summaryrefslogtreecommitdiff
path: root/source3/libads/kerberos_verify.c
AgeCommit message (Collapse)AuthorFilesLines
2011-04-20libcli/auth Move PAC parsing and verification in common.Andrew Bartlett1-3/+3
This uses the source3 PAC code (originally from Samba4) with some small changes to restore functionality needed by the torture tests, and to have a common API. Andrew Bartlett
2010-08-13s3-krb5 Only build ADS support if arcfour-hmac-md5 is availableAndrew Bartlett1-2/+0
Modern Kerberos implementations have either defines or enums for these key types, which makes doing #ifdef difficult. This shows up in files such as libnet_samsync_keytab.c, the bulk of which is not compiled on current Fedora 12, for example. The downside is that this makes Samba unconditionally depend on the arcfour-hmac-md5 encryption type at build time. We will no longer support libraries that only support the DES based encryption types. However, the single-DES types that are supported in common with AD are already painfully weak - so much so that they are disabled by default in modern Kerberos libraries. If not found, ADS support will not be compiled in. This means that our 'net ads join' will no longer set the ACB_USE_DES_KEY_ONLY flag, and we will always try to use arcfour-hmac-md5. A future improvement would be to remove the use of the DES encryption types totally, but this would require that any ACB_USE_DES_KEY_ONLY flag be removed from existing joins. Andrew Bartlett Signed-off-by: Simo Sorce <idra@samba.org>
2010-08-06s3-krb5: include krb5pac.h where needed.Günther Deschner1-0/+1
Guenther
2010-08-05s3-secrets: only include secrets.h when needed.Günther Deschner1-0/+1
Guenther
2010-08-05s3: avoid global include of ads.h.Günther Deschner1-0/+1
Guenther
2010-07-30cleanups: Trailing spaces, line length, etc...Simo Sorce1-111/+163
2010-07-20s3-libsmb: Use data_blob_talloc to get krb5 ticket and session keysSimo Sorce1-1/+2
2010-06-02s3: Allow previous password to be stored and use it to check ticketsMatthieu Patou1-37/+58
This patch is to fix bug 7099. It stores the current password in the previous password key when the password is changed. It also check the user ticket against previous password. Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-11s3:kerberos Return PAC_LOGON_INFO rather than the full PAC_DATAAndrew Bartlett1-5/+20
All the callers just want the PAC_LOGON_INFO, so search for that in ads_verify_ticket(), and don't bother the callers with the rest of the PAC. This change makes sense on it's own (removing boilerplate wrappers that just confuse the code), but it also makes it much easier to implement a matching ads_verify_ticket() function in Samba4 for the s3compat proposal. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2009-11-27s3-kerberos: only use krb5 headers where required.Günther Deschner1-0/+1
This seems to be the only way to deal with mixed heimdal/MIT setups during merged build. Guenther
2009-04-07s3:kerberos Rework smb_krb5_unparse_name() to take a talloc contextAndrew Bartlett1-3/+3
Signed-off-by: Günther Deschner <gd@samba.org>
2009-02-03s3-kerberos: use KRB5_KT_KEY compat macro.Günther Deschner1-7/+1
Guenther
2009-02-03s3-kerberos: fix ads_dedicated_keytab_verify_ticket with heimdal.Günther Deschner1-3/+10
Guenther
2009-02-03Revert "fix for commit d96248a9b46 which broke Heimdal builds"Günther Deschner1-6/+0
This does not build. This reverts commit af736923a541df1a37afeb72b8a5652932c4c69c.
2009-02-02fix for commit d96248a9b46 which broke Heimdal buildsBjörn Jacke1-0/+6
2009-02-01Add two new parameters to control how we verify kerberos tickets. Removes ↵Dan Sledz1-17/+112
lp_use_kerberos_keytab parameter. The first is "kerberos method" and replaces the "use kerberos keytab" with an enum. Valid options are: secrets only - use only the secrets for ticket verification (default) system keytab - use only the system keytab for ticket verification dedicated keytab - use a dedicated keytab for ticket verification. secrets and keytab - use the secrets.tdb first, then the system keytab For existing installs: "use kerberos keytab = yes" corresponds to secrets and keytab "use kerberos keytab = no" corresponds to secrets only The major difference between "system keytab" and "dedicated keytab" is that the latter method relies on kerberos to find the correct keytab entry instead of filtering based on expected principals. The second parameter is "dedicated keytab file", which is the keytab to use when in "dedicated keytab" mode. This keytab is only used in ads_verify_ticket.
2008-12-30Fix more "ignore return value" warnings from gcc 4.3.Jeremy Allison1-9/+22
Jeremy
2008-06-24kerberos: make smb_krb5_kt_add_entry public, allow to pass keys without ↵Günther Deschner1-1/+1
salting them. Guenther (This used to be commit 7c4da23be1105dc224033b21eb486e7fcdc7d9c5)
2008-04-10Fix typo.Karolin Seeger1-1/+1
Karolin (This used to be commit 42fbbeb1caf93e4e17bb62f31ff90a853bd169fb)
2008-04-09Fix typos.Karolin Seeger1-1/+1
Karolin (This used to be commit 6cee34703503fbf3629057345fe221b866560648)
2008-03-10Use a separate tdb for mutexesVolker Lendecke1-9/+6
Another preparation to convert secrets.c to dbwrap: The dbwrap API does not provide a sane tdb_lock_with_timeout abstraction. In the clustered case the DC mutex is needed per-node anyway, so it is perfectly fine to use a local mutex only. (This used to be commit f94a63cd8f94490780ad9331da229c0bcb2ca5d6)
2008-02-17Fix some more callers of PAC_DATA.Günther Deschner1-1/+1
Guenther (This used to be commit ea609d1b0e82d7c366dd73013228003136264b64)
2008-01-11Fix CID 476. Ensure a valid pac_data pointer is always passed toJeremy Allison1-2/+1
ads_verify_ticket as it's always derefed. Jeremy. (This used to be commit 0599d57efff0f417f75510e8b08c3cb7b4bcfcd8)
2007-10-18RIP BOOL. Convert BOOL -> bool. I found a few interestingJeremy Allison1-7/+7
bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-10r25080: Once we decrypted the packet but have timing problems (closkew, tkt ↵Günther Deschner1-1/+9
not yet or no longer valid) there is no point to bother the keytab routines. Guenther (This used to be commit 7e4dcf8e7ecfd35668e86e22bed5a9280ae83959)
2007-10-10r24066: Fix memleak found by Volker. We don't leak keys now with MIT and ↵Günther Deschner1-0/+1
Heimdal. Guenther (This used to be commit 7755ad750facc44b6a5df2136cb536547048cd48)
2007-10-10r24065: According to gd, this breaks heimdal. Thanks for checking!Volker Lendecke1-3/+0
(This used to be commit ea5f53eac81e8a969587eb3996b16a1afd948877)
2007-10-10r24058: Fix some memory leaks in ads_secrets_verify_ticket.Volker Lendecke1-0/+3
Jeremy, Günther, please review! Thanks, Volker (This used to be commit 000e096c277a71ca30c1c109aae62241ad466bee)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r23647: Use smb_krb5_open_keytab() in smbd as well.Günther Deschner1-2/+2
Guenther (This used to be commit d22c0d291e1b4a1412164d257310bbbb99de6500)
2007-10-10r23477: Build farm fix: Use int rather than MIT's krb5_int32 when setting ↵Gerald Carter1-1/+1
context flags. (This used to be commit 903145e957cd05b219fdf7d5fc1e35430938a24e)
2007-10-10r23474: Here's a small patch that disables the libkrb5.so replay cacheGerald Carter1-39/+63
when verifying a ticket from winbindd_pam.c. I've found during multiple, fast, automated SSH logins (such as from a cron script) that the replay cache in MIT's krb5 lib will occasionally fail the krb5_rd_req() as a replay attack. There seems to be a small window during which the MIT krb5 libs could reproduce identical time stamps for ctime and cusec in the authenticator since Unix systems only give back milli-seconds rather than the micro-seconds needed by the authenticator. Checked against MIT 1.5.1. Have not researched how Heimdal does it. My thinking is that if someone can spoof the KDC and TDS services we are pretty hopeless anyways. (This used to be commit cbd33da9f78373e29729325bbab1ae9040712b11)
2007-10-10r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; andVolker Lendecke1-2/+2
replace all data_blob(NULL, 0) calls. (This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
2007-10-10r21845: Refactor the sessionsetupX code a little to allow usJeremy Allison1-31/+72
to return a NT_STATUS_TIME_DIFFERENCE_AT_DC error to a client when there's clock skew. Will help people debug this. Prepare us for being able to return the correct sessionsetupX "NT_STATUS_MORE_PROCESSING_REQUIRED" error with associated krb5 clock skew error to allow clients to re-sync time with us when we're eventually able to be a KDC. Jeremy. (This used to be commit c426340fc79a6b446033433b8de599130adffe28)
2007-10-10r21558: Safe more indent, again no code changes.Günther Deschner1-37/+37
Guenther (This used to be commit 7b18a4730d61c04867fc11df8980943d422589d8)
2007-10-10r21557: indent only fix. No code change.Günther Deschner1-49/+49
Guenther (This used to be commit 8ff0903a17cfd8c09b73ef637484a72719e82071)
2007-10-10r21556: Remove superfluos return check in ads_keytab_verify_ticket().Günther Deschner1-2/+0
Guenther (This used to be commit 020601ea0abeb15f2aef9da354fcf6d7d5459710)
2007-10-10r18047: More C++ stuffVolker Lendecke1-2/+2
(This used to be commit 86f4ca84f2df2aa8977eb24828e3aa840dda7201)
2007-10-10r17972: revert accidental commit to ads_verify_ticket()Gerald Carter1-7/+5
(This used to be commit 95f6b22e5179e1fb738c07112de2e06024fc9a83)
2007-10-10r17971: Disable storing SIDs in the S-1-22-1 and S-1-22-2 domain to the ↵Gerald Carter1-5/+7
SID<->uid/gid cache. FIxes a bug in token creation (This used to be commit fa05708789654a8a34cb4a4068514a0b3d950653)
2007-10-10r16952: New derive DES salt code and Krb5 keytab generationGerald Carter1-9/+5
Major points of interest: * Figure the DES salt based on the domain functional level and UPN (if present and applicable) * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC keys * Remove all the case permutations in the keytab entry generation (to be partially re-added only if necessary). * Generate keytab entries based on the existing SPN values in AD The resulting keytab looks like: ktutil: list -e slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName) and the sAMAccountName value. The UPN will be added as well if the machine has one. This fixes 'kinit -k'. Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket() continues to work with RC4-HMAC and DES keys. (This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
2007-10-10r15523: Honour the time_offset also when verifying kerberos tickets. ThisGünther Deschner1-1/+6
prevents a nasty failure condition in winbindd's pam_auth where a tgt and a service ticket could have been succefully retrieved, but just not validated. Guenther (This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)
2007-10-10r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name,Jeremy Allison1-11/+9
smb_krb5_parse_name_norealm_conv that pull/push from unix charset to utf8 (which krb5 uses on the wire). This should fix issues when the unix charset is not compatible with or set to utf8. Jeremy. (This used to be commit 37ab42afbc9a79cf5b04ce6a1bf4060e9c961199)
2007-10-10r14682: Small cleanup in ads_verify_ticket.Günther Deschner1-6/+5
Guenther (This used to be commit 90df68634b508b0a58f0a15ab62e9cead85765b6)
2007-10-10r14576: Skip remaining keytab entries when we have a clear indication thatGünther Deschner1-1/+23
krb5_rd_req could decrypt the ticket but that ticket is just not valid at the moment (either not yet valid or already expired). (This also prevents an MIT kerberos related crash) Guenther (This used to be commit 8a0c1933d3f354a8aff67482b8c7d0d1083e0c8f)
2007-10-10r11846: Destroy the TALLOC_CTX on error in the Kerberos session setup and give aGünther Deschner1-3/+3
more precise inline comment why PAC verification may fail. Guenther (This used to be commit 43b57715e9b44a0a0c7cc7fe3674a5fd4369e78b)
2007-10-10r10907: Handle the case when we can't verify the PAC signature because theGünther Deschner1-5/+7
ticket was encrypted using a DES key (and the Windows KDC still puts CKSUMTYPE_HMAC_MD5_ARCFOUR in the PAC). In that case, return to old behaviour and ignore the PAC. Thanks to Chengjie Liu <chengjie.liu@datadomain.com>. Guenther (This used to be commit 48d8a9dd9f573d0d913a26a62e4ad3d224731343)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-20/+74
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10285: Doh ! Guenther spotted this stupid cut-n-paste bug...Jeremy Allison1-1/+0
Thanks Guenther ! Jeremy. (This used to be commit 7335440e480599a6e16780976ab36651a6fb969d)