summaryrefslogtreecommitdiff
path: root/source3/libads/kerberos_verify.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r16952: New derive DES salt code and Krb5 keytab generationGerald Carter1-9/+5
Major points of interest: * Figure the DES salt based on the domain functional level and UPN (if present and applicable) * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC keys * Remove all the case permutations in the keytab entry generation (to be partially re-added only if necessary). * Generate keytab entries based on the existing SPN values in AD The resulting keytab looks like: ktutil: list -e slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName) and the sAMAccountName value. The UPN will be added as well if the machine has one. This fixes 'kinit -k'. Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket() continues to work with RC4-HMAC and DES keys. (This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
2007-10-10r15523: Honour the time_offset also when verifying kerberos tickets. ThisGünther Deschner1-1/+6
prevents a nasty failure condition in winbindd's pam_auth where a tgt and a service ticket could have been succefully retrieved, but just not validated. Guenther (This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)
2007-10-10r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name,Jeremy Allison1-11/+9
smb_krb5_parse_name_norealm_conv that pull/push from unix charset to utf8 (which krb5 uses on the wire). This should fix issues when the unix charset is not compatible with or set to utf8. Jeremy. (This used to be commit 37ab42afbc9a79cf5b04ce6a1bf4060e9c961199)
2007-10-10r14682: Small cleanup in ads_verify_ticket.Günther Deschner1-6/+5
Guenther (This used to be commit 90df68634b508b0a58f0a15ab62e9cead85765b6)
2007-10-10r14576: Skip remaining keytab entries when we have a clear indication thatGünther Deschner1-1/+23
krb5_rd_req could decrypt the ticket but that ticket is just not valid at the moment (either not yet valid or already expired). (This also prevents an MIT kerberos related crash) Guenther (This used to be commit 8a0c1933d3f354a8aff67482b8c7d0d1083e0c8f)
2007-10-10r11846: Destroy the TALLOC_CTX on error in the Kerberos session setup and give aGünther Deschner1-3/+3
more precise inline comment why PAC verification may fail. Guenther (This used to be commit 43b57715e9b44a0a0c7cc7fe3674a5fd4369e78b)
2007-10-10r10907: Handle the case when we can't verify the PAC signature because theGünther Deschner1-5/+7
ticket was encrypted using a DES key (and the Windows KDC still puts CKSUMTYPE_HMAC_MD5_ARCFOUR in the PAC). In that case, return to old behaviour and ignore the PAC. Thanks to Chengjie Liu <chengjie.liu@datadomain.com>. Guenther (This used to be commit 48d8a9dd9f573d0d913a26a62e4ad3d224731343)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-20/+74
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10285: Doh ! Guenther spotted this stupid cut-n-paste bug...Jeremy Allison1-1/+0
Thanks Guenther ! Jeremy. (This used to be commit 7335440e480599a6e16780976ab36651a6fb969d)
2007-10-10r10211: Fix another memleak (this time in the kerberos keytab code)Günther Deschner1-1/+5
Guenther (This used to be commit 9796bf45895681fee243ca8fd8297ff270c7547c)
2007-10-10r5762: Modified version of patch from Michael Brown ↵Jeremy Allison1-65/+99
<mbrown@fensystems.co.uk> to case insentively search for a principal match on logon verification in the system keytab. UNTESTED (although it compiles). Please test. Jeremy. (This used to be commit 1ace2ca1be65b4d6e92a98040fd09fdca74e8c8a)
2007-10-10r4882: Fix for #2255. Debug should have been 10 not 0.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 5557e1409a9a22759ca3bea021d4a662099e683a)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-1/+1
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3495: Fix the build (recent kerberos-changes).Günther Deschner1-1/+0
Guenther (This used to be commit c7eab285d967345510a15e83bce508edb8e06e99)
2007-10-10r3451: Finish off kerberos salting patch. Needs testing !Jeremy Allison1-3/+2
Jeremy. (This used to be commit ff4cb6b5e80731856d6f3f7eebd8fc23902e3580)
2007-10-10r3381: More merging of the #1717 patch. Fixup some erroneous assumptions aboutJeremy Allison1-59/+67
memcpy's into fqdn names. I think the original intent was to create MYNAME.fqdn.tail.part. Will need testing to see I haven't broken keytab support. Jeremy. (This used to be commit 82acf83040654eb8b7e261518a3e5eb9caea7750)
2007-10-10r1789: compiler warnings from SuSEGerald Carter1-0/+4
(This used to be commit 7e44193be103fad273796218c8f5e5f9a1657c3c)
2007-10-10r1285: Put variable definitions into a block before the statements...Volker Lendecke1-1/+1
Volker (This used to be commit e8786506b86f129ba6401c09b89a26bfb335440e)
2007-10-10r1282: gcc 3.2 on SuSE 8.2 does not like #ifdefs inside a macro argument ↵Volker Lendecke1-3/+5
(DEBUG). Volker (This used to be commit b491e76625f0d20fa9db2a3dbb22adc34ca7d414)
2007-10-10r1244: More Heimdal compile fixes.Jeremy Allison1-3/+9
Jeremy. (This used to be commit 92a5dc1880a4fe0f3c3b56fc0958dbac77506b4f)
2007-10-10r1236: Heimdal fixes from Guenther Deschner <gd@sernet.de>, more to come beforeJeremy Allison1-0/+8
it compiles with Heimdal. Jeremy. (This used to be commit dd07278b892770ac51750b87a4ab902d4de3a960)
2007-10-10r1215: Intermediate checkin of the new keytab code. I need to make sure IJeremy Allison1-99/+198
haven't broken krb5 ticket verification in the mainline code path, also need to check with valgrind. Everything now compiles (MIT, need to also check Heimdal) and the "net keytab" utility code will follow. Jeremy. (This used to be commit f0f2e28958cb9abfed216c71f291f19ea346d630)
2004-02-03Fix for a bug where the mutex could be left locked. Also remove theJeremy Allison1-146/+8
memory keytab code which has no effect. Driven by bug report from "Rob J. Caskey" <rcaskey@uga.edu>. Jeremy. (This used to be commit 4cb8facbf9fa6fa5233fdb363ceac4b304d263d4)
2004-01-06Fix segfualt caused by incorrect configuration. If lp_realm() was not set,Andrew Bartlett1-5/+9
but security=ADS, we would attempt to free the principal name that krb5 never allocated. Also fix the dump_data() of the session key, now that we use a data_blob to store that. Andrew Bartlett (This used to be commit 4ad67f13404ef0118265ad66d8bdfa256c914ad0)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-1/+1
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-10-17Add configure test for krb5_keytab_entry keyblock vs key member. Bug #636.Tim Potter1-4/+12
(This used to be commit 3daefe9d17fb2c7b1c4d21593465e6788555b0fb)
2003-09-03Try to add memory keytab support. It also includes much of the genericJim McDonough1-1/+141
keytab support code, but it won't be enabled until we add that to smb.conf. Adapted from the work of Guenther Deschner (gd@suse.com). Please hammer on this... (This used to be commit a26fa5bee24c73cd835f59bb18162ab07760d76a)
2003-08-25Fix segfault. krb5_free_ticket does not check if it got a NULL ticket.Volker Lendecke1-1/+2
(This used to be commit 97e4778103744419ecaeb0058460041ef01b2e2a)
2003-08-15Fix memleaks.Volker Lendecke1-7/+11
Currently I'm compiling against MIT Kerberos 1.2.8. Anthony, you said you have a heimdal installation available. Could you please compile this stuff with krb and check it with valgrind? Thanks, Volker (This used to be commit d8ab44685994b302bb46eed9001c72c194d13dc8)
2003-08-14In ads_verify_realm, all we use in the ADS_STRUCT is theVolker Lendecke1-2/+2
auth.realm. So directly pass that instead of setting up and tearing down the ADS_STRUCT. Volker (This used to be commit ce5b8d2ec20fe1f4d3d1956020d88272fb84124a)
2003-07-30Don't revert something until you've seen if volker has already fixed it :-).Jeremy Allison1-4/+0
Jeremy. (This used to be commit d57d9b99dfc2a83d91b952a11eb1ae4cf37e6467)
2003-07-30Comment out mutex until I get dependencies sorted out...Jeremy Allison1-0/+4
Jeremy (This used to be commit 382d1732ca8e4d0909eb5a95f7327213913da37b)
2003-07-29Put mutex around access of replay cache for krb5 tickets. krb5 replay cacheJeremy Allison1-4/+13
is not multi-process safe. Jeremy. (This used to be commit 9e0534a1b69bbd4f21b4925337cbab127d060fc6)
2003-07-29Typo on my part. I typed KRB5_KDB_BAD_ENCTYPE when I meant to type ↵Jeremy Allison1-1/+1
KRB5_BAD_ENCTYPE. Heimdal has the latter, not the former. Jeremy. (This used to be commit e8425df77c2e917c819592d93833a164ee3b5338)
2003-07-29Fix the build on Heimdal. KRB5_KDB_BAD_ENCTYPE doesn't exist on Heimdal, andJim McDonough1-1/+1
it's a different rc than KRB5_BAD_ENCTYPE (which exists on both MIT and Heimdal). This will just make the debug show up at level 3 always. Jeremy, you may want to revisit this, but it's probably not worth the hassle. (This used to be commit 4ff322ccf9c8485bcfe67e658d48f190f03547b0)
2003-07-29Improved debug messages whilst trying to track down kerb issues.Jeremy Allison1-13/+20
Jeremy. (This used to be commit 29dd71ddea480f6163ebbc9d8860a7930ae84066)
2003-07-25W00t! Client smb signing is now working correctly with krb5 and w2k server.Jeremy Allison1-1/+1
Server code *should* also work (I'll check shortly). May be the odd memory leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup code (b) we need to ask for a subkey... (c). The client and server need to ask for local and remote subkeys respectively. Thanks to Paul Nelson @ Thursby for some sage advice on this :-). Jeremy. (This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00)
2003-07-12Fixed memory leaks, added krb5 replay cache. Now I need to add code to checkJeremy Allison1-17/+72
the incoming addresses.... Jeremy. (This used to be commit 4e9359a1f67a44b2981579383327ba774e1c31f9)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison1-1/+1
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-06-06No matter how special this session key is, it's not worth a level 0.Andrew Bartlett1-2/+4
Hide it behind a level 10, with #ifdef DEBUG_PASSWORD instead. Andrew Bartlett (This used to be commit 9d4e327850fb00083241f3e68f866590c44e1823)
2003-05-30More on bug 137: rename more of krb5_xxx functions to not start with krb5_Jim McDonough1-1/+1
(This used to be commit 10f1da3f4a9680a039a2aa26301b97e31c06c38d)
2003-04-21Merge from HEAD - save the type of channel used to contact the DC.Andrew Bartlett1-1/+1
This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also change the SID retreval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
2003-04-16Move PAC decoding over from HEAD.Jim McDonough1-0/+6
(This used to be commit b0fd4e5555dd93c584cd86eaac080663b9e4031f)
2003-03-17The kerberos_verify compoenent of the SessionSetup sync with HEAD.Andrew Bartlett1-6/+26
Andrew Bartlett (This used to be commit 64796ed27a3842be1dde52dd4f46698e95961767)
2003-02-19Sync with HEAD for verifying kerberos tickets.Jim McDonough1-14/+31
(This used to be commit 77e1178a888f0d380a5ef94911a8f07bf04a7ba3)
2003-01-30Revert tpot's HEAD merge which broke the Heimdal build.Jeremy Allison1-45/+15
Jeremy. (This used to be commit 1298ecd0b8a3a9e0a2de42d0c049856cad65e272)
2003-01-30Sync of Heimdal kerberos stuff with HEAD. If this breaks I'm blamingTim Potter1-15/+45
the dog again. (This used to be commit 6f89ee2c9dc7f03e3dbe7aa734bf67c6a434d135)
2003-01-28Get smbd to link with Heimdal. Still missing some client progs...Jeremy Allison1-5/+2
Jeremy. (This used to be commit 85dda434763bbcea260c800599e4b6b73afcf174)
2003-01-23Thanks Meeester Potter, for reverting *all* my Heimdal changes becauseJeremy Allison1-40/+13
I mistyped a comma :-). Jeremy. (This used to be commit 04cc149c756c396012cfa321a74724b077302b95)
2003-01-22Merge of kerberos changes to make this branch build again!Tim Potter1-13/+40
(This used to be commit 51b319f57f28e3993919d7f3db0251a724902332)