Age | Commit message (Collapse) | Author | Files | Lines |
|
Heimdal's krb5_kt_start_seq_get() will leave a non 0 fd in the krb5_kt_cursor
struct when it cannot find a given keytab.
Guenther
|
|
|
|
|
|
|
|
|
|
|
|
add helper function for both smb_krb5_kt_add_entry_ext() and
ads_keytab_flush()
|
|
Modern Kerberos implementations have either defines or enums for these
key types, which makes doing #ifdef difficult. This shows up in files
such as libnet_samsync_keytab.c, the bulk of which is not compiled on
current Fedora 12, for example.
The downside is that this makes Samba unconditionally depend on the
arcfour-hmac-md5 encryption type at build time. We will no longer
support libraries that only support the DES based encryption types.
However, the single-DES types that are supported in common with AD are
already painfully weak - so much so that they are disabled by default
in modern Kerberos libraries.
If not found, ADS support will not be compiled in.
This means that our 'net ads join' will no longer set the
ACB_USE_DES_KEY_ONLY flag, and we will always try to use
arcfour-hmac-md5.
A future improvement would be to remove the use of the DES encryption
types totally, but this would require that any ACB_USE_DES_KEY_ONLY
flag be removed from existing joins.
Andrew Bartlett
Signed-off-by: Simo Sorce <idra@samba.org>
|
|
Guenther
|
|
Guenther
|
|
This seems to be the only way to deal with mixed heimdal/MIT setups during
merged build.
Guenther
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Jeremy.
|
|
Guenther
|
|
Guenther
(This used to be commit a042dffd7121bda3dbc9509f69fcfae06ed4cc22)
|
|
Jeremy.
(This used to be commit 1db7e00a5400863fd5dbb81c1a4c6ea6092d0495)
|
|
Guenther
(This used to be commit 04b1847f87d166819dfe0f8c27c8cd9fc062544f)
|
|
Guenther
(This used to be commit 6194244bd9fcc1fb736f3d91433f107270cac1c9)
|
|
Guenther
(This used to be commit 48600a0019d70d22574cf08e8fe19d44cc332a0f)
|
|
salting them.
Guenther
(This used to be commit 7c4da23be1105dc224033b21eb486e7fcdc7d9c5)
|
|
Guenther
(This used to be commit cb7ace209c2051ae02647188715fa6ee324c2bf6)
|
|
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
|
|
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
|
|
Jeremy.
(This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
|
|
Guenther
(This used to be commit accb40446ad3f872c5167fc2306d892553293b7b)
|
|
Guenther
(This used to be commit b9d7a2962a472afb0c6b8e3ac5c2c819d4af2b39)
|
|
Guenther
(This used to be commit 19020d19dca7f34be92c8c2ec49ae7dbde60f8c1)
|
|
net ads keytab list /path/to/krb5.keytab
Guenther
(This used to be commit a2befee3f240543ea02ea99cebad886b54ae64eb)
|
|
of default
keytabnames (like "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab"). This also
fixes keytab support with Heimdal (which supports the WRFILE pragma as well
now).
Guenther
(This used to be commit 7ca002f4cc9ec4139c0c48952ebf05f89b5795ef)
|
|
Guenther
(This used to be commit 9ec76c542775ae58ff03f42ebfa1acc1a63a1bb1)
|
|
Jeremy.
(This used to be commit d432d81c8321a4444b970169a5c7c3c5709de8e5)
|
|
directly after another.
Guenther
(This used to be commit 76ba11d7770bac7c6db2eb1640139bbe270d82c3)
|
|
so apps will know which one to look for,
(This used to be commit d4a5dc3ad5f56a5f741424ecc4fffa0ef39bdc67)
|
|
Major points of interest:
* Figure the DES salt based on the domain functional level
and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
keys
* Remove all the case permutations in the keytab entry
generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
in AD
The resulting keytab looks like:
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value. The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.
Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
|
|
smb_krb5_parse_name_norealm_conv that pull/push from unix charset
to utf8 (which krb5 uses on the wire). This should fix issues when
the unix charset is not compatible with or set to utf8.
Jeremy.
(This used to be commit 37ab42afbc9a79cf5b04ce6a1bf4060e9c961199)
|
|
permutations to the kerberos keytab.
Jeremy.
(This used to be commit c687e73f242967cd3a78db66c1dd23349766ebb8)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
Jeremy.
(This used to be commit 82651c1b1704d90ca52be1463ee871801c607d3b)
|
|
Jeremy.
(This used to be commit b356a8fdc5a1ac45f2f7f56a0836e794bdecddc6)
|
|
memcpy's into fqdn names. I think the original intent was to create
MYNAME.fqdn.tail.part.
Will need testing to see I haven't broken keytab support.
Jeremy.
(This used to be commit 82acf83040654eb8b7e261518a3e5eb9caea7750)
|
|
Dahyabhai <nalin@redhat.com>
(bugid #1717).
Jeremy.
(This used to be commit 30b8807cf6d5c3c5b9947a7e841d69f0b22eb019)
|
|
is not invalid.
Jeremy.
(This used to be commit 4bdf914cba2a63d186138d1341a7260ad79da1f5)
|
|
struct not a pointer).
Jeremy.
(This used to be commit 940f893d485a01e73afe714a70d724c2d41c7ad4)
|
|
it compiles with Heimdal.
Jeremy.
(This used to be commit dd07278b892770ac51750b87a4ab902d4de3a960)
|
|
Can't fix the krb5 memory leaks inside that library :-(.
Jeremy.
(This used to be commit ad440213aaae58fb5bff6e8a6fcf811c5ba83669)
|
|
<dperry@pppl.gov>,
fixed valgrind detected mem corruption in libads/kerberos_keytab.c.
Jeremy.
(This used to be commit 286f4c809cb1532b3f8ae7ddf92349c68cc8ce31)
|
|
haven't broken krb5 ticket verification in the mainline code path,
also need to check with valgrind. Everything now compiles (MIT, need
to also check Heimdal) and the "net keytab" utility code will follow.
Jeremy.
(This used to be commit f0f2e28958cb9abfed216c71f291f19ea346d630)
|
|
krb5_free_keytab_entry_contents
Jeremy.
(This used to be commit be8a2dc00dd876c4b596600ae72d4ac05f9ebe64)
|
|
Jeremy.
(This used to be commit af5a08f5ad895cb33c9134771da19ba5e709e742)
|
|
if compiles yet,
but will soon :-).
Jeremy.
(This used to be commit 0d982956f6ba2f284ffa4313a9e7581a79dbf397)
|