summaryrefslogtreecommitdiff
path: root/source3/libsmb/clikrb5.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r16269: Fix the build.Günther Deschner1-3/+3
Guenther (This used to be commit 546710d58c07acdaa175caa48cec4d3f2bc657ad)
2007-10-10r16268: Add TCP fallback for our implementation of the CHANGEPW kpasswd calls.Günther Deschner1-1/+58
This patch is mainly based on the work of Todd Stecher <tstecher@isilon.com> and has been reviewed by Jeremy. I sucessfully tested and valgrinded it with MIT 1.4.3, 1.3.5, Heimdal 0.7.2 and 0.6.1rc3. Guenther (This used to be commit 535d03cbe8b021e9aa6d74b62d81b867c494c957)
2007-10-10r15243: Sorry for the breakage:Günther Deschner1-0/+9
* Fix the build without kerberos headers * Fix memleak in the krb5_address handling Guenther (This used to be commit 10e42117559d4bc6a34e41a94914bf6c65c3477f)
2007-10-10r15240: Correctly disallow unauthorized access when logging on with theGünther Deschner1-0/+98
kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
2007-10-10r15216: Fix the build for machines without krb5. Oops, sorry.Jeremy Allison1-2/+2
Jeremy. (This used to be commit bea87e2df45c67cc75d91bd3ed1acc4c64a1c8ea)
2007-10-10r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name,Jeremy Allison1-10/+83
smb_krb5_parse_name_norealm_conv that pull/push from unix charset to utf8 (which krb5 uses on the wire). This should fix issues when the unix charset is not compatible with or set to utf8. Jeremy. (This used to be commit 37ab42afbc9a79cf5b04ce6a1bf4060e9c961199)
2007-10-10r14506: Remove remaining references to a KCM credential cache type.Günther Deschner1-1/+1
Guenther (This used to be commit aae8f8ae7a79d06c74151186f3c2470bdec5687d)
2007-10-10r14218: Fix Coverity Bug # 2Volker Lendecke1-5/+0
(This used to be commit 26377b63a3a3d2d5ed23bdbb5f22b70ec7d3fcad)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-12/+159
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r13020: Prevent cli_krb5_get_ticket of getting into an infite loop. This wholeGünther Deschner1-1/+4
area of code needs to be reworked later on. Guenther (This used to be commit 088abfcdd1d6b28409d4b2917bc2aeb5d371f675)
2007-10-10r13012: Fix #3421 - it turns out krb5_kt_get_entry() on MITJeremy Allison1-12/+12
does an implicit open/read/close and blows away an open keytab handle - so make sure we use a new handle. Wonderful analysis from Luke <ldeller@xplantechnology.com> helped fix this. Jeremy. (This used to be commit 9d2f2385ad68cbe11bdfb82b5f2d016626f6e679)
2007-10-10r11551: Add a few more initialize_krb5_error_tableVolker Lendecke1-0/+1
(This used to be commit d92c83aa42fe64a0e996094d1a983f0279c7c707)
2007-10-10r10907: Handle the case when we can't verify the PAC signature because theGünther Deschner1-0/+6
ticket was encrypted using a DES key (and the Windows KDC still puts CKSUMTYPE_HMAC_MD5_ARCFOUR in the PAC). In that case, return to old behaviour and ignore the PAC. Thanks to Chengjie Liu <chengjie.liu@datadomain.com>. Guenther (This used to be commit 48d8a9dd9f573d0d913a26a62e4ad3d224731343)
2007-10-10r10671: Attempt to fix the build on machines without kerberos headers.Volker Lendecke1-9/+9
Volker (This used to be commit cb816e65a95802d5172c410d1acda2da070b871d)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-10/+441
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10210: Fix memleak.Günther Deschner1-2/+4
Guenther (This used to be commit 10358d16d7946f6b0c989db8bc26f8840144389b)
2007-10-10r6586: get rid of a few more compiler warningsHerb Lewis1-1/+3
(This used to be commit 173375f8d88bf8e8db8d60e5d5f0e5dcc28767d9)
2007-10-10r6392: - Fixes bug 2564: when smbc_opendir() was called with a file rather thanDerrell Lipman1-2/+2
a directory, the errno returned could end up as ENOENT rather than ENOTDIR. - Fixes some compiler warnings which showed up on IRIX, as reported by James Peach. (This used to be commit 615a62b21f8d2f7f97bde2f166ddd6849d39b95c)
2007-10-10r6149: Fixes bugs #2498 and 2484.Derrell Lipman1-0/+3
1. using smbc_getxattr() et al, one may now request all access control entities in the ACL without getting all other NT attributes. 2. added the ability to exclude specified attributes from the result set provided by smbc_getxattr() et al, when requesting all attributes, all NT attributes, or all DOS attributes. 3. eliminated all compiler warnings, including when --enable-developer compiler flags are in use. removed -Wcast-qual flag from list, as that is specifically to force warnings in the case of casting away qualifiers. Note: In the process of eliminating compiler warnings, a few nasties were discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED kerberos interfaces are being used. Someone who knows kerberos should look at these and determine if there is an alternate method of accomplishing the task. (This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
2007-10-10r4291: More *alloc fixes inspired by Albert Chin (china@thewrittenword.com).Jeremy Allison1-3/+2
Jeremy (This used to be commit efc1b688cf9b1a17f1a6bf46d481280ed8bd0c46)
2007-10-10r4020: Fix for crash reported by Bård Kalbakk <baard@inett.biz>.Jeremy Allison1-1/+1
Don't go fishing for the authorisation data unless we know it's there. Jeremy. (This used to be commit 6f6b4c61e03afb4d35bf6b3ea468fb211d703aa7)
2007-10-10r3538: Fix the build with the latest Heimdal code.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 34275bae787762646f02ea1dec19d7b3a9a733a3)
2007-10-10r3535: Tidy up error reporting. Memory leak with MIT krb5 1.3.5 turnsJeremy Allison1-11/+13
out to be in the kerberos libraries, not in Samba. Now to test with Heimdal. Jeremy (This used to be commit b08e3bf6fb1052285e4efd669d9717d3a617499d)
2007-10-10r3439: Finally fix build for platforms without kerberos.Günther Deschner1-4/+4
Guenther (This used to be commit 05619cfdbf814e5c79e65934b82424eca00c76c4)
2007-10-10r3407: Fix the buildVolker Lendecke1-1/+1
(This used to be commit b144ce557f516f62ab802fbb277799b10153c8fb)
2007-10-10r3379: More merging of kerberos keytab and salting fixes from Nalin ↵Jeremy Allison1-2/+2
Dahyabhai <nalin@redhat.com> (bugid #1717). Jeremy. (This used to be commit 30b8807cf6d5c3c5b9947a7e841d69f0b22eb019)
2007-10-10r3377: Merge in first part of modified patch from Nalin Dahyabhai ↵Jeremy Allison1-9/+38
<nalin@redhat.com> for bug #1717.The rest of the code needed to call this patch has not yet been checked in (that's my next task). This has not yet been tested - I'll do this once the rest of the patch is integrated. Jeremy. (This used to be commit 7565019286cf44f43c8066c005b1cd5c1556435f)
2007-10-10r3345: More MIT/Heimdal tests for comparing enctypes now.Jeremy Allison1-0/+14
Jeremy. (This used to be commit eefb911d0c66bdee586a86446e16723013f84101)
2007-10-10r3342: More MIT/Heimdal fixes to allow an enctype to be explicitly set in a ↵Jeremy Allison1-0/+11
krb5_creds struct. Jeremy. (This used to be commit c9b80490128e09442a01dd8ec6f4b453769e82c1)
2007-10-10r2474: (re-)fix memleak (initially found by jra).Günther Deschner1-6/+0
heimdal 0.6.1rc3 had a bug causing winbindd to die, heimdal version 0.6.1 and higher have that fixed (thanks to Love from Heimdal). SuSE has been informed about this possible pitfall, any other vendors that ship with heimdal-0.6.1rc3 to be notified ? Guenther (This used to be commit 6239a5bec99c62032e0cde20679a71622dd7a059)
2007-10-10r2472: Fixed krb5_krbhost_get_addrinfo()-parameters and make failureGünther Deschner1-3/+3
of this call non-critical. Thanks to Love for the patch and explaining the inner workings of heimdal. Guenther (This used to be commit 4bd9d8240b571fdd8546af4eea3f4f148987d57c)
2007-10-10r2057: Although rarely used, prevent "net lookup kdc" from segfaulting whenGünther Deschner1-1/+11
using our own implementation of krb5_lookup_kdc with heimdal. Also, heimdals krb5_krbhst_next() obviously does not retrieve the struct addrinfo in the krb5_krbhst_info-struct, using krb5_krbhst_get_addrinfo() instead. Guenther (This used to be commit cca660e109cc94b49ac6bf1f2802235d1d4d4383)
2007-10-10r1428: Remove *completly bogus* memset. (No doubt my bug, too...).Andrew Bartlett1-2/+0
This memset could well have clobbered bits of the stack, because session_key changed from char session_key[16]; to DATA_BLOB session_key Andrew Bartlett (This used to be commit 54248a405c9459f93f4200ebb0dc71748ae2fc83)
2007-10-10r1407: revert change that broke the build on systems w/o krb5 filesGerald Carter1-1/+1
(This used to be commit 89a11b5d7c0939c9344115ef509cbb0567d7524a)
2007-10-10r1399: applying heimdal krb5 fixes from Guenther and fixing compile warnings ↵Gerald Carter1-1/+3
in libadskerberos_keyatb.c (This used to be commit 837f56ec8bc171497fb84d332002776313c26305)
2007-10-10r1287: Attempt to fix the build for systems without kerberos headers.Volker Lendecke1-3/+3
Volker (This used to be commit 43020cf459da24a915a39b770cec95a524d487c7)
2007-10-10r1236: Heimdal fixes from Guenther Deschner <gd@sernet.de>, more to come beforeJeremy Allison1-0/+11
it compiles with Heimdal. Jeremy. (This used to be commit dd07278b892770ac51750b87a4ab902d4de3a960)
2007-10-10r1222: Valgrind memory leak fixes. Still tracking down a strange one...Jeremy Allison1-3/+4
Can't fix the krb5 memory leaks inside that library :-(. Jeremy. (This used to be commit ad440213aaae58fb5bff6e8a6fcf811c5ba83669)
2007-10-10r1194: Definition of krb5_free_unparsed_name() if we do't have it.Jeremy Allison1-0/+7
Jeremy. (This used to be commit 82c219ea023dd546fcde29569725865a42e4198e)
2007-10-10r541: fixing segfault in winbindd caused -r527 -- looks like a bug in ↵Gerald Carter1-1/+4
heimdal; also initialize some pointers (This used to be commit be74e88d9a4b74fcaf25b0816e3fa8a487c91ab5)
2007-10-10r527: More memory leak fixes in error paths from kawasa_r@itg.hitachi.co.jp.Jeremy Allison1-2/+8
Jeremy. (This used to be commit b2ba4d5c1be6089e3818a20c68e3894432b53d87)
2007-10-10r221: Remainder of bug 1208. We do not remove creds from _any_ FILE ccache,Jim McDonough1-17/+40
because not only does it not work on Heimdal, but also since ccaches created within samba are memory-based, so we shouldn't touch a FILE-based one (it was probably created via kinit or similar). (This used to be commit 5971b0980ca8abae2208f22485c5af4c0dde0459)
2007-10-10r219: Obtain new tickets if current ones are expired. Next part of fix forJim McDonough1-12/+36
bug 1208. Based on a fix from Guether Deschener. Outstanding pieces: - Heimdal FILE-based ccaches don't actually remove creds properly, so we need to code a check for this - what if ticket expires between our check and when we use it? Guenther has coded up fixes for these parts, but I still need to review them, as I'm not totally comfortable with the solutions. (This used to be commit ef008b9710e682f87f0bbf526d30eb5114264233)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett1-11/+13
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-8/+8
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-08-15Fix memleaks.Volker Lendecke1-1/+3
Currently I'm compiling against MIT Kerberos 1.2.8. Anthony, you said you have a heimdal installation available. Could you please compile this stuff with krb and check it with valgrind? Thanks, Volker (This used to be commit d8ab44685994b302bb46eed9001c72c194d13dc8)
2003-08-15get rid of some sompiler warnings on IRIXHerb Lewis1-1/+1
(This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
2003-08-14Change Samba to always use extended security for it's guest logins, (ie,Andrew Bartlett1-7/+5
NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to all of Samba's clients. When connecting to an Active Directory DC, you must initiate the CIFS level session setup with Kerberos, not a guest login. If you don't, your machine account is demoted to NT4. Andrew Bartlett (This used to be commit 3547cb3def45a90f99f67829a533eac1ccba5e77)
2003-08-04Fix unused variable warning.Tim Potter1-1/+1
(This used to be commit 73d02e3a2b0f9e84ab6d8685e4ad6a03ef9249b2)
2003-07-25W00t! Client smb signing is now working correctly with krb5 and w2k server.Jeremy Allison1-8/+15
Server code *should* also work (I'll check shortly). May be the odd memory leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup code (b) we need to ask for a subkey... (c). The client and server need to ask for local and remote subkeys respectively. Thanks to Paul Nelson @ Thursby for some sage advice on this :-). Jeremy. (This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00)