volker Lendecke1-2/+2
(This used to be commit bf701f51294dacd0d4077b5304772c40119460eb)
2007-10-10r16952: New derive DES salt code and Krb5 keytab generationGerald Carter1-471/+100
Major points of interest: * Figure the DES salt based on the domain functional level and UPN (if present and applicable) * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC keys * Remove all the case permutations in the keytab entry generation (to be partially re-added only if necessary). * Generate keytab entries based on the existing SPN values in AD The resulting keytab looks like: ktutil: list -e slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName) and the sAMAccountName value. The UPN will be added as well if the machine has one. This fixes 'kinit -k'. Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket() continues to work with RC4-HMAC and DES keys. (This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
2007-10-10r16272: Fix memleak.Günther Deschner1-1/+2
Guenther (This used to be commit afdb1189029e01a132f16fea48624126ec65cd77)
2007-10-10r15240: Correctly disallow unauthorized access when logging on with theGünther Deschner1-2/+24
kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
2007-10-10r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name,Jeremy Allison1-15/+13
smb_krb5_parse_name_norealm_conv that pull/push from unix charset to utf8 (which krb5 uses on the wire). This should fix issues when the unix charset is not compatible with or set to utf8. Jeremy. (This used to be commit 37ab42afbc9a79cf5b04ce6a1bf4060e9c961199)
2007-10-10r14611: Fix init_creds_opts issue jerry discovered when using MIT krb5 1.3:Günther Deschner1-10/+0
We were using a far too short renewable_time in the request; newer MIT releases take care interally that the renewable time is never shorter then the default ticket lifetime. Guenther (This used to be commit bde4a4018e26bc9aab4b928ec9811c05b21574f3)
2007-10-10r14585: Tighten argument list of kerberos_kinit_password again,Günther Deschner1-4/+20
kerberos_kinit_password_ext provides access to more options. Guenther (This used to be commit afc519530f94b420b305fc28f83c16db671d0d7f)
2007-10-10r14512: Guenther, This code breaks winbind with MIT krb1.3.Gerald Carter1-2/+12
I'm disabling it for now until we have en effective means of dealing with the ticket request flags for users and computers. (This used to be commit 635f0c9c01c2e389ca916e9004e9ea064bf69cbb)
2007-10-10r14503: Fix principal in debug statement.Günther Deschner1-2/+1
Guenther (This used to be commit 7b1fcb75dadd5ff232d60f93206867cf13322f2e)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-9/+31
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r11651: After talking to Jeremy, commit my winbindd "Do the Right Thing" patch.Gerald Carter1-1/+18
Still needs some more testing ni domains with multiple DCs. Coming next.... (This used to be commit aaed605206a8549cec575dab31e56bf6d32f26a6)
2007-10-10r11551: Add a few more initialize_krb5_error_tableVolker Lendecke1-0/+2
(This used to be commit d92c83aa42fe64a0e996094d1a983f0279c7c707)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison1-1/+1
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-2/+1
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r6586: get rid of a few more compiler warningsHerb Lewis1-1/+1
(This used to be commit 173375f8d88bf8e8db8d60e5d5f0e5dcc28767d9)
2007-10-10r6149: Fixes bugs #2498 and 2484.Derrell Lipman1-1/+1
1. using smbc_getxattr() et al, one may now request all access control entities in the ACL without getting all other NT attributes. 2. added the ability to exclude specified attributes from the result set provided by smbc_getxattr() et al, when requesting all attributes, all NT attributes, or all DOS attributes. 3. eliminated all compiler warnings, including when --enable-developer compiler flags are in use. removed -Wcast-qual flag from list, as that is specifically to force warnings in the case of casting away qualifiers. Note: In the process of eliminating compiler warnings, a few nasties were discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED kerberos interfaces are being used. Someone who knows kerberos should look at these and determine if there is an alternate method of accomplishing the task. (This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
2007-10-10r6127: Eliminated all compiler warnings pertaining to mismatched ↵Derrell Lipman1-1/+2
"qualifiers". The whole of samba comiles warning-free with the default compiler flags. Temporarily defined -Wall to locate other potential problems. Found an unused static function (#ifdefed out rather than deleted, in case it's needed for something in progress). There are also a number of uses of undeclared functions, mostly krb5_*. Files with these problems need to have appropriate header files included, but they are not fixed in this update. oplock_linux.c.c has undefined functions capget() and capset(), which need to have "#undef _POSIX_SOURCE" specified before including <sys/capability.h>, but that could potentially have other side effects, so that remains uncorrected as well. The flag -Wall should be added permanently to CFLAGS, and all warnings then generated should be eliminated. (This used to be commit 5b19ede88ed80318e392f8017f4573fbb2ecbe0f)
2007-10-10r4736: small set of merges from rtunk to minimize the diffsGerald Carter1-1/+1
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
2007-10-10r4334: Fix for bugid #2186 - from Buck Huppmann <buckh@pobox.com>Jeremy Allison1-1/+2
to prevent uninitialized creds being freed. Jeremy. (This used to be commit c3f9c81a8fcb26f7110f75b3096d5d1eb30aac13)