summaryrefslogtreecommitdiff
path: root/source4/auth/credentials/credentials_files.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r14977: more IBM checker fixesAndrew Tridgell1-0/+1
(This used to be commit cd106509b664e9ca53419a62550b256b7e5bde3c)
2007-10-10r14464: Don't include ndr_BASENAME.h files unless strictly required, insteadJelmer Vernooij1-1/+1
try to include just the BASENAME.h files (containing only structs) (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd)
2007-10-10r14363: Remove credentials.h from the global includes.Jelmer Vernooij1-0/+1
(This used to be commit 98c4c3051391c6f89df5d133665f51bef66b1563)
2007-10-10r13924: Split more prototypes out of include/proto.h + initial work on headerJelmer Vernooij1-0/+1
file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
2007-10-10r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in ourAndrew Bartlett1-19/+10
case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
2007-10-10r12694: Move some headers to the directory of the subsystem they belong to.Jelmer Vernooij1-1/+1
(This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3)
2007-10-10r12411: Add 'net samdump keytab <keytab>'.Andrew Bartlett1-2/+2
This extracts a remote windows domain into a keytab, suitable for use in ethereal for kerberos decryption. For the moment, like net samdump and net samsync, the 'password server' smb.conf option must be set to the binding string for the server. eg: password server = ncacn_np:mypdc Andrew Bartlett (This used to be commit 272013438f53bb168f74e09eb70fc96112b84772)
2007-10-10r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldbAndrew Bartlett1-6/+33
backend. The idea is that every time we open an LDB, we can provide a session_info and/or credentials. This would allow any ldb to be remote to LDAP. We should also support provisioning to a authenticated ldap server. (They are separate so we can say authenticate as foo for remote, but here we just want a token of SYSTEM). Andrew Bartlett (This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
2007-10-10r11995: A big kerberos-related update.Andrew Bartlett1-4/+88
This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY keytab, so we now create a FILE based keytab as provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2007-10-10r11401: A simple hack to have our central credentials system deny sending LMAndrew Bartlett1-0/+3
authentication for user@realm logins and machine account logins. This should avoid various protocol downgrade attacks. Andrew Bartlett (This used to be commit 76c2d204d0a1ec66d1ef3c935688c7571b051f46)
2007-10-10r11220: Add the ability to handle the salt prinicpal as part of theAndrew Bartlett1-4/+9
credentials. This works with the setup/secrets.ldif change from the previous patch, and pretty much just re-invents the keytab. Needed for kpasswdd work. Andrew Bartlett (This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5)
2007-10-10r11209: We can't read the priorSecret unless we ask for it.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit ee9a93688d31d8da91b81e9b0f6fac3fa4894c13)
2007-10-10r11204: Allow us to read credentials from secrets.ldb without aAndrew Bartlett1-6/+2
secureChannelType (non machine join records). Andrew Bartlett (This used to be commit 3dddf497ccf246af435e6e2802d8f3745f2e4fd3)
2007-10-10r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5Andrew Bartlett1-4/+53
authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
2007-10-10r10596: Move the credentials code into it's own subsystem, and push it under ↵Andrew Bartlett1-0/+293
auth/ Andrew Bartlett (This used to be commit 2e76a4b8efd59c496d64241d654538d3222545c6)