summaryrefslogtreecommitdiff
path: root/source3/libads/kerberos_keytab.c
AgeCommit message (Collapse)AuthorFilesLines
2010-08-13s3-krb5 Only build ADS support if arcfour-hmac-md5 is availableAndrew Bartlett1-5/+4
Modern Kerberos implementations have either defines or enums for these key types, which makes doing #ifdef difficult. This shows up in files such as libnet_samsync_keytab.c, the bulk of which is not compiled on current Fedora 12, for example. The downside is that this makes Samba unconditionally depend on the arcfour-hmac-md5 encryption type at build time. We will no longer support libraries that only support the DES based encryption types. However, the single-DES types that are supported in common with AD are already painfully weak - so much so that they are disabled by default in modern Kerberos libraries. If not found, ADS support will not be compiled in. This means that our 'net ads join' will no longer set the ACB_USE_DES_KEY_ONLY flag, and we will always try to use arcfour-hmac-md5. A future improvement would be to remove the use of the DES encryption types totally, but this would require that any ACB_USE_DES_KEY_ONLY flag be removed from existing joins. Andrew Bartlett Signed-off-by: Simo Sorce <idra@samba.org>
2010-08-05s3-secrets: only include secrets.h when needed.Günther Deschner1-0/+1
Guenther
2010-08-05s3: avoid global include of ads.h.Günther Deschner1-0/+1
Guenther
2009-11-27s3-kerberos: only use krb5 headers where required.Günther Deschner1-0/+1
This seems to be the only way to deal with mixed heimdal/MIT setups during merged build. Guenther
2009-04-07s3:kerberos Rework smb_krb5_unparse_name() to take a talloc contextAndrew Bartlett1-13/+14
Signed-off-by: Günther Deschner <gd@samba.org>
2008-12-23More asprintf warning fixes.Jeremy Allison1-4/+16
Jeremy.
2008-12-02s3-net: allow to list a keytab generated using net rpc vampire.Günther Deschner1-2/+5
Guenther
2008-08-29kerberos: use KRB5_KT_KEY macro where appropriate.Günther Deschner1-9/+2
Guenther (This used to be commit a042dffd7121bda3dbc9509f69fcfae06ed4cc22)
2008-07-30Fix uninitialized variables.Jeremy Allison1-0/+1
Jeremy. (This used to be commit 1db7e00a5400863fd5dbb81c1a4c6ea6092d0495)
2008-07-18kerberos: make smb_krb5_kt_add_entry() static.Günther Deschner1-6/+6
Guenther (This used to be commit 04b1847f87d166819dfe0f8c27c8cd9fc062544f)
2008-06-30kerberos: allow to keep entries with old kvno's while creating keytab.Günther Deschner1-2/+4
Guenther (This used to be commit 6194244bd9fcc1fb736f3d91433f107270cac1c9)
2008-06-30kerberos: rename smb_krb5_kt_add_entry to smb_krb5_kt_add_entry_ext.Günther Deschner1-25/+39
Guenther (This used to be commit 48600a0019d70d22574cf08e8fe19d44cc332a0f)
2008-06-24kerberos: make smb_krb5_kt_add_entry public, allow to pass keys without ↵Günther Deschner1-6/+10
salting them. Guenther (This used to be commit 7c4da23be1105dc224033b21eb486e7fcdc7d9c5)
2008-06-17libads: add ads_get_machine_kvno() to make ads_get_kvno() a bit more generic.Günther Deschner1-5/+5
Guenther (This used to be commit cb7ace209c2051ae02647188715fa6ee324c2bf6)
2007-10-18RIP BOOL. Convert BOOL -> bool. I found a few interestingJeremy Allison1-1/+1
bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r23651: Always, always, always compile before commit...Günther Deschner1-1/+1
Guenther (This used to be commit accb40446ad3f872c5167fc2306d892553293b7b)
2007-10-10r23650: Fix remaining callers of krb5_kt_default().Günther Deschner1-3/+4
Guenther (This used to be commit b9d7a2962a472afb0c6b8e3ac5c2c819d4af2b39)
2007-10-10r23649: Fix the build (by moving smb_krb5_open_keytab() to clikrb5.c).Günther Deschner1-137/+1
Guenther (This used to be commit 19020d19dca7f34be92c8c2ec49ae7dbde60f8c1)
2007-10-10r23648: Allow to list a custom krb5 keytab file with:Günther Deschner1-2/+2
net ads keytab list /path/to/krb5.keytab Guenther (This used to be commit a2befee3f240543ea02ea99cebad886b54ae64eb)
2007-10-10r23646: Generalize our internal keytab handling to support a broader range ↵Günther Deschner1-47/+140
of default keytabnames (like "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab"). This also fixes keytab support with Heimdal (which supports the WRFILE pragma as well now). Guenther (This used to be commit 7ca002f4cc9ec4139c0c48952ebf05f89b5795ef)
2007-10-10r22479: Add "net ads keytab list".Günther Deschner1-0/+112
Guenther (This used to be commit 9ec76c542775ae58ff03f42ebfa1acc1a63a1bb1)
2007-10-10r21863: Fix debug messages with incorrect function name.Jeremy Allison1-15/+15
Jeremy. (This used to be commit d432d81c8321a4444b970169a5c7c3c5709de8e5)
2007-10-10r21561: It makes absolutely no sense to call krb5_kt_resolve() two timesGünther Deschner1-6/+1
directly after another. Guenther (This used to be commit 76ba11d7770bac7c6db2eb1640139bbe270d82c3)
2007-10-10r20486: Always upper case the "host/<sAMAccoutnName>" entry in the keytab fileGerald Carter1-1/+6
so apps will know which one to look for, (This used to be commit d4a5dc3ad5f56a5f741424ecc4fffa0ef39bdc67)
2007-10-10r16952: New derive DES salt code and Krb5 keytab generationGerald Carter1-176/+215
Major points of interest: * Figure the DES salt based on the domain functional level and UPN (if present and applicable) * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC keys * Remove all the case permutations in the keytab entry generation (to be partially re-added only if necessary). * Generate keytab entries based on the existing SPN values in AD The resulting keytab looks like: ktutil: list -e slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName) and the sAMAccountName value. The UPN will be added as well if the machine has one. This fixes 'kinit -k'. Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket() continues to work with RC4-HMAC and DES keys. (This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
2007-10-10r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name,Jeremy Allison1-11/+11
smb_krb5_parse_name_norealm_conv that pull/push from unix charset to utf8 (which krb5 uses on the wire). This should fix issues when the unix charset is not compatible with or set to utf8. Jeremy. (This used to be commit 37ab42afbc9a79cf5b04ce6a1bf4060e9c961199)
2007-10-10r5759: Patch from Doug VanLeuven <roamdad@sonic.net> to add more case/realm/nameJeremy Allison1-2/+21
permutations to the kerberos keytab. Jeremy. (This used to be commit c687e73f242967cd3a78db66c1dd23349766ebb8)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-1/+1
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3502: Tidy up debugging in kerberos_keytab code.Jeremy Allison1-32/+48
Jeremy. (This used to be commit 82651c1b1704d90ca52be1463ee871801c607d3b)
2007-10-10r3492: Fixes from testing kerberos salted principal fix.Jeremy Allison1-1/+1
Jeremy. (This used to be commit b356a8fdc5a1ac45f2f7f56a0836e794bdecddc6)
2007-10-10r3381: More merging of the #1717 patch. Fixup some erroneous assumptions aboutJeremy Allison1-3/+10
memcpy's into fqdn names. I think the original intent was to create MYNAME.fqdn.tail.part. Will need testing to see I haven't broken keytab support. Jeremy. (This used to be commit 82acf83040654eb8b7e261518a3e5eb9caea7750)
2007-10-10r3379: More merging of kerberos keytab and salting fixes from Nalin ↵Jeremy Allison1-15/+74
Dahyabhai <nalin@redhat.com> (bugid #1717). Jeremy. (This used to be commit 30b8807cf6d5c3c5b9947a7e841d69f0b22eb019)
2007-10-10r1373: Fix from Guenther Deschner <gd@sernet.de> to ensure last error return ↵Jeremy Allison1-1/+2
is not invalid. Jeremy. (This used to be commit 4bdf914cba2a63d186138d1341a7260ad79da1f5)
2007-10-10r1243: Fix so this compiles with Heimdal (in Heimdal krb5_kt_cursor is a ↵Jeremy Allison1-16/+34
struct not a pointer). Jeremy. (This used to be commit 940f893d485a01e73afe714a70d724c2d41c7ad4)
2007-10-10r1236: Heimdal fixes from Guenther Deschner <gd@sernet.de>, more to come beforeJeremy Allison1-9/+12
it compiles with Heimdal. Jeremy. (This used to be commit dd07278b892770ac51750b87a4ab902d4de3a960)
2007-10-10r1222: Valgrind memory leak fixes. Still tracking down a strange one...Jeremy Allison1-0/+4
Can't fix the krb5 memory leaks inside that library :-(. Jeremy. (This used to be commit ad440213aaae58fb5bff6e8a6fcf811c5ba83669)
2007-10-10r1221: Added the last of the system keytab patch from "Dan Perry" ↵Jeremy Allison1-1/+1
<dperry@pppl.gov>, fixed valgrind detected mem corruption in libads/kerberos_keytab.c. Jeremy. (This used to be commit 286f4c809cb1532b3f8ae7ddf92349c68cc8ce31)
2007-10-10r1215: Intermediate checkin of the new keytab code. I need to make sure IJeremy Allison1-23/+7
haven't broken krb5 ticket verification in the mainline code path, also need to check with valgrind. Everything now compiles (MIT, need to also check Heimdal) and the "net keytab" utility code will follow. Jeremy. (This used to be commit f0f2e28958cb9abfed216c71f291f19ea346d630)
2007-10-10r1214: Now compiles. Changed krb5_kt_free_entry to ↵Jeremy Allison1-12/+12
krb5_free_keytab_entry_contents Jeremy. (This used to be commit be8a2dc00dd876c4b596600ae72d4ac05f9ebe64)
2007-10-10r1193: Ensure we check for and use krb5_free_unparsed_name().Jeremy Allison1-3/+4
Jeremy. (This used to be commit af5a08f5ad895cb33c9134771da19ba5e709e742)
2007-10-10r1192: Fixed all memleaks/error code return path leaks I can find. Not sure ↵Jeremy Allison1-42/+94
if compiles yet, but will soon :-). Jeremy. (This used to be commit 0d982956f6ba2f284ffa4313a9e7581a79dbf397)
2007-10-10r1184: Keep latest changes... not compilable yet.Jeremy Allison1-13/+30
Jeremy. (This used to be commit 57c037c6c92d28b70e36859a639c53979126ff01)
2007-10-10r1183: Updates to the code cleanup so I don't lose my changes...Jeremy Allison1-52/+62
Jeremy. (This used to be commit 786a440c189556d5c122b2c9ddca9fdf6bd65d1d)
2007-10-10r1182: Partial re-write of keytab code to clean up, remove memory leaks etc. ↵Jeremy Allison1-47/+77
Work in progress ! It seems the krb5 interfaces are so horrible it's impossible to write good error checking code :-(. Jeremy. (This used to be commit 03f8c8bc07c9d8a378a34c271dcc088d17adb342)
2007-10-10r1180: New file - basis of new system keytab code.Jeremy Allison1-0/+434
Jeremy. (This used to be commit 858e849af697bba67ebaa970257d93b6cff7d9e0)