summaryrefslogtreecommitdiff
path: root/source3/libads/kerberos_verify.c
AgeCommit message (Collapse)AuthorFilesLines
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-1/+1
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-10-17Add configure test for krb5_keytab_entry keyblock vs key member. Bug #636.Tim Potter1-4/+12
(This used to be commit 3daefe9d17fb2c7b1c4d21593465e6788555b0fb)
2003-09-03Try to add memory keytab support. It also includes much of the genericJim McDonough1-1/+141
keytab support code, but it won't be enabled until we add that to smb.conf. Adapted from the work of Guenther Deschner (gd@suse.com). Please hammer on this... (This used to be commit a26fa5bee24c73cd835f59bb18162ab07760d76a)
2003-08-25Fix segfault. krb5_free_ticket does not check if it got a NULL ticket.Volker Lendecke1-1/+2
(This used to be commit 97e4778103744419ecaeb0058460041ef01b2e2a)
2003-08-15Fix memleaks.Volker Lendecke1-7/+11
Currently I'm compiling against MIT Kerberos 1.2.8. Anthony, you said you have a heimdal installation available. Could you please compile this stuff with krb and check it with valgrind? Thanks, Volker (This used to be commit d8ab44685994b302bb46eed9001c72c194d13dc8)
2003-08-14In ads_verify_realm, all we use in the ADS_STRUCT is theVolker Lendecke1-2/+2
auth.realm. So directly pass that instead of setting up and tearing down the ADS_STRUCT. Volker (This used to be commit ce5b8d2ec20fe1f4d3d1956020d88272fb84124a)
2003-07-30Don't revert something until you've seen if volker has already fixed it :-).Jeremy Allison1-4/+0
Jeremy. (This used to be commit d57d9b99dfc2a83d91b952a11eb1ae4cf37e6467)
2003-07-30Comment out mutex until I get dependencies sorted out...Jeremy Allison1-0/+4
Jeremy (This used to be commit 382d1732ca8e4d0909eb5a95f7327213913da37b)
2003-07-29Put mutex around access of replay cache for krb5 tickets. krb5 replay cacheJeremy Allison1-4/+13
is not multi-process safe. Jeremy. (This used to be commit 9e0534a1b69bbd4f21b4925337cbab127d060fc6)
2003-07-29Typo on my part. I typed KRB5_KDB_BAD_ENCTYPE when I meant to type ↵Jeremy Allison1-1/+1
KRB5_BAD_ENCTYPE. Heimdal has the latter, not the former. Jeremy. (This used to be commit e8425df77c2e917c819592d93833a164ee3b5338)
2003-07-29Fix the build on Heimdal. KRB5_KDB_BAD_ENCTYPE doesn't exist on Heimdal, andJim McDonough1-1/+1
it's a different rc than KRB5_BAD_ENCTYPE (which exists on both MIT and Heimdal). This will just make the debug show up at level 3 always. Jeremy, you may want to revisit this, but it's probably not worth the hassle. (This used to be commit 4ff322ccf9c8485bcfe67e658d48f190f03547b0)
2003-07-29Improved debug messages whilst trying to track down kerb issues.Jeremy Allison1-13/+20
Jeremy. (This used to be commit 29dd71ddea480f6163ebbc9d8860a7930ae84066)
2003-07-25W00t! Client smb signing is now working correctly with krb5 and w2k server.Jeremy Allison1-1/+1
Server code *should* also work (I'll check shortly). May be the odd memory leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup code (b) we need to ask for a subkey... (c). The client and server need to ask for local and remote subkeys respectively. Thanks to Paul Nelson @ Thursby for some sage advice on this :-). Jeremy. (This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00)
2003-07-12Fixed memory leaks, added krb5 replay cache. Now I need to add code to checkJeremy Allison1-17/+72
the incoming addresses.... Jeremy. (This used to be commit 4e9359a1f67a44b2981579383327ba774e1c31f9)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison1-1/+1
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-06-06No matter how special this session key is, it's not worth a level 0.Andrew Bartlett1-2/+4
Hide it behind a level 10, with #ifdef DEBUG_PASSWORD instead. Andrew Bartlett (This used to be commit 9d4e327850fb00083241f3e68f866590c44e1823)
2003-05-30More on bug 137: rename more of krb5_xxx functions to not start with krb5_Jim McDonough1-1/+1
(This used to be commit 10f1da3f4a9680a039a2aa26301b97e31c06c38d)
2003-04-21Merge from HEAD - save the type of channel used to contact the DC.Andrew Bartlett1-1/+1
This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also change the SID retreval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
2003-04-16Move PAC decoding over from HEAD.Jim McDonough1-0/+6
(This used to be commit b0fd4e5555dd93c584cd86eaac080663b9e4031f)
2003-03-17The kerberos_verify compoenent of the SessionSetup sync with HEAD.Andrew Bartlett1-6/+26
Andrew Bartlett (This used to be commit 64796ed27a3842be1dde52dd4f46698e95961767)
2003-02-19Sync with HEAD for verifying kerberos tickets.Jim McDonough1-14/+31
(This used to be commit 77e1178a888f0d380a5ef94911a8f07bf04a7ba3)
2003-01-30Revert tpot's HEAD merge which broke the Heimdal build.Jeremy Allison1-45/+15
Jeremy. (This used to be commit 1298ecd0b8a3a9e0a2de42d0c049856cad65e272)
2003-01-30Sync of Heimdal kerberos stuff with HEAD. If this breaks I'm blamingTim Potter1-15/+45
the dog again. (This used to be commit 6f89ee2c9dc7f03e3dbe7aa734bf67c6a434d135)
2003-01-28Get smbd to link with Heimdal. Still missing some client progs...Jeremy Allison1-5/+2
Jeremy. (This used to be commit 85dda434763bbcea260c800599e4b6b73afcf174)
2003-01-23Thanks Meeester Potter, for reverting *all* my Heimdal changes becauseJeremy Allison1-40/+13
I mistyped a comma :-). Jeremy. (This used to be commit 04cc149c756c396012cfa321a74724b077302b95)
2003-01-22Merge of kerberos changes to make this branch build again!Tim Potter1-13/+40
(This used to be commit 51b319f57f28e3993919d7f3db0251a724902332)
2003-01-21Get closer to Heimdal compile... Damn. HEAD has different code inJeremy Allison1-14/+3
kerberos_verify... Jeremy. (This used to be commit e8c4098da619a1429cc4c8251761333a7c0f3458)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-2/+1
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-08-17sync 3.0 branch with headJelmer Vernooij1-1/+1
(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-06-25Break up samba's object dependencies, and its prototype includes.Andrew Bartlett1-0/+151
Now smbclient, net, and swat use their own proto files - now the global proto.h The change to libads/kerberos.c was to break up the dependency on secrets.c - we want to be able to write an ADS client that doesn't need local secrets. I have other breakups in the works - I will remove the dependency of rpc_parse on passdb (and therefore secrets.c) shortly. (NOTE: This patch does *not* break up includes.h, or other such forbidden actions). Andrew Bartlett (This used to be commit edb41dad2df0ae3db364dbc3896cc75956262edf)