Age | Commit message | Author | Files | Lines |
|
The idea of this patch is: Don't support a mix of different kerberos
features.
Either we should prepare a GSSAPI (8003) checksum and mark the request as
such, or we should use the old behaviour (a normal kerberos checksum of 0 data).
Sending the GSSAPI checksum data, but without marking it as GSSAPI broke
Samba4, and seems well outside the expected behaviour, even if Windows accepts it.
Andrew Bartlett
|
|
Guenther
|
|
Modern Kerberos implementations have either defines or enums for these
key types, which makes doing #ifdef difficult. This shows up in files
such as libnet_samsync_keytab.c, the bulk of which is not compiled on
current Fedora 12, for example.
The downside is that this makes Samba unconditionally depend on the
arcfour-hmac-md5 encryption type at build time. We will no longer
support libraries that only support the DES based encryption types.
However, the single-DES types that are supported in common with AD are
already painfully weak - so much so that they are disabled by default
in modern Kerberos libraries.
If not found, ADS support will not be compiled in.
This means that our 'net ads join' will no longer set the
ACB_USE_DES_KEY_ONLY flag, and we will always try to use
arcfour-hmac-md5.
A future improvement would be to remove the use of the DES encryption
types totally, but this would require that any ACB_USE_DES_KEY_ONLY
flag be removed from existing joins.
Andrew Bartlett
Signed-off-by: Simo Sorce <idra@samba.org>
|
|
Guenther
|
|
Server
Correctly calculate the gssapi channel binding checksum.
Jeremy
Signed off by: simo <idra@samba.org>
|
|
Guenther
|
|
Guenther
|
|
This seems to be the only way to deal with mixed heimdal/MIT setups during
merged build.
Guenther
|
|
Heimdal changed the KRB5_DEPRECATED define (which now may not take an identifier
for activation) in new releases (like 1.3.1).
Guenther
|
|
Guenther
|
|
Guenther
|
|
This reverts commit 17ef153b68795fec681f9ce17c198236aba2b1c2.
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
impersonation.
Guenther
|
|
Guenther
|
|
Karmic has MIT krb5 1.7-beta3, which has the symbol
krb5_auth_con_set_req_cksumtype but no prototype for it.
See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531635
|
|
so we at least know when we're using a long-lived context.
Jeremy.
|
|
Both functions exist in MIT Kerberos >= 1.7, but only
krb5_free_keytab_entry_contents has a prototype.
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Guenther
|
|
<gmachin@sandia.gov>.
Jeremy.
|
|
Guenther
|
|
Guenther
|
|
Jeremy.
(This used to be commit a59bd0e4854117a8646f4d388a0f7285362d5ba2)
|
|
Jeremy, please check!
(This used to be commit 6579005e6490f1a99b3860627ba51decaeb864bd)
|
|
Guenther
(This used to be commit a042dffd7121bda3dbc9509f69fcfae06ed4cc22)
|
|
Guenther
(This used to be commit c28fa17ffffee3e6fd4897c9c6b4937388a19600)
|
|
(This used to be commit 16ee95494ba495c5f5ff8779206f380db1067b2d)
|
|
Guenther
(This used to be commit 85021d6a459c957cc276a93c3515029244f52677)
|
|
before we compile the new code.
Jeremy.
(This used to be commit 7686752c5b015b15a6729631ba4aeedd25ebc659)
|
|
krb5_auth_con_set_req_cksumtype().
Jeremy.
(This used to be commit 8598e7b06ec57ca6fcde863270e6bb0e2de9993e)
|
|
work by me and advice by Love.
Jeremy.
(This used to be commit ecc3838e4cb5d0c0769ec6d9a34a877ca584ffcc)
|
|
If the caller wants to create a key with no salt we should
not use krb5_keyblock_init() (only used when using heimdal)
because it does sanity checks on the key length.
metze
(This used to be commit c83de77b750837a110611d7023c4cf71d2d0bab1)
|
|
Jeremy.
(This used to be commit 384052f546af8c1c6848c03cad4f2ba618ba7209)
|
|
Guenther
(This used to be commit c273ce8798062d1b55100411f3e92a01bdbf611c)
|
|
salting them.
Guenther
(This used to be commit 7c4da23be1105dc224033b21eb486e7fcdc7d9c5)
|
|
Guenther
(This used to be commit ec86852fc6ce2d88ad5835c8fcb337c68fd6f6bc)
|
|
This patch is the second iteration of an inside-out conversion to cleanup
functions in charcnv.c returning size_t == -1 to indicate failure.
(This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
|
|
Guenther
(This used to be commit 3b0135d57e1e70175a5eec49b603a2e5f700c770)
|
|
Guenther
(This used to be commit 507247dcbf0ef02825a6c5c5f313813714df2d99)
|
|
Hi Jason,
Jason Haar wrote:
> Patched 3.0.28, compiled, installed and here's the log file.
>
> Hope it helps. BTW I don't think it matters, but this is on 32bit
> CentOS4.5 systems.
yes, it helps. Thanks for that.
Very interesting, there are two auth data structures where the first one
is a PAC and the second something unknown (yet).
Can you please try the attached fix ? It should make it work again.
Guenther
- --
Günther Deschner GPG-ID: 8EE11688
Red Hat gdeschner@redhat.com
Samba Team gd@samba.org
(This used to be commit c9adc07ca2a3bb1e0ea98e3b4f68e1a87e5c0196)
|
|
No more temptations to use static length strings.
Jeremy.
(This used to be commit ec003f39369910dee852b7cafb883ddaa321c2de)
|