summaryrefslogtreecommitdiff
path: root/source3/libads/kerberos_verify.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r24066: Fix memleak found by Volker. We don't leak keys now with MIT and ↵Günther Deschner1-0/+1
Heimdal. Guenther (This used to be commit 7755ad750facc44b6a5df2136cb536547048cd48)
2007-10-10r24065: According to gd, this breaks heimdal. Thanks for checking!Volker Lendecke1-3/+0
(This used to be commit ea5f53eac81e8a969587eb3996b16a1afd948877)
2007-10-10r24058: Fix some memory leaks in ads_secrets_verify_ticket.Volker Lendecke1-0/+3
Jeremy, Günther, please review! Thanks, Volker (This used to be commit 000e096c277a71ca30c1c109aae62241ad466bee)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r23647: Use smb_krb5_open_keytab() in smbd as well.Günther Deschner1-2/+2
Guenther (This used to be commit d22c0d291e1b4a1412164d257310bbbb99de6500)
2007-10-10r23477: Build farm fix: Use int rather than MIT's krb5_int32 when setting ↵Gerald Carter1-1/+1
context flags. (This used to be commit 903145e957cd05b219fdf7d5fc1e35430938a24e)
2007-10-10r23474: Here's a small patch that disables the libkrb5.so replay cacheGerald Carter1-39/+63
when verifying a ticket from winbindd_pam.c. I've found during multiple, fast, automated SSH logins (such as from a cron script) that the replay cache in MIT's krb5 lib will occasionally fail the krb5_rd_req() as a replay attack. There seems to be a small window during which the MIT krb5 libs could reproduce identical time stamps for ctime and cusec in the authenticator since Unix systems only give back milli-seconds rather than the micro-seconds needed by the authenticator. Checked against MIT 1.5.1. Have not researched how Heimdal does it. My thinking is that if someone can spoof the KDC and TDS services we are pretty hopeless anyways. (This used to be commit cbd33da9f78373e29729325bbab1ae9040712b11)
2007-10-10r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; andVolker Lendecke1-2/+2
replace all data_blob(NULL, 0) calls. (This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
2007-10-10r21845: Refactor the sessionsetupX code a little to allow usJeremy Allison1-31/+72
to return a NT_STATUS_TIME_DIFFERENCE_AT_DC error to a client when there's clock skew. Will help people debug this. Prepare us for being able to return the correct sessionsetupX "NT_STATUS_MORE_PROCESSING_REQUIRED" error with associated krb5 clock skew error to allow clients to re-sync time with us when we're eventually able to be a KDC. Jeremy. (This used to be commit c426340fc79a6b446033433b8de599130adffe28)
2007-10-10r21558: Safe more indent, again no code changes.Günther Deschner1-37/+37
Guenther (This used to be commit 7b18a4730d61c04867fc11df8980943d422589d8)
2007-10-10r21557: indent only fix. No code change.Günther Deschner1-49/+49
Guenther (This used to be commit 8ff0903a17cfd8c09b73ef637484a72719e82071)
2007-10-10r21556: Remove superfluos return check in ads_keytab_verify_ticket().Günther Deschner1-2/+0
Guenther (This used to be commit 020601ea0abeb15f2aef9da354fcf6d7d5459710)
2007-10-10r18047: More C++ stuffVolker Lendecke1-2/+2
(This used to be commit 86f4ca84f2df2aa8977eb24828e3aa840dda7201)
2007-10-10r17972: revert accidental commit to ads_verify_ticket()Gerald Carter1-7/+5
(This used to be commit 95f6b22e5179e1fb738c07112de2e06024fc9a83)
2007-10-10r17971: Disable storing SIDs in the S-1-22-1 and S-1-22-2 domain to the ↵Gerald Carter1-5/+7
SID<->uid/gid cache. FIxes a bug in token creation (This used to be commit fa05708789654a8a34cb4a4068514a0b3d950653)
2007-10-10r16952: New derive DES salt code and Krb5 keytab generationGerald Carter1-9/+5
Major points of interest: * Figure the DES salt based on the domain functional level and UPN (if present and applicable) * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC keys * Remove all the case permutations in the keytab entry generation (to be partially re-added only if necessary). * Generate keytab entries based on the existing SPN values in AD The resulting keytab looks like: ktutil: list -e slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName) and the sAMAccountName value. The UPN will be added as well if the machine has one. This fixes 'kinit -k'. Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket() continues to work with RC4-HMAC and DES keys. (This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
2007-10-10r15523: Honour the time_offset also when verifying kerberos tickets. ThisGünther Deschner1-1/+6
prevents a nasty failure condition in winbindd's pam_auth where a tgt and a service ticket could have been succefully retrieved, but just not validated. Guenther (This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)
2007-10-10r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name,Jeremy Allison1-11/+9
smb_krb5_parse_name_norealm_conv that pull/push from unix charset to utf8 (which krb5 uses on the wire). This should fix issues when the unix charset is not compatible with or set to utf8. Jeremy. (This used to be commit 37ab42afbc9a79cf5b04ce6a1bf4060e9c961199)
2007-10-10r14682: Small cleanup in ads_verify_ticket.Günther Deschner1-6/+5
Guenther (This used to be commit 90df68634b508b0a58f0a15ab62e9cead85765b6)
2007-10-10r14576: Skip remaining keytab entries when we have a clear indication thatGünther Deschner1-1/+23
krb5_rd_req could decrypt the ticket but that ticket is just not valid at the moment (either not yet valid or already expired). (This also prevents an MIT kerberos related crash) Guenther (This used to be commit 8a0c1933d3f354a8aff67482b8c7d0d1083e0c8f)
2007-10-10r11846: Destroy the TALLOC_CTX on error in the Kerberos session setup and give aGünther Deschner1-3/+3
more precise inline comment why PAC verification may fail. Guenther (This used to be commit 43b57715e9b44a0a0c7cc7fe3674a5fd4369e78b)
2007-10-10r10907: Handle the case when we can't verify the PAC signature because theGünther Deschner1-5/+7
ticket was encrypted using a DES key (and the Windows KDC still puts CKSUMTYPE_HMAC_MD5_ARCFOUR in the PAC). In that case, return to old behaviour and ignore the PAC. Thanks to Chengjie Liu <chengjie.liu@datadomain.com>. Guenther (This used to be commit 48d8a9dd9f573d0d913a26a62e4ad3d224731343)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-20/+74
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10285: Doh ! Guenther spotted this stupid cut-n-paste bug...Jeremy Allison1-1/+0
Thanks Guenther ! Jeremy. (This used to be commit 7335440e480599a6e16780976ab36651a6fb969d)
2007-10-10r10211: Fix another memleak (this time in the kerberos keytab code)Günther Deschner1-1/+5
Guenther (This used to be commit 9796bf45895681fee243ca8fd8297ff270c7547c)
2007-10-10r5762: Modified version of patch from Michael Brown ↵Jeremy Allison1-65/+99
<mbrown@fensystems.co.uk> to case insentively search for a principal match on logon verification in the system keytab. UNTESTED (although it compiles). Please test. Jeremy. (This used to be commit 1ace2ca1be65b4d6e92a98040fd09fdca74e8c8a)
2007-10-10r4882: Fix for #2255. Debug should have been 10 not 0.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 5557e1409a9a22759ca3bea021d4a662099e683a)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-1/+1
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3495: Fix the build (recent kerberos-changes).Günther Deschner1-1/+0
Guenther (This used to be commit c7eab285d967345510a15e83bce508edb8e06e99)
2007-10-10r3451: Finish off kerberos salting patch. Needs testing !Jeremy Allison1-3/+2
Jeremy. (This used to be commit ff4cb6b5e80731856d6f3f7eebd8fc23902e3580)
2007-10-10r3381: More merging of the #1717 patch. Fixup some erroneous assumptions aboutJeremy Allison1-59/+67
memcpy's into fqdn names. I think the original intent was to create MYNAME.fqdn.tail.part. Will need testing to see I haven't broken keytab support. Jeremy. (This used to be commit 82acf83040654eb8b7e261518a3e5eb9caea7750)
2007-10-10r1789: compiler warnings from SuSEGerald Carter1-0/+4
(This used to be commit 7e44193be103fad273796218c8f5e5f9a1657c3c)
2007-10-10r1285: Put variable definitions into a block before the statements...Volker Lendecke1-1/+1
Volker (This used to be commit e8786506b86f129ba6401c09b89a26bfb335440e)
2007-10-10r1282: gcc 3.2 on SuSE 8.2 does not like #ifdefs inside a macro argument ↵Volker Lendecke1-3/+5
(DEBUG). Volker (This used to be commit b491e76625f0d20fa9db2a3dbb22adc34ca7d414)
2007-10-10r1244: More Heimdal compile fixes.Jeremy Allison1-3/+9
Jeremy. (This used to be commit 92a5dc1880a4fe0f3c3b56fc0958dbac77506b4f)
2007-10-10r1236: Heimdal fixes from Guenther Deschner <gd@sernet.de>, more to come beforeJeremy Allison1-0/+8
it compiles with Heimdal. Jeremy. (This used to be commit dd07278b892770ac51750b87a4ab902d4de3a960)
2007-10-10r1215: Intermediate checkin of the new keytab code. I need to make sure IJeremy Allison1-99/+198
haven't broken krb5 ticket verification in the mainline code path, also need to check with valgrind. Everything now compiles (MIT, need to also check Heimdal) and the "net keytab" utility code will follow. Jeremy. (This used to be commit f0f2e28958cb9abfed216c71f291f19ea346d630)
2004-02-03Fix for a bug where the mutex could be left locked. Also remove theJeremy Allison1-146/+8
memory keytab code which has no effect. Driven by bug report from "Rob J. Caskey" <rcaskey@uga.edu>. Jeremy. (This used to be commit 4cb8facbf9fa6fa5233fdb363ceac4b304d263d4)
2004-01-06Fix segfualt caused by incorrect configuration. If lp_realm() was not set,Andrew Bartlett1-5/+9
but security=ADS, we would attempt to free the principal name that krb5 never allocated. Also fix the dump_data() of the session key, now that we use a data_blob to store that. Andrew Bartlett (This used to be commit 4ad67f13404ef0118265ad66d8bdfa256c914ad0)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-1/+1
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-10-17Add configure test for krb5_keytab_entry keyblock vs key member. Bug #636.Tim Potter1-4/+12
(This used to be commit 3daefe9d17fb2c7b1c4d21593465e6788555b0fb)
2003-09-03Try to add memory keytab support. It also includes much of the genericJim McDonough1-1/+141
keytab support code, but it won't be enabled until we add that to smb.conf. Adapted from the work of Guenther Deschner (gd@suse.com). Please hammer on this... (This used to be commit a26fa5bee24c73cd835f59bb18162ab07760d76a)
2003-08-25Fix segfault. krb5_free_ticket does not check if it got a NULL ticket.Volker Lendecke1-1/+2
(This used to be commit 97e4778103744419ecaeb0058460041ef01b2e2a)
2003-08-15Fix memleaks.Volker Lendecke1-7/+11
Currently I'm compiling against MIT Kerberos 1.2.8. Anthony, you said you have a heimdal installation available. Could you please compile this stuff with krb and check it with valgrind? Thanks, Volker (This used to be commit d8ab44685994b302bb46eed9001c72c194d13dc8)
2003-08-14In ads_verify_realm, all we use in the ADS_STRUCT is theVolker Lendecke1-2/+2
auth.realm. So directly pass that instead of setting up and tearing down the ADS_STRUCT. Volker (This used to be commit ce5b8d2ec20fe1f4d3d1956020d88272fb84124a)
2003-07-30Don't revert something until you've seen if volker has already fixed it :-).Jeremy Allison1-4/+0
Jeremy. (This used to be commit d57d9b99dfc2a83d91b952a11eb1ae4cf37e6467)
2003-07-30Comment out mutex until I get dependencies sorted out...Jeremy Allison1-0/+4
Jeremy (This used to be commit 382d1732ca8e4d0909eb5a95f7327213913da37b)
2003-07-29Put mutex around access of replay cache for krb5 tickets. krb5 replay cacheJeremy Allison1-4/+13
is not multi-process safe. Jeremy. (This used to be commit 9e0534a1b69bbd4f21b4925337cbab127d060fc6)
2003-07-29Typo on my part. I typed KRB5_KDB_BAD_ENCTYPE when I meant to type ↵Jeremy Allison1-1/+1
KRB5_BAD_ENCTYPE. Heimdal has the latter, not the former. Jeremy. (This used to be commit e8425df77c2e917c819592d93833a164ee3b5338)