Age | Commit message (Collapse) | Author | Files | Lines |
|
lifetime constraints, and works with the in-memory keytab.
Move initialize_krb5_error_table() into our kerberos startup code,
rather than in the GSSAPI code explitly. (Hmm, we probably don't need
this at all..)
Andrew Bartlett
(This used to be commit bedf92da5c81066405c87c9e588842d3ca5ba945)
|
|
support in Heimdal.
This removes the 'ext_keytab' step from my Samba4/WinXP client howto.
In doing this work, I realised that the replay cache in Heimdal is
currently a no-op, so I have removed the calls to it, and therefore
the mutex calls from passdb/secrets.c.
This patch also includes a replacement 'magic' mechanism detection,
that does not issue extra error messages from deep inside the GSSAPI
code.
Andrew Bartlett
(This used to be commit c19d5706f4fa760415b727b970bc99e7f1abd064)
|
|
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.
Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.
There were 3 places where I punted:
- abartlet wanted me to add a gensec_set_event_context() call
instead of adding it to the gensec init calls. Andrew, my
apologies for not doing this. I didn't do it as adding a new
parameter allowed me to catch all the callers with the
compiler. Now that its done, we could go back and use
gensec_set_event_context()
- the ejs code calls auth initialisation, which means it should pass
in the event context from the web server. I punted on that. Needs fixing.
- I used a NULL event context in dcom_get_pipe(). This is equivalent
to what we did already, but should be fixed to use a callers event
context. Jelmer, can you think of a clean way to do that?
I also cleaned up a couple of things:
- libnet_context_destroy() makes no sense. I removed it.
- removed some unused vars in various places
(This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
|
|
- if you want kerberos now, you need to unpack a lorikeet heimdal
tree in source/heimdal/. If source/heimdal/ does not exist at
configure time then all kerberos features are disabled. You cannot
use an external kerberos library for now. That may change later.
- moved lib/replace/ config stuff to lib/replace/ and create a
lib/replace/replace.h. That allows the heimdal build to use our
portability layer, and prevenets duplicate definitions of functions
like strlcat()
- if you do enable heimdal, then you will need to do 'make
HEIMDAL_EXTERNAL' before you build Samba. That should be fixed once
I explain the problem to jelmer (the problem is the inability to
set a depend without also dragging in the object list of the
dependency. We need this for building the heimdal asn1 compiler and
et compiler.
- disabled all of the m4 checks for external kerberos libraries. I
left them in place in auth/kerberos/, but disabled it in
configure.in
some of the heimdal_build/ code is still very rough, for example I
don't correctly detect the correct awk, flex, bison replacements for
heimdal_build/build_external.sh. I expect to fix that stuff up over
the next few days.
(This used to be commit d4648249b2c7fc8b5e7c0fc8d8f92ae043b5691f)
|
|
fill in the function pointers to handle the logging, and catch all the
kerberos warnings. (Currently at level 3).
To avoid a memory leak, this requries a new function: krb5_freelog(),
which I've added to lorikeet/heimdal.
This also required a revamp to how we handle the krb5_context, so as
to make it easier to handle with talloc destructors.
Andrew Bartlett
(This used to be commit 63272794c41231b335b73e7ccf349282f295c4d2)
|
|
Andrew Bartlett
(This used to be commit 35877387c8e345d30d7598d1a139067a26cc1f7f)
|
|
Andrew Bartlett
(This used to be commit 1f68cf7d0eb5de18da7f9d14c729caf314740601)
|
|
Heimdal.
Andrew Bartlett
(This used to be commit f2e926192595c74bd9cc8a3343e0fcf27a1de38b)
|
|
Make the build system give a proper warning about this in the future
(This used to be commit 2d980465af87d25ce17b8340c6b5f662ef29edd3)
|
|
config.mk and config.m4 to be consistent with the rest of Samba.
(This used to be commit f377c71e4f0d60684326906dfb65e4581294ec34)
|
|
(This used to be commit a02e07739781eb00b521d050ab06d6b0aedf47bc)
|
|
should allow us to ditch the local static storage for OIDs, as well as
fix the build on non-heimdal platforms.
Andrew Bartlett
(This used to be commit a7e2ecfac9aaacd673e3583b62139e4f4e114429)
|
|
Finally remove the distinction between 'krb5' and 'ms_krb5'. We now
don't do kerberos stuff twice on failure. The solution to this is
slightly more general than perhaps was really required (as this is a
special case), but it works, and I'm happy with the cleanup I achived
in the process. All modules have been updated to supply a
NULL-terminated list of OIDs.
In that process, SPNEGO code has been generalised, as I realised that
two of the functions should have been identical in behaviour.
Over in the actual modules, I have worked to remove the 'kinit' code
from gensec_krb5, and placed it in kerberos/kerberos_util.c.
The GSSAPI module has been extended to use this, so no longer requires
a manual kinit at the command line. It will soon loose the
requirement for a on-disk keytab too.
The general kerberos code has also been updated to move from
error_message() to our routine which gets the Heimdal error string
(which may be much more useful) when available.
Andrew Bartlett
(This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)
|
|
features merged back into gensec_gssapi.
(Removed because I've made some API changes, and it isn't worth
'fixing' the rudundent code to cope with changes)
Andrew Bartlett
(This used to be commit e8cf3d58ec956e41fc8d3e38363db3d5d838fe1d)
|
|
back to the other options.
Andrew Bartlett
(This used to be commit 9153d7306124d5e4ffc0467728210e2e2235059f)
|
|
(This used to be commit 45a0692be10a03032f9a4e26da3de08696c03464)
|
|
(This used to be commit 6d15e9511115cc30ee213ec91320a2dccde15b8f)
|
|
Andrew Bartlett
(This used to be commit 77d054c65aeecfc0d1156d750f7b8025cb154d3a)
|
|
metze
(This used to be commit 3536029e8fb1da1ca689e0b7aa1f3edfb7967790)
|
|
metze
(This used to be commit 491d7804f5f5bdfb43ae09b81c2cbc34fab2246d)
|
|
Andrew Bartlett
(This used to be commit 400899995b2c2ed54a114f8f55e5fb36592298b9)
|
|
must register the 'MS' OID for the domain join to progress.
Andrew Bartlett
(This used to be commit c8fbda6bfd96d5d57cd52bc15d8695547effe2e3)
|
|
This patch allows a suitably patched Heimdal GSSAPI library (detected
in configure) to supply to us the session keys, and further compleats
the gensec_gssapi module. This is tested for CIFS, but fails for LDAP
at this point (that is what I'll work on next).
We currently fill out the 'session info' from the SAM, like
gensec_krb5 does, but both will need to use the PAC extraction
functions in the near future.
Andrew Bartlett
(This used to be commit 937ee361615a487af9e0279145e75b6c27720a6b)
|
|
a different
order than a strict request - reply sequence
Note: we should also fix the client code...
metze
(This used to be commit 0a61d1f65150546f7a7582512ca010d156f963bf)
|
|
metze
(This used to be commit 9d86314c44ae8e1ec21653b21cc267bfac573445)
|
|
no longer done globally.
This keeps MIT client libraries happy, because otherwise the windows
KDC will return a different case to what was requested.
Andrew Bartlett
(This used to be commit 9098b9321f938473c367f906cfe2f001ca1d8e6a)
|
|
(This used to be commit 250f1f69dd719a7981ec4c1698942b31826888d2)
|
|
is required after updating to this version).
(This used to be commit 258d03ef9248b2827db18269e4f0883c73839084)
|
|
client and server logic code. In future, this may allow us to build
only the NTLMSSP client, and not the server, but in the short-term, it
allows me greater sainity in moving around these files.
Andrew Bartlett
(This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
|
|
talloc() now).
Andrew Bartlett
(This used to be commit fc3e3653ebc3accf94f9264d2bbfe1cb71b017d0)
|
|
The aim here is to remove the extra layer of abstraction, and to then
use the credentials code directly in the NTLMSSP layer.
Andrew Bartlett
(This used to be commit b14c530dfd3e56975dea7e30aa8d62d4f2827700)
|
|
error cases.
Andrew Bartlett
(This used to be commit 24f98f32aae3b8c45283715b27fa67b1d2e5c0f2)
|
|
some ldif
- init the schannel.ldb with some CASE_INSENSITIVE attributes
(This used to be commit e6376b24303dc513e15c7e640c8c1c8d8ca11091)
|
|
(This used to be commit 9c45f8d7bc21a4426091ea03f9f0681d7dad3edd)
|
|
metze
(This used to be commit 80593150341852af0816e69bd653c93228862e9b)
|
|
auth/gensec and auth/kerberos.
This also pulls the kerberos configure code out of libads (which is
otherwise dead), and into auth/kerberos/kerberos.m4
Andrew Bartlett
(This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)
|