summaryrefslogtreecommitdiff
path: root/source4/auth/gensec/gensec_krb5.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r11543: A major upgrade to our KDC and PAC handling.Andrew Bartlett1-1/+1
We now put the PAC in the AS-REP, so that the client has it in the TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the client wants a ticket. This should also allow us to interop with windows KDCs. If we get an invalid PAC at the TGS stage, we just drop it. I'm slowly trying to move the application logic out of hdb-ldb.c, and back in with the rest of Samba's auth system, for consistancy. This continues that trend. Andrew Bartlett (This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
2007-10-10r11521: Add in client support for checking supportedSASLmechanisms, and thenAndrew Bartlett1-0/+1
determining a mechanism to use. Currently it doesn't to fallbacks like SPNEGO does, but this could be added (to GENSEC, not to here). This also adds a new function to GENSEC, which returns a list of SASL names in our preference order (currently determined by the build system of all things...). Also make the similar function used for OIDs in SPNEGO do the same. This is all a very long-winded way of moving from a hard-coded NTLM to GSS-SPNEGO in our SASL client... Andrew Bartlett (This used to be commit 130eb9bb9a37957614c87e0e6846a812abb51e00)
2007-10-10r11400: fix compiler warningsStefan Metzmacher1-1/+1
metze (This used to be commit a29a107d95b67248ccd6036084829b080c892e40)
2007-10-10r11399: Add another case where we need to fallback, if the KDC isn't there.Andrew Bartlett1-0/+4
Andrew Bartlett (This used to be commit e82fbb58ddaa3d38615d9a2d5e804f614edb2ff3)
2007-10-10r11314: Use a patch from lha to have the kerberos libs extract the PAC, ratherAndrew Bartlett1-12/+42
than doing ASN.1 parsing in Samba. Also use the API function for getting a client from a ticket, rather than just digging in the structure. Andrew Bartlett (This used to be commit 25d5ea6d724bd2b64a6086ae6e2e1c5148b8ca4a)
2007-10-10r11270: Move the core CrackNames code from rpc_server/drsuapi to dsdb/samdb.Andrew Bartlett1-13/+6
I'm sure this will not be the final resting place, but it will do for now. Use the cracknames code in auth/ for creating a server_info given a principal name only (should avoid assumtions about spliting a user@realm principal). Andrew Bartlett (This used to be commit c9d5d8e45dd7b7c99b6cf35b087bc18012f31222)
2007-10-10r11239: Use ${REALM} for the realm in rootdse.ldifAndrew Bartlett1-2/+1
Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2007-10-10r11216: Upgrade to gd's PAC extraction code from Samba3. While I still wantAndrew Bartlett1-27/+26
to make some this the kerberos library's problem, we may as well use the best code that is around. Andrew Bartlett (This used to be commit a7fe3078a65f958499779f381731b408f3e6fb1f)
2007-10-10r11212: Enable sealing of data with raw krb5, consolidate some code into theAndrew Bartlett1-61/+63
main gensec_krb5_start and always ask for sequence numbers. Andrew Bartlett (This used to be commit 801cd6c6ffa96ac79eb425adf7c97eb2cfcbed4a)
2007-10-10r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5Andrew Bartlett1-3/+7
authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
2007-10-10r10565: Try to make Kerberos authentication a bit more friendly.Andrew Bartlett1-2/+5
This disables it for 'localhost' as well as for any host our KDC does not recognise. Andrew Bartlett (This used to be commit 49c6c36763aae23880a20a8ee50c00e8935d8548)
2007-10-10r10383: This patch is on the road to implementing servers (such as kpasswd) thatAndrew Bartlett1-29/+140
use raw krb5, not GSSAPI. I still keep the 'fake GSSAPI' code, but under the module name 'fake_gssapi_krb5'. Andrew Bartlett (This used to be commit 99efec2758ad6c996db65dd42cb72a81077c9b2b)
2007-10-10r10291: The patch optionally (off by default, not available in all cases) allowsAndrew Bartlett1-12/+36
Samba to use the target principal name supplied in the mechTokenMIC of an SPNEGO negTokenInit. This isn't a great idea for security reasons, but is how Samba3 behaves, and allows kerberos to function more often in some environments. It is only available for CIFS session setups, due to the ordering of the exchange. Andrew Bartlett (This used to be commit f6a645644127ae695a9f7288e0a469f2eb7f3066)
2007-10-10r10066: This is the second in my patches to work on Samba4's kerberos support,Andrew Bartlett1-58/+76
with an aim to make the code simpiler and more correct. Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over all keytypes)' code in gensec_krb5, we now follow the approach used in gensec_gssapi, and use a keytab. I have also done a lot of work in the GSSAPI code, to try and reduce the diff between us and upstream heimdal. It was becoming hard to track patches in this code, and I also want this patch (the DCE_STYLE support) to be in a 'manageable' state for when lha considers it for merging. (metze assures me it still has memory leak problems, but I've started to address some of that). This patch also includes a simple update of other code to current heimdal, as well as changes we need for better PAC verification. On the PAC side of things we now match windows member servers by checking the name and authtime on an incoming PAC. Not generating these right was the cause of the PAC pain, and so now both the main code and torture test validate this behaviour. One thing doesn't work with this patch: - the sealing of RPC pipes with kerberos, Samba -> Samba seems broken. I'm pretty sure this is related to AES, and the need to break apart the gss_wrap interface. Andrew Bartlett (This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2007-10-10r9728: A *major* update to the credentials system, to incorporate theAndrew Bartlett1-80/+68
Kerberos CCACHE into the system. This again allows the use of the system ccache when no username is specified, and brings more code in common between gensec_krb5 and gensec_gssapi. It also has a side-effect that may (or may not) be expected: If there is a ccache, even if it is not used (perhaps the remote server didn't want kerberos), it will change the default username. Andrew Bartlett (This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
2007-10-10r9681: We don't need the full smb_krb5_context here, so just pass the ↵Andrew Bartlett1-1/+1
krb5_context. Andrew Bartlett (This used to be commit 47699019dbb7aa48e7acd6bf8364e40917db8410)
2007-10-10r9084: 'resign' the sample PAC for the validation of the signature algorithms.Andrew Bartlett1-3/+3
If we ever get problems with the kerberos code, it should show up as a different signature in this PAC. This involved returning more data from the pac functions, so changed some callers and split up some functions. Andrew Bartlett (This used to be commit d514a7491208afa0533bf9e99601147eb69e08c9)
2007-10-10r8520: fixed a pile of warnings from the build farm gcc -Wall output onAndrew Tridgell1-1/+2
S390. This is an attempt to avoid the panic we're seeing in the automatic builds. The main fixes are: - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats - use of NULL format statements to perform dn searches. - assumption that sizeof() returns an int (This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
2007-10-10r8321: Fix some uninitalized variable warningsVolker Lendecke1-1/+1
(This used to be commit 126cb3db4b0cf9c382ba7496ba08311f3b669f00)
2007-10-10r8250: More PAC work. We now sucessfully verify the KDC signature from my DCAndrew Bartlett1-2/+8
(I have included the krbtgt key from my test network). It turns out the krbtgt signature is over the 16 (or whatever, enc-type dependent) bytes of the signature, not the entire structure. Also do not even try to use Kerberos or GSSAPI on an IP address, it will only fail. Andrew Bartlett (This used to be commit 3b9558e82fdebb58f240d43f6a594d676eb04daf)
2007-10-10r8016: Get the keyblock arguments correct. (the context struct changed, butAndrew Bartlett1-2/+2
I forgot to update the users) Andrew Bartlett (This used to be commit 44b86b7e6570e31ab07ce12593fb8834325c52c8)
2007-10-10r7993: Further work on the Krb5 PAC.Andrew Bartlett1-3/+3
We now generate the PAC, and can verifiy both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, spits out the code to get the information we need from the NETLOGON server back into a auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be veified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
2007-10-10r7986: Fix the compile, thanks to HotaruT.Andrew Bartlett1-1/+1
This won't actually work until I get the keyblock filled in again, but at least it will compile. I first need to decide if we want to keep the server-side gensec_krb5 code at all, now we have the GSSAPI layer doing what we want. Andrew Bartlett (This used to be commit 28e49de9293002ee89f0666144c9028daefdde88)
2007-10-10r7968: Pull the PAC from within GSSAPI, rather than only when using our ownAndrew Bartlett1-182/+2
'mock GSSAPI'. Many thanks to Luke Howard for the work he has done on Heimdal for XAD, to provide the right API hooks in GSSAPI. Next step is to verify the signatures, and to build the PAC for the KDC end. Andrew Bartlett (This used to be commit 2e82743c98e563e97c5a215d09efa0121854d0f7)
2007-10-10r7827: Add in-memory keytab to Samba4, using the new MEMORY_WILDCARD keytabAndrew Bartlett1-2/+23
support in Heimdal. This removes the 'ext_keytab' step from my Samba4/WinXP client howto. In doing this work, I realised that the replay cache in Heimdal is currently a no-op, so I have removed the calls to it, and therefore the mutex calls from passdb/secrets.c. This patch also includes a replacement 'magic' mechanism detection, that does not issue extra error messages from deep inside the GSSAPI code. Andrew Bartlett (This used to be commit c19d5706f4fa760415b727b970bc99e7f1abd064)
2007-10-10r7270: A big revamp to the way we handle kerberos errors in Samba4. We nowAndrew Bartlett1-44/+26
fill in the function pointers to handle the logging, and catch all the kerberos warnings. (Currently at level 3). To avoid a memory leak, this requries a new function: krb5_freelog(), which I've added to lorikeet/heimdal. This also required a revamp to how we handle the krb5_context, so as to make it easier to handle with talloc destructors. Andrew Bartlett (This used to be commit 63272794c41231b335b73e7ccf349282f295c4d2)
2007-10-10r7240: Don't call our fancy error message routines on a null context.Andrew Bartlett1-2/+1
Andrew Bartlett (This used to be commit 35877387c8e345d30d7598d1a139067a26cc1f7f)
2007-10-10r6800: A big GENSEC update:Andrew Bartlett1-89/+42
Finally remove the distinction between 'krb5' and 'ms_krb5'. We now don't do kerberos stuff twice on failure. The solution to this is slightly more general than perhaps was really required (as this is a special case), but it works, and I'm happy with the cleanup I achived in the process. All modules have been updated to supply a NULL-terminated list of OIDs. In that process, SPNEGO code has been generalised, as I realised that two of the functions should have been identical in behaviour. Over in the actual modules, I have worked to remove the 'kinit' code from gensec_krb5, and placed it in kerberos/kerberos_util.c. The GSSAPI module has been extended to use this, so no longer requires a manual kinit at the command line. It will soon loose the requirement for a on-disk keytab too. The general kerberos code has also been updated to move from error_message() to our routine which gets the Heimdal error string (which may be much more useful) when available. Andrew Bartlett (This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)
2007-10-10r6700: Upper case realms in kerberos-specific parts of the code, as this isAndrew Bartlett1-1/+6
no longer done globally. This keeps MIT client libraries happy, because otherwise the windows KDC will return a different case to what was requested. Andrew Bartlett (This used to be commit 9098b9321f938473c367f906cfe2f001ca1d8e6a)
2007-10-10r6322: Fix compile warning for struct sockaddr.Tim Potter1-0/+1
(This used to be commit 9c45f8d7bc21a4426091ea03f9f0681d7dad3edd)
2007-10-10r6113: Move GENSEC and the kerberos code out of libcli/auth, and intoAndrew Bartlett1-0/+751
auth/gensec and auth/kerberos. This also pulls the kerberos configure code out of libads (which is otherwise dead), and into auth/kerberos/kerberos.m4 Andrew Bartlett (This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)