summaryrefslogtreecommitdiff
path: root/source3/libsmb/clikrb5.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r3379: More merging of kerberos keytab and salting fixes from Nalin ↵Jeremy Allison1-2/+2
Dahyabhai <nalin@redhat.com> (bugid #1717). Jeremy. (This used to be commit 30b8807cf6d5c3c5b9947a7e841d69f0b22eb019)
2007-10-10r3377: Merge in first part of modified patch from Nalin Dahyabhai ↵Jeremy Allison1-9/+38
<nalin@redhat.com> for bug #1717.The rest of the code needed to call this patch has not yet been checked in (that's my next task). This has not yet been tested - I'll do this once the rest of the patch is integrated. Jeremy. (This used to be commit 7565019286cf44f43c8066c005b1cd5c1556435f)
2007-10-10r3345: More MIT/Heimdal tests for comparing enctypes now.Jeremy Allison1-0/+14
Jeremy. (This used to be commit eefb911d0c66bdee586a86446e16723013f84101)
2007-10-10r3342: More MIT/Heimdal fixes to allow an enctype to be explicitly set in a ↵Jeremy Allison1-0/+11
krb5_creds struct. Jeremy. (This used to be commit c9b80490128e09442a01dd8ec6f4b453769e82c1)
2007-10-10r2474: (re-)fix memleak (initially found by jra).Günther Deschner1-6/+0
heimdal 0.6.1rc3 had a bug causing winbindd to die, heimdal version 0.6.1 and higher have that fixed (thanks to Love from Heimdal). SuSE has been informed about this possible pitfall, any other vendors that ship with heimdal-0.6.1rc3 to be notified ? Guenther (This used to be commit 6239a5bec99c62032e0cde20679a71622dd7a059)
2007-10-10r2472: Fixed krb5_krbhost_get_addrinfo()-parameters and make failureGünther Deschner1-3/+3
of this call non-critical. Thanks to Love for the patch and explaining the inner workings of heimdal. Guenther (This used to be commit 4bd9d8240b571fdd8546af4eea3f4f148987d57c)
2007-10-10r2057: Although rarely used, prevent "net lookup kdc" from segfaulting whenGünther Deschner1-1/+11
using our own implementation of krb5_lookup_kdc with heimdal. Also, heimdals krb5_krbhst_next() obviously does not retrieve the struct addrinfo in the krb5_krbhst_info-struct, using krb5_krbhst_get_addrinfo() instead. Guenther (This used to be commit cca660e109cc94b49ac6bf1f2802235d1d4d4383)
2007-10-10r1428: Remove *completly bogus* memset. (No doubt my bug, too...).Andrew Bartlett1-2/+0
This memset could well have clobbered bits of the stack, because session_key changed from char session_key[16]; to DATA_BLOB session_key Andrew Bartlett (This used to be commit 54248a405c9459f93f4200ebb0dc71748ae2fc83)
2007-10-10r1407: revert change that broke the build on systems w/o krb5 filesGerald Carter1-1/+1
(This used to be commit 89a11b5d7c0939c9344115ef509cbb0567d7524a)
2007-10-10r1399: applying heimdal krb5 fixes from Guenther and fixing compile warnings ↵Gerald Carter1-1/+3
in libadskerberos_keyatb.c (This used to be commit 837f56ec8bc171497fb84d332002776313c26305)
2007-10-10r1287: Attempt to fix the build for systems without kerberos headers.Volker Lendecke1-3/+3
Volker (This used to be commit 43020cf459da24a915a39b770cec95a524d487c7)
2007-10-10r1236: Heimdal fixes from Guenther Deschner <gd@sernet.de>, more to come beforeJeremy Allison1-0/+11
it compiles with Heimdal. Jeremy. (This used to be commit dd07278b892770ac51750b87a4ab902d4de3a960)
2007-10-10r1222: Valgrind memory leak fixes. Still tracking down a strange one...Jeremy Allison1-3/+4
Can't fix the krb5 memory leaks inside that library :-(. Jeremy. (This used to be commit ad440213aaae58fb5bff6e8a6fcf811c5ba83669)
2007-10-10r1194: Definition of krb5_free_unparsed_name() if we do't have it.Jeremy Allison1-0/+7
Jeremy. (This used to be commit 82c219ea023dd546fcde29569725865a42e4198e)
2007-10-10r541: fixing segfault in winbindd caused -r527 -- looks like a bug in ↵Gerald Carter1-1/+4
heimdal; also initialize some pointers (This used to be commit be74e88d9a4b74fcaf25b0816e3fa8a487c91ab5)
2007-10-10r527: More memory leak fixes in error paths from kawasa_r@itg.hitachi.co.jp.Jeremy Allison1-2/+8
Jeremy. (This used to be commit b2ba4d5c1be6089e3818a20c68e3894432b53d87)
2007-10-10r221: Remainder of bug 1208. We do not remove creds from _any_ FILE ccache,Jim McDonough1-17/+40
because not only does it not work on Heimdal, but also since ccaches created within samba are memory-based, so we shouldn't touch a FILE-based one (it was probably created via kinit or similar). (This used to be commit 5971b0980ca8abae2208f22485c5af4c0dde0459)
2007-10-10r219: Obtain new tickets if current ones are expired. Next part of fix forJim McDonough1-12/+36
bug 1208. Based on a fix from Guether Deschener. Outstanding pieces: - Heimdal FILE-based ccaches don't actually remove creds properly, so we need to code a check for this - what if ticket expires between our check and when we use it? Guenther has coded up fixes for these parts, but I still need to review them, as I'm not totally comfortable with the solutions. (This used to be commit ef008b9710e682f87f0bbf526d30eb5114264233)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett1-11/+13
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-8/+8
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-08-15Fix memleaks.Volker Lendecke1-1/+3
Currently I'm compiling against MIT Kerberos 1.2.8. Anthony, you said you have a heimdal installation available. Could you please compile this stuff with krb and check it with valgrind? Thanks, Volker (This used to be commit d8ab44685994b302bb46eed9001c72c194d13dc8)
2003-08-15get rid of some sompiler warnings on IRIXHerb Lewis1-1/+1
(This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
2003-08-14Change Samba to always use extended security for it's guest logins, (ie,Andrew Bartlett1-7/+5
NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to all of Samba's clients. When connecting to an Active Directory DC, you must initiate the CIFS level session setup with Kerberos, not a guest login. If you don't, your machine account is demoted to NT4. Andrew Bartlett (This used to be commit 3547cb3def45a90f99f67829a533eac1ccba5e77)
2003-08-04Fix unused variable warning.Tim Potter1-1/+1
(This used to be commit 73d02e3a2b0f9e84ab6d8685e4ad6a03ef9249b2)
2003-07-25W00t! Client smb signing is now working correctly with krb5 and w2k server.Jeremy Allison1-8/+15
Server code *should* also work (I'll check shortly). May be the odd memory leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup code (b) we need to ask for a subkey... (c). The client and server need to ask for local and remote subkeys respectively. Thanks to Paul Nelson @ Thursby for some sage advice on this :-). Jeremy. (This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00)
2003-07-16Add krb5_princ_component to Heimdal. Remove cli_ from mark packet signed.Jeremy Allison1-0/+13
Jeremy. (This used to be commit dd46f8b22d6e8411081a1279e1cd32929e40370b)
2003-06-10use ZERO_STRUCT() instead of memsetAndrew Tridgell1-1/+1
(This used to be commit 082084042307f5f7d532b28debdeac11753a05f9)
2003-05-30More on bug 137: rename more of krb5_xxx functions to not start with krb5_Jim McDonough1-14/+14
(This used to be commit 10f1da3f4a9680a039a2aa26301b97e31c06c38d)
2003-03-17Merge from HEAD - sync up SessionSetup code to HEAD, including Luke Howard'sAndrew Bartlett1-9/+43
session key and auth verifier patches. Andrew Bartlett (This used to be commit 3f9616a68a855acbae3f405c27ee2358fbe7ba2c)
2003-02-21Fix IRIX build...void fn can't return another void fnJim McDonough1-1/+2
(This used to be commit e0c1f9ef61a0ec4f06a0b0e257497943195b5297)
2003-02-19Sync with HEAD for verifying kerberos tickets.Jim McDonough1-4/+33
(This used to be commit 77e1178a888f0d380a5ef94911a8f07bf04a7ba3)
2003-02-18Sync w/HEAD - add DES_CBC_CRC encryption typeJim McDonough1-1/+1
(This used to be commit c7934f5cb56d54a90c9ffdbe2f7429a3c9227abe)
2003-01-30Revert tpot's breakage of the Heimdal fixes.Jeremy Allison1-0/+122
Jeremy. (This used to be commit 90336900ad2a6d50e1d42f7bc59fdc7c762187d3)
2003-01-30Sync of Heimdal kerberos stuff with HEAD. If this breaks I'm blamingTim Potter1-122/+0
the dog again. (This used to be commit 6f89ee2c9dc7f03e3dbe7aa734bf67c6a434d135)
2003-01-28Finally we compile with Heimdal as well as MIT ! Wonder if it works... :-).Jeremy Allison1-0/+52
Jeremy. (This used to be commit 1b71786c161cd8ec4c3c0c6b178370ed50feeef4)
2003-01-28Get smbd to link with Heimdal. Still missing some client progs...Jeremy Allison1-0/+22
Jeremy. (This used to be commit 85dda434763bbcea260c800599e4b6b73afcf174)
2003-01-23Thanks Meeester Potter, for reverting *all* my Heimdal changes becauseJeremy Allison1-0/+48
I mistyped a comma :-). Jeremy. (This used to be commit 04cc149c756c396012cfa321a74724b077302b95)
2003-01-22Merge of kerberos changes to make this branch build again!Tim Potter1-48/+0
(This used to be commit 51b319f57f28e3993919d7f3db0251a724902332)
2003-01-21Get closer to Heimdal compile... Damn. HEAD has different code inJeremy Allison1-0/+48
kerberos_verify... Jeremy. (This used to be commit e8c4098da619a1429cc4c8251761333a7c0f3458)
2003-01-21Fixup proto generation to not include krb5 specific symbolsJeremy Allison1-5/+5
if no kerberos selected. Noticed by Metze. Jeremy. (This used to be commit 0c98f779f05431ac4d298c9f021fca85d16aebae)
2003-01-21More fixes getting us closer to full Heimdal compile....Jeremy Allison1-0/+20
Jeremy. (This used to be commit a7ee6ed64500a0d949849da6996b7dc837518f00)
2003-01-20should be HAVE_KRB5_SET_REAL_TIME (HAVE_ was missing)...fix the buildJim McDonough1-1/+1
(This used to be commit 9f1f3cb8bb3d7d9b4fb414b06ad10356f775bb28)
2003-01-19Merge in more of the SuSE patches for Heimdal. These changes show howJeremy Allison1-0/+29
to add a function without an explicit #ifdef HEIMDAL which I'm trying to avoid. Jeremy. (This used to be commit 92ecd0bf0fe2cc4f6c86ca48e6e458e726470a50)
2003-01-04Merge from HEAD - vl's fix to my const patch. Also update the 'not have_krb5'Andrew Bartlett1-1/+1
case. Andrew Bartlett (This used to be commit 8129529c4faec5ea630acf70b7514a3efc0fbdcf)
2003-01-03Merge from HEAD - make Samba compile with -Wwrite-strings without additionalAndrew Bartlett1-1/+1
warnings. (Adds a lot of const). Andrew Bartlett (This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c)
2002-11-15fix segfaultGerald Carter1-1/+3
(This used to be commit 36bcb312e95f46d196575ed3535679deeddd89b0)
2002-09-25sync'ing up for 3.0alpha20 releaseGerald Carter1-3/+20
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2001-12-19added trusted realm support to ADS authenticationAndrew Tridgell1-2/+2
the method used for checking if a domain is a trusted domain is very crude, we should really call a backend fn of some sort. For now I'm using winbindd to do the dirty work. (This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
2001-11-28fixed some krb5 ifdefsAndrew Tridgell1-1/+1
(This used to be commit 23ef22f11700bbaa5778a9678a990a2b041fcefe)