summaryrefslogtreecommitdiff
path: root/source4/auth/credentials/credentials_files.c
AgeCommit message (Collapse)AuthorFilesLines
2008-04-05Extend credentials python API to include set_machine_account.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 88b7a3980c7be90ea0099a3ecf08ad00fa89ea1a)
2008-04-02Install public header files again and include required prototypes.Jelmer Vernooij1-7/+7
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2007-12-21r26430: require explicit specification of loadparm context.Jelmer Vernooij1-6/+10
(This used to be commit 1b947fe0e6e16318e5a8127bb4932d6b5d20bcf6)
2007-12-21r26272: Remove global_loadparm in some more places.Jelmer Vernooij1-2/+3
(This used to be commit 1ab76ecc5311fa863e5d04899b6f110899818f55)
2007-12-21r26271: Remove some more uses of global_loadparm.Jelmer Vernooij1-4/+6
(This used to be commit e9875fcd56de0748ed78d7e3c9cdb4919cd96d3c)
2007-12-21r26229: Set loadparm context as opaque pointer in ldb, remove more uses of ↵Jelmer Vernooij1-5/+6
global_loadparm. (This used to be commit 37d05fdc7b0e6b3211ba6ae56b1b5da30a6a392a)
2007-12-21r26205: Pass loadparm_context to secrets_db_connect() rather than using ↵Jelmer Vernooij1-1/+1
global context. (This used to be commit 5718b6cfee86ddfc9cf405c98c68ba848df4d9d7)
2007-12-21r26003: Split up DB_WRAP, as first step in an attempt to sanitize dependencies.Jelmer Vernooij1-1/+1
(This used to be commit 56dfcb4f2f8e74c9d8b2fe3a0df043781188a555)
2007-10-10r25552: Convert to standard bool type.Jelmer Vernooij1-16/+16
(This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245)
2007-10-10r25446: Merge some changes I made on the way home from SFO:Jelmer Vernooij1-1/+1
2007-09-29 More higher-level passing around of lp_ctx. 2007-09-29 Fix warning. 2007-09-29 Pass loadparm contexts on a higher level. 2007-09-29 Avoid using global loadparm context. (This used to be commit 3468952e771ab31f90b6c374ade01c5550810f42)
2007-10-10r25026: Move param/param.h out of includes.hJelmer Vernooij1-0/+1
(This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
2007-10-10r24730: Allow secrets entries to be for service principals.Andrew Bartlett1-6/+11
Andrew Bartlett (This used to be commit 7865d10a299a84ed42de4435b7e6400d56161ac5)
2007-10-10r23792: convert Samba4 to GPLv3Andrew Tridgell1-3/+2
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10r21736: Fix the smbclient test to do something more interesting with the lastAndrew Bartlett1-1/+1
few authentication tests. Now that the tests correctly 'fail', I was able to fix the credentials subsystem to honour USER and PASSWD. To get --machine-pass working, I needed ldb to always load it's static modules, so I put this in ldb_connect(). Andrew Bartlett (This used to be commit 3430d8c072407a1c33c32229095fc9db2142b6fa)
2007-10-10r21362: rename:Stefan Metzmacher1-2/+2
"ntPwdHash" => "unicodePwd" "lmPwdHash" => "dBCSPwd" "sambaLMPwdHistory" => "lmPwdHistory" "sambaNTPwdHistory" => "ntPwdHistory" Note: you need to reprovision after this change! metze (This used to be commit dc4242c09c0402cbfdba912f82892df3153456ad)
2007-10-10r21314: add more usefull debug outputStefan Metzmacher1-6/+6
metze (This used to be commit a246e4bbaaab6f98f50a3c28b47d2c541af7b44a)
2007-10-10r21135: Instead of having hooks to update keytabs as an explicit thing, updateAndrew Bartlett1-73/+12
them as a hook on ldb modify, via a module. This should allow the secrets.ldb to be edited by the admin, and to have things update in the on-disk keytab just as an in-memory keytab would. This isn't really a dsdb plugin, but I don't have any other good ideas about where to put it. Andrew Bartlett (This used to be commit 6ce557a1aff4754d2622be8f1c6695d9ee788d54)
2007-10-10r19832: better prototypes for the linearization functions:Simo Sorce1-1/+1
- ldb_dn_get_linearized returns a const string - ldb_dn_alloc_linearized allocs astring with the linearized dn (This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
2007-10-10r19831: Big ldb_dn optimization and interfaces enhancement patchSimo Sorce1-1/+1
This patch changes a lot of the code in ldb_dn.c, and also removes and add a number of manipulation functions around. The aim is to avoid validating a dn if not necessary as the validation code is necessarily slow. This is mainly to speed up internal operations where input is not user generated and so we can assume the DNs need no validation. The code is designed to keep the data as a string if possible. The code is not yet 100% perfect, but pass all the tests so far. A memleak is certainly present, I'll work on that next. Simo. (This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
2007-10-10r19598: Ahead of a merge to current lorikeet-heimdal:Andrew Bartlett1-0/+1
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10r19573: Move secrets.o into param/ (subsystems haven't been integrated yet).Jelmer Vernooij1-1/+1
(This used to be commit 8143de855c0b65346b2d8e59ecdb78952927de4a)
2007-10-10r17516: Change helper function names to make more clear what they are meant ↵Simo Sorce1-10/+10
to do (This used to be commit ad75cf869550af66119d0293503024d41d834e02)
2007-10-10r14977: more IBM checker fixesAndrew Tridgell1-0/+1
(This used to be commit cd106509b664e9ca53419a62550b256b7e5bde3c)
2007-10-10r14464: Don't include ndr_BASENAME.h files unless strictly required, insteadJelmer Vernooij1-1/+1
try to include just the BASENAME.h files (containing only structs) (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd)
2007-10-10r14363: Remove credentials.h from the global includes.Jelmer Vernooij1-0/+1
(This used to be commit 98c4c3051391c6f89df5d133665f51bef66b1563)
2007-10-10r13924: Split more prototypes out of include/proto.h + initial work on headerJelmer Vernooij1-0/+1
file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
2007-10-10r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in ourAndrew Bartlett1-19/+10
case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
2007-10-10r12694: Move some headers to the directory of the subsystem they belong to.Jelmer Vernooij1-1/+1
(This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3)
2007-10-10r12411: Add 'net samdump keytab <keytab>'.Andrew Bartlett1-2/+2
This extracts a remote windows domain into a keytab, suitable for use in ethereal for kerberos decryption. For the moment, like net samdump and net samsync, the 'password server' smb.conf option must be set to the binding string for the server. eg: password server = ncacn_np:mypdc Andrew Bartlett (This used to be commit 272013438f53bb168f74e09eb70fc96112b84772)
2007-10-10r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldbAndrew Bartlett1-6/+33
backend. The idea is that every time we open an LDB, we can provide a session_info and/or credentials. This would allow any ldb to be remote to LDAP. We should also support provisioning to a authenticated ldap server. (They are separate so we can say authenticate as foo for remote, but here we just want a token of SYSTEM). Andrew Bartlett (This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
2007-10-10r11995: A big kerberos-related update.Andrew Bartlett1-4/+88
This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY keytab, so we now create a FILE based keytab as provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2007-10-10r11401: A simple hack to have our central credentials system deny sending LMAndrew Bartlett1-0/+3
authentication for user@realm logins and machine account logins. This should avoid various protocol downgrade attacks. Andrew Bartlett (This used to be commit 76c2d204d0a1ec66d1ef3c935688c7571b051f46)
2007-10-10r11220: Add the ability to handle the salt prinicpal as part of theAndrew Bartlett1-4/+9
credentials. This works with the setup/secrets.ldif change from the previous patch, and pretty much just re-invents the keytab. Needed for kpasswdd work. Andrew Bartlett (This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5)
2007-10-10r11209: We can't read the priorSecret unless we ask for it.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit ee9a93688d31d8da91b81e9b0f6fac3fa4894c13)
2007-10-10r11204: Allow us to read credentials from secrets.ldb without aAndrew Bartlett1-6/+2
secureChannelType (non machine join records). Andrew Bartlett (This used to be commit 3dddf497ccf246af435e6e2802d8f3745f2e4fd3)
2007-10-10r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5Andrew Bartlett1-4/+53
authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
2007-10-10r10596: Move the credentials code into it's own subsystem, and push it under ↵Andrew Bartlett1-0/+293
auth/ Andrew Bartlett (This used to be commit 2e76a4b8efd59c496d64241d654538d3222545c6)