summaryrefslogtreecommitdiff
path: root/source3/libads/kerberos.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r17003: Fix coverity #303 - possible null deref. Jerry pleaseJeremy Allison1-0/+1
check this is your new code. Jeremy. (This used to be commit 144067783d1c56b574911532f074bdaa7cea9c6e)
2007-10-10r16957: fix cut-n-paste error. The check for 'if (\!salt)' make no sense ↵Gerald Carter1-5/+0
when fetching the DES salting principal (This used to be commit baf554c7934cbd591635196453c19d402358e073)
2007-10-10r16955: Fix an uninitialized var -- Jerry, please check.Volker Lendecke1-2/+2
(This used to be commit bf701f51294dacd0d4077b5304772c40119460eb)
2007-10-10r16952: New derive DES salt code and Krb5 keytab generationGerald Carter1-471/+100
Major points of interest: * Figure the DES salt based on the domain functional level and UPN (if present and applicable) * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC keys * Remove all the case permutations in the keytab entry generation (to be partially re-added only if necessary). * Generate keytab entries based on the existing SPN values in AD The resulting keytab looks like: ktutil: list -e slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName) and the sAMAccountName value. The UPN will be added as well if the machine has one. This fixes 'kinit -k'. Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket() continues to work with RC4-HMAC and DES keys. (This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
2007-10-10r16272: Fix memleak.Günther Deschner1-1/+2
Guenther (This used to be commit afdb1189029e01a132f16fea48624126ec65cd77)
2007-10-10r15240: Correctly disallow unauthorized access when logging on with theGünther Deschner1-2/+24
kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
2007-10-10r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name,Jeremy Allison1-15/+13
smb_krb5_parse_name_norealm_conv that pull/push from unix charset to utf8 (which krb5 uses on the wire). This should fix issues when the unix charset is not compatible with or set to utf8. Jeremy. (This used to be commit 37ab42afbc9a79cf5b04ce6a1bf4060e9c961199)
2007-10-10r14611: Fix init_creds_opts issue jerry discovered when using MIT krb5 1.3:Günther Deschner1-10/+0
We were using a far too short renewable_time in the request; newer MIT releases take care interally that the renewable time is never shorter then the default ticket lifetime. Guenther (This used to be commit bde4a4018e26bc9aab4b928ec9811c05b21574f3)
2007-10-10r14585: Tighten argument list of kerberos_kinit_password again,Günther Deschner1-4/+20
kerberos_kinit_password_ext provides access to more options. Guenther (This used to be commit afc519530f94b420b305fc28f83c16db671d0d7f)
2007-10-10r14512: Guenther, This code breaks winbind with MIT krb1.3.Gerald Carter1-2/+12
I'm disabling it for now until we have en effective means of dealing with the ticket request flags for users and computers. (This used to be commit 635f0c9c01c2e389ca916e9004e9ea064bf69cbb)
2007-10-10r14503: Fix principal in debug statement.Günther Deschner1-2/+1
Guenther (This used to be commit 7b1fcb75dadd5ff232d60f93206867cf13322f2e)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-9/+31
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r11651: After talking to Jeremy, commit my winbindd "Do the Right Thing" patch.Gerald Carter1-1/+18
Still needs some more testing ni domains with multiple DCs. Coming next.... (This used to be commit aaed605206a8549cec575dab31e56bf6d32f26a6)
2007-10-10r11551: Add a few more initialize_krb5_error_tableVolker Lendecke1-0/+2
(This used to be commit d92c83aa42fe64a0e996094d1a983f0279c7c707)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison1-1/+1
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-2/+1
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r6586: get rid of a few more compiler warningsHerb Lewis1-1/+1
(This used to be commit 173375f8d88bf8e8db8d60e5d5f0e5dcc28767d9)
2007-10-10r6149: Fixes bugs #2498 and 2484.Derrell Lipman1-1/+1
1. using smbc_getxattr() et al, one may now request all access control entities in the ACL without getting all other NT attributes. 2. added the ability to exclude specified attributes from the result set provided by smbc_getxattr() et al, when requesting all attributes, all NT attributes, or all DOS attributes. 3. eliminated all compiler warnings, including when --enable-developer compiler flags are in use. removed -Wcast-qual flag from list, as that is specifically to force warnings in the case of casting away qualifiers. Note: In the process of eliminating compiler warnings, a few nasties were discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED kerberos interfaces are being used. Someone who knows kerberos should look at these and determine if there is an alternate method of accomplishing the task. (This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
2007-10-10r6127: Eliminated all compiler warnings pertaining to mismatched ↵Derrell Lipman1-1/+2
"qualifiers". The whole of samba comiles warning-free with the default compiler flags. Temporarily defined -Wall to locate other potential problems. Found an unused static function (#ifdefed out rather than deleted, in case it's needed for something in progress). There are also a number of uses of undeclared functions, mostly krb5_*. Files with these problems need to have appropriate header files included, but they are not fixed in this update. oplock_linux.c.c has undefined functions capget() and capset(), which need to have "#undef _POSIX_SOURCE" specified before including <sys/capability.h>, but that could potentially have other side effects, so that remains uncorrected as well. The flag -Wall should be added permanently to CFLAGS, and all warnings then generated should be eliminated. (This used to be commit 5b19ede88ed80318e392f8017f4573fbb2ecbe0f)
2007-10-10r4736: small set of merges from rtunk to minimize the diffsGerald Carter1-1/+1
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
2007-10-10r4334: Fix for bugid #2186 - from Buck Huppmann <buckh@pobox.com>Jeremy Allison1-1/+2
to prevent uninitialized creds being freed. Jeremy. (This used to be commit c3f9c81a8fcb26f7110f75b3096d5d1eb30aac13)
2007-10-10r3495: Fix the build (recent kerberos-changes).Günther Deschner1-2/+4
Guenther (This used to be commit c7eab285d967345510a15e83bce508edb8e06e99)
2007-10-10r3492: Fixes from testing kerberos salted principal fix.Jeremy Allison1-23/+51
Jeremy. (This used to be commit b356a8fdc5a1ac45f2f7f56a0836e794bdecddc6)
2007-10-10r3439: Finally fix build for platforms without kerberos.Günther Deschner1-2/+2
Guenther (This used to be commit 05619cfdbf814e5c79e65934b82424eca00c76c4)
2007-10-10r3379: More merging of kerberos keytab and salting fixes from Nalin ↵Jeremy Allison1-0/+15
Dahyabhai <nalin@redhat.com> (bugid #1717). Jeremy. (This used to be commit 30b8807cf6d5c3c5b9947a7e841d69f0b22eb019)
2007-10-10r3377: Merge in first part of modified patch from Nalin Dahyabhai ↵Jeremy Allison1-7/+548
<nalin@redhat.com> for bug #1717.The rest of the code needed to call this patch has not yet been checked in (that's my next task). This has not yet been tested - I'll do this once the rest of the patch is integrated. Jeremy. (This used to be commit 7565019286cf44f43c8066c005b1cd5c1556435f)
2007-10-10r1967: Fix a couple of krb5-DEBUG-messages.Günther Deschner1-4/+6
Guenther (This used to be commit 86a61c86a49a7e4d67e61201458c9b0229fb0825)
2007-10-10r1245: I think the parameter for "password" and "data" was reversed.Jeremy Allison1-2/+2
CHECK THIS ! Jeremy. (This used to be commit d4abeefe3e307ff226fba481ca2c743cde153e4b)
2007-10-10r541: fixing segfault in winbindd caused -r527 -- looks like a bug in ↵Gerald Carter1-4/+4
heimdal; also initialize some pointers (This used to be commit be74e88d9a4b74fcaf25b0816e3fa8a487c91ab5)
2004-03-24Fix bugzilla # 1208Jim McDonough1-2/+37
Winbind tickets expired. We now check the expiration time, and acquire new tickets. We couln't rely on renewing them, because if we didn't get a request before they expired, we wouldn't have renewed them. Also, there is a one-week limit in MS on renewal life, so new tickets would have been needed after a week anyway. Default is 10 hours, so we should only be acquiring them that often, unless the configuration on the DC is changed (and the minimum is 1 hour). (This used to be commit c2436c433afaab4006554a86307f76b6689d6929)
2002-10-24Merge tridge's blank password fix from HEAD.Jeremy Allison1-2/+6
Jeremy. (This used to be commit eadfd312ba92a780f655cf117c44b30457f007e8)
2002-10-01Updates from Samba HEAD:Andrew Bartlett1-1/+8
- Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
2002-09-25sync'ing up for 3.0alpha20 releaseGerald Carter1-2/+6
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-08-17sync 3.0 branch with headJelmer Vernooij1-10/+2
(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-07-15updated the 3.0 branch from the head branch - ready for alpha18Andrew Tridgell1-130/+25
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2001-12-20net ads password and net ads chostpass commands from Remus KoosAndrew Tridgell1-8/+5
(This used to be commit 412e79c448bf02e3097b5c14a36fe0172d8d2895)
2001-12-13better error handlingAndrew Tridgell1-2/+7
(This used to be commit ed6279481bfcb21212e9c22009969c19ea4f1646)
2001-12-11allow overriding the local time in kerberos_kinit_password()Andrew Tridgell1-2/+8
(This used to be commit cb9dbcef7cba9eb42f7b30b81c35142dc945d84f)
2001-12-10moved ccache location change into winbindd codeAndrew Tridgell1-8/+0
(This used to be commit be254eb13c4bf316823ed43db3ef9407f45ca23b)
2001-12-09fixed used of string after freeAndrew Tridgell1-1/+1
(This used to be commit f7ead035ebe55e94cdd5807b173bd4612866b06f)
2001-12-08added internal sasl/gssapi code. This means we are no longer dependent on ↵Andrew Tridgell1-7/+17
cyrus-sasl which makes the code much less fragile. Also added code to auto-determine the server name or realm (This used to be commit 435fdf276a79c2a517adcd7726933aeef3fa924b)
2001-12-06put the winbindd krb5 credentials cache in the lock directoryAndrew Tridgell1-0/+4
this prevents it clobbering the users cache (This used to be commit 3de552f365373de85298dbe911143e036805f9ea)
2001-12-06added a propoer kerberos_kinit_password callAndrew Tridgell1-11/+65
contribution from remus@snapserver.com thanks! (This used to be commit 3ace8f1fcc27492d26f5ad0c3cdfc63235ca0609)
2001-12-05added a REALLY gross hack into kerberos_kinit_password so thatAndrew Tridgell1-0/+21
winbindd can do a kinit this will be removed once we have code that gets a tgt and puts it in a place where cyrus-sasl can see it (This used to be commit 7d94f1b7365215a020d3678d03d820a7d086174f)
2001-11-29Make better use of the ads_init() function to get the kerberos relam etc.Andrew Bartlett1-2/+3
This allows us to use automagically obtained values in future, and the value from krb5.conf now. Also fix mem leaks etc. Andrew Bartlett (This used to be commit 8f9ce717819235d98a1463f20ac659cb4b4ebbd2)
2001-11-24added "net join" commandAndrew Tridgell1-0/+149
this completes the first stage of the smbd ADS support (This used to be commit 058a5aee901e6609969ef7e1d482a720a84a4a12)