Age | Commit message (Collapse) | Author | Files | Lines |
|
This extracts a remote windows domain into a keytab, suitable for use
in ethereal for kerberos decryption.
For the moment, like net samdump and net samsync, the 'password
server' smb.conf option must be set to the binding string for the
server. eg:
password server = ncacn_np:mypdc
Andrew Bartlett
(This used to be commit 272013438f53bb168f74e09eb70fc96112b84772)
|
|
command line processing system.
This is a little ugly at the moment, but works. What I cannot manage
to get to work is the extraction and propogation of command line
credentials into the js interface to ldb.
Andrew Bartlett
(This used to be commit f34ede763e7f80507d06224d114cf6b5ac7c8f7d)
|
|
backend.
The idea is that every time we open an LDB, we can provide a
session_info and/or credentials. This would allow any ldb to be remote
to LDAP. We should also support provisioning to a authenticated ldap
server.
(They are separate so we can say authenticate as foo for remote, but
here we just want a token of SYSTEM).
Andrew Bartlett
(This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
|
|
To avoid a circular depenency, it is not allowed to use Krb5 as an
authentication mechanism, so this must be removed from the list. An
extension to the credentials system allows this function.
Also remove proto.h use for any of the KDC, and use NTSTATUS returns
in more places.
Andrew Bartlett
(This used to be commit 5f9dddd02c9c821675d2ccd07561a55edcd7f5b4)
|
|
metze
(This used to be commit c60bac5baa572a597ce6e1c2e3639be4c7daeefc)
|
|
attach a restriction on available GENSEC mechanisms.
Andrew Bartlett
(This used to be commit 8154f2421f828be65ee89f21ed7ac0f5e2132ca9)
|
|
GENSEC mechansims. This will allow a machine join to an NT4 domain to
avoid even trying kerberos, or a sensitive operation to require it.
Andrew Bartlett
(This used to be commit 11c7a89e523f85afd728d5e5f03bb084dc620244)
|
|
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
|
|
of the gsskrb5_acquire_cred hack.
Add support for delegated credentials into the auth and credentials
subsystem, and specifically into gensec_gssapi.
Add the CIFS NTVFS handler as a consumer of delegated credentials,
when no user/domain/password is specified.
Andrew Bartlett
(This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448)
|
|
(thanks metze).
Andrew Bartlett
(This used to be commit 848831a1559d6569359bd6fb4993ccbef6ad86d8)
|
|
authentication for user@realm logins and machine account logins.
This should avoid various protocol downgrade attacks.
Andrew Bartlett
(This used to be commit 76c2d204d0a1ec66d1ef3c935688c7571b051f46)
|
|
Andrew Bartlett
(This used to be commit 82527491b2212d34b676be1e26cc875ae2828e42)
|
|
(This used to be commit 204185576c6a4df5e43e5a97cb13227407c09e6e)
|
|
(This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba)
|
|
credentials. This works with the setup/secrets.ldif change from the
previous patch, and pretty much just re-invents the keytab.
Needed for kpasswdd work.
Andrew Bartlett
(This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5)
|
|
Andrew Bartlett
(This used to be commit ee9a93688d31d8da91b81e9b0f6fac3fa4894c13)
|
|
secureChannelType (non machine join records).
Andrew Bartlett
(This used to be commit 3dddf497ccf246af435e6e2802d8f3745f2e4fd3)
|
|
authentication. This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
(This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
|
|
metze
(This used to be commit d9d3fe1b8aa34f5d87b73b94253b4230303cba76)
|
|
previous patch.
Andrew Bartlett
(This used to be commit 2c537d47ba99885c6462016342b1cc29df4c54c5)
|
|
authentication out of the various callers and into the kitchen
sink.. err, credentials subsystem.
This should ensure consistant logic, as well as get us one step closer
to security=server operation in future.
Andrew Bartlett
(This used to be commit 09c95763301c0f7770d56462e8af4169b8c171fb)
|
|
Andrew Bartlett
(This used to be commit 51a0275a0e7ffc940f2403f3c74a00b3936a07f4)
|
|
auth/
Andrew Bartlett
(This used to be commit 2e76a4b8efd59c496d64241d654538d3222545c6)
|