summaryrefslogtreecommitdiff
path: root/source4/auth/credentials/credentials_krb5.c
AgeCommit message (Collapse)AuthorFilesLines
2010-09-24s4-kerberos Move 'set key into keytab' code out of credentials.Andrew Bartlett1-55/+1
This code never really belonged in the credentials layer, and is easier done with direct access to the ldb_message that is in secrets.ldb. Andrew Bartlett
2010-08-27s4:credentials_krb5.c - quiet a Solaris warningMatthias Dieter Wallnöfer1-1/+2
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell1-6/+6
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-05-14s4:credentials Allow setting of an empty Kerberos CCACHEAndrew Bartlett1-18/+12
This allows us to tell the credentials code where we want the credentials put. Andrew Bartlett
2010-05-02s4:credentials Make the CCACHE in credentials depend on the things that built itAndrew Bartlett1-18/+57
This means that we consider the ccache only as reliable as the least specified of the inputs we used. This means that we will regenerate the ccache if any of the inputs change. Andrew Bartlett
2010-04-27s4:kerberos Give a better error message than "Could not allocate memory"Andrew Bartlett1-3/+3
Andrew Bartlett
2010-04-10s4:credentials Add the functions needed to do S4U2Self with cli_credentialsAndrew Bartlett1-0/+38
A torture test to demonstrate will be added soon. Andrew Bartlett
2010-04-10s4:credentials talloc_free() any previous salt_principalAndrew Bartlett1-0/+1
This isn't used often, but it is generally better not to leak it onto what may be a longer-term context. Andrew Bartlett
2010-02-26s4-krb5: propogate errors from a lot more kerberos functionsAndrew Tridgell1-45/+70
We need to be able to give sensible error messages when a kerberos calls fails. This propogates the kerberos error up the stack to the caller. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-02-20s4:credentials Add hooks to extract a named Kerberos credentials cacheAndrew Bartlett1-18/+38
This allows the integration of external tools that can't be linked into C or python, but need to authenticate as the local machine account. The machineaccountccache script demonstrates this, and debugging has been improved in cli_credentials_set_secrets() by passing back and error string. Andrew Bartlett
2009-06-12s4:heimdal: import lorikeet-heimdal-200906080040 (commit ↵Andrew Bartlett1-3/+0
904d0124b46eed7a8ad6e5b73e892ff34b6865ba) Also including the supporting changes required to pass make test A number of heimdal functions and constants have changed since we last imported a tree (for the better, but inconvenient for us). Andrew Bartlett
2008-12-29s4:lib/tevent: rename structsStefan Metzmacher1-10/+10
list="" list="$list event_context:tevent_context" list="$list fd_event:tevent_fd" list="$list timed_event:tevent_timer" for s in $list; do o=`echo $s | cut -d ':' -f1` n=`echo $s | cut -d ':' -f2` r=`git grep "struct $o" |cut -d ':' -f1 |sort -u` files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4` for f in $files; do cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp mv $f.tmp $f done done metze
2008-07-28auth/credentials: explain why we need to the enctypes for the gssapi layerStefan Metzmacher1-1/+11
metze (This used to be commit 88970c4d4192635544cf63e79e929e9bb05ecb5f)
2008-07-26auth/credentials: use the same enctypes when getting a TGT and a TGSStefan Metzmacher1-0/+23
metze (This used to be commit 9fc5750156467f579ea8d7755987d091f5b579c2)
2008-06-27credentials: gss_set_cred_option() doesn't like GSS_C_NO_BUFFERStefan Metzmacher1-1/+4
metze (This used to be commit 31cf1a781efce932d0574d7840979fcd0a07ec08)
2008-06-27credentials: gss_set_cred_option() needs gss_cred_id_t * argument, not ↵Michael Adam1-1/+1
gss_cred_id_t. This call was added in f573c1ff4443f3002c310d3ba29d8c343ad03907. Metze, please check! Michael (This used to be commit 2b40fd7e950a7f06d2c589eadc0f604a4c65e325)
2008-06-19credentials: set GSS_KRB5_CRED_NO_CI_FLAGS_X to avoid GSS_C_CONF_FLAG and ↵Stefan Metzmacher1-6/+21
GSS_C_INTEG_FLAG metze (This used to be commit f573c1ff4443f3002c310d3ba29d8c343ad03907)
2008-04-17Remove event context tracking from the credentials struct.Jelmer Vernooij1-13/+22
(This used to be commit 4d7fc946b2ec50e774689c9036423b6feef99b8e)
2008-04-02Install public header files again and include required prototypes.Jelmer Vernooij1-13/+14
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-03-17Don't require users of credentials.h to have krb5.h and gssapi.hAndrew Bartlett1-4/+4
Rather than require users of Samba4's headers to have krb5-devel installed (presumably in their system paths), don't expose the minor functions which require this by default. Andrew Bartlett (This used to be commit f14737e4d2040d2f401a3b20c5e78d0d793cfc3a)
2007-12-21r26430: require explicit specification of loadparm context.Jelmer Vernooij1-14/+22
(This used to be commit 1b947fe0e6e16318e5a8127bb4932d6b5d20bcf6)
2007-12-21r26320: Clean up properly after error.Jelmer Vernooij1-0/+1
(This used to be commit 9fdfe1ad8c7b76e521a683b4afa7b324d15d55b5)
2007-12-21r26274: Some syntax fixes, remove more global_loadparm instances.Jelmer Vernooij1-2/+4
(This used to be commit 3809113d86dbd35b906356a05bb481a1e2bfe4b7)
2007-12-21r26271: Remove some more uses of global_loadparm.Jelmer Vernooij1-3/+6
(This used to be commit e9875fcd56de0748ed78d7e3c9cdb4919cd96d3c)
2007-12-21r26233: Pass loadparm context when creating krb5 contexts.Jelmer Vernooij1-7/+9
(This used to be commit 7780bf285fdfc30f89409d0436bad0d4b6de5cd4)
2007-12-21r26231: Spell check: credentails -> credentials.Jelmer Vernooij1-1/+1
(This used to be commit 4b46888bd0195ab12190f76868719fc018baafd6)
2007-12-21r25703: Use less entropy by using the pointer value as a process-unique token.Andrew Bartlett1-10/+2
Andrew Bartlett (This used to be commit 3480dc71a9f969909b984855d546a1974593368f)
2007-10-10r24282: Try to fix the occasional Samba4 crash in BASE-BENCH-READWRITE, asAndrew Bartlett1-4/+6
seen in particular on opi. This looked like a Heimdal problem, but I think it was simply that we didn't do a talloc_reference() to keep tabs on the memory we were using, and in between obtaining the pointer and using it, it was assigned to unrelated memory. Andrew Bartlett (This used to be commit a650ad8b37d58ba64458a33313714d1abfc4850b)
2007-10-10r23792: convert Samba4 to GPLv3Andrew Tridgell1-3/+2
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10r23132: Resolve an issue where we would use the ccache after we free()ed it.Andrew Bartlett1-27/+34
The problem was, we would set the ccache, then invalidate it as we set details from it (like the principal name from the ccache). Instead, set the ccache onto the credentials structure after we are done processing it. Andrew Bartlett (This used to be commit d285bd927c604d930fc44cc84ef3321aa4ce9d9a)
2007-10-10r23063: Make sure to invalidate the ccache when we set aAndrew Bartlett1-6/+49
username/password/realm/etc from the command line. Also make sure it can't 'come back' from a later call to cli_credentials_guess(), buy setting a threshold. This should fix the issues with the build farm... Andrew Bartlett (This used to be commit 3b1dfb9306beb9f40d85d38cf6786ef161ec63f1)
2007-10-10r23034: Thanks to metze for providing some vital clues in the 'kerberos ccacheAndrew Bartlett1-2/+6
on credentials don't do anything' bug. The problem was simple, we didn't set the ccache as having been initialised, so we always created a new one. Andrew Bartlett (This used to be commit ec2014f08b0845bc8aa0e8e6713bc4b21f430811)
2007-10-10r22969: fix some more places where we could end up with more than one eventAndrew Tridgell1-1/+2
context. We now have an event context on the torture_context, and we can also get one from the cli_credentials structure (This used to be commit c0f65eb6562e13530337c23e3447a6aa6eb8fc17)
2007-10-10r22558: Move to a static list of enctypes to put into our keytab. In future,Andrew Bartlett1-4/+34
I'll allow this to be configured from the secrets.ldb, but it should fix some user issues. Andrew Bartlett (This used to be commit 0fd74ada220fb07d4ebe8c2d9b8ae50a387c2695)
2007-10-10r22187: Test kerberos logins in the smbclient blackbox tests, including with aAndrew Bartlett1-0/+4
machine account. Andrew Bartlett (This used to be commit 16a2bb87a80ffb921f267492f453eb3457666315)
2007-10-10r19598: Ahead of a merge to current lorikeet-heimdal:Andrew Bartlett1-3/+5
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10r15853: started the process of removing the warnings now thatAndrew Tridgell1-8/+6
talloc_set_destructor() is type safe. The end result will be lots less use of void*, and less calls to talloc_get_type() (This used to be commit 6b4c085b862c0932b80b93e316396a53b993544c)
2007-10-10r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in ourAndrew Bartlett1-0/+14
case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
2007-10-10r12411: Add 'net samdump keytab <keytab>'.Andrew Bartlett1-20/+7
This extracts a remote windows domain into a keytab, suitable for use in ethereal for kerberos decryption. For the moment, like net samdump and net samsync, the 'password server' smb.conf option must be set to the binding string for the server. eg: password server = ncacn_np:mypdc Andrew Bartlett (This used to be commit 272013438f53bb168f74e09eb70fc96112b84772)
2007-10-10r11995: A big kerberos-related update.Andrew Bartlett1-13/+198
This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY keytab, so we now create a FILE based keytab as provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2007-10-10r11452: Update Heimdal to current lorikeet, including removing the ccache sideAndrew Bartlett1-3/+110
of the gsskrb5_acquire_cred hack. Add support for delegated credentials into the auth and credentials subsystem, and specifically into gensec_gssapi. Add the CIFS NTVFS handler as a consumer of delegated credentials, when no user/domain/password is specified. Andrew Bartlett (This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448)
2007-10-10r11220: Add the ability to handle the salt prinicpal as part of theAndrew Bartlett1-0/+9
credentials. This works with the setup/secrets.ldif change from the previous patch, and pretty much just re-invents the keytab. Needed for kpasswdd work. Andrew Bartlett (This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5)
2007-10-10r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5Andrew Bartlett1-4/+57
authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
2007-10-10r10596: Move the credentials code into it's own subsystem, and push it under ↵Andrew Bartlett1-0/+248
auth/ Andrew Bartlett (This used to be commit 2e76a4b8efd59c496d64241d654538d3222545c6)