| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
(This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba)
|
|
Add the kpasswd server to our KDC, implementing the 'original' and
Microsoft versions of the protocol.
This works with the Heimdal kpasswd client, but not with MIT, I think
due to ordering issues. It may not be worth the pain to have this
code go via GENSEC, as it is very, very tied to krb5.
This gets us one step closer to joins from Apple, Samba3 and other
similar implementations.
Andrew Bartlett
(This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
|
|
Andrew Bartlett
(This used to be commit 4d9667f5a037eb15f6f0e4329314a37f148e9db7)
|
|
reasonable value to fill in for the mechListMIC.
Andrew Bartlett
(This used to be commit 51d78de2b79f4ab75c86c3255c23a478c6822a0e)
|
|
to make some this the kerberos library's problem, we may as well use
the best code that is around.
Andrew Bartlett
(This used to be commit a7fe3078a65f958499779f381731b408f3e6fb1f)
|
|
http://lists.samba.org/archive/samba-technical/2005-October/043443.html)
(This used to be commit 7fffc5c9178158249be632ac0ca179c13bd1f98f)
|
|
main gensec_krb5_start and always ask for sequence numbers.
Andrew Bartlett
(This used to be commit 801cd6c6ffa96ac79eb425adf7c97eb2cfcbed4a)
|
|
authentication. This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
(This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
|
|
header.
Andrew Bartlett
(This used to be commit a665b56085cbf89c6deaeef0deaed31fcbc07458)
|
|
the client doesn't guess correctly on the mech to use. It must back
off and try the mech the server selected from the list.
I'm not particularly attached to our SPNEGO parser, so while I can't
easily use the SPNEGO application logic in Heimdal, I'm going to look
closely at using the asn1 routines to avoid some pain here.
Andrew Bartlett
(This used to be commit 929217387449270b60c3f825dca3b3cae5a4f9d1)
|
|
most of the changes are fixes to make all the ldb code compile without
warnings on gcc4. Unfortunately That required a lot of casts :-(
I have also added the start of an 'operational' module, which will
replace the timestamp module, plus add support for some other
operational attributes
In ldb_msg_*() I added some new utility functions to make the
operational module sane, and remove the 'ldb' argument from the
ldb_msg_add_*() functions. That argument was only needed back in the
early days of ldb when we didn't use the hierarchical talloc and thus
needed a place to get the allocation function from. Now its just a
pain to pass around everywhere.
Also added a ldb_debug_set() function that calls ldb_debug() plus sets
the result using ldb_set_errstring(). That saves on some awkward
coding in a few places.
(This used to be commit f6818daecca95760c12f79fd307770cbe3346f57)
|
|
ldap. Also ensure we put a objectclass on our private ldb's, so they
have some chance of being stored in ldap if you want to
(This used to be commit 1af2cc067f70f6654d08387fc28def67229bb06a)
|
|
Andrew Bartlett
(This used to be commit 6021fa373405f8788dc216aae82a3f4a80df4ba7)
|
|
schannel connections.
Test for Win2k3 SP1 behaviour in RPC-SCHANNEL.
Andrew Bartlett
(This used to be commit 1c3911374ec65e4770c2fe9109d7b7d3ecd99f6a)
|
|
then StaticLibrary()
(This used to be commit b53313dc517986c69a4e4cb8fe3885b696f8faa1)
|
|
This disables it for 'localhost' as well as for any host our KDC does
not recognise.
Andrew Bartlett
(This used to be commit 49c6c36763aae23880a20a8ee50c00e8935d8548)
|
|
(This used to be commit 6df956edbab7ad5e72b2f20e74ab0f0d62528932)
|
|
that are then included by include/proto.h
(This used to be commit 703ffbaaaca11f3d8781cfe9e7542fcaa626d991)
|
|
Andrew Bartlett
(This used to be commit 1f726906c488355733dc1a3a89c53e194c192e68)
|
|
(This used to be commit 1b675a1bdfa7e50e1b418ae41479f1bebc445064)
|
|
safe) as it is removed on smbd restart
(This used to be commit 0951db6a89d15792ee1ea6b9f37c45486958ad57)
|
|
use raw krb5, not GSSAPI. I still keep the 'fake GSSAPI' code, but
under the module name 'fake_gssapi_krb5'.
Andrew Bartlett
(This used to be commit 99efec2758ad6c996db65dd42cb72a81077c9b2b)
|
|
-Udomain\\user.
This will probably break in a few configurations, so please let me
know. I'll also work to have a way to inhibit kerberos/ntlmssp, as
this removes -k.
Andrew Bartlett
(This used to be commit 3c0dc570b86e79aea5446d7c3bb9750a11bf8ca4)
|
|
but final linking still fails (as does generating files asn1, et, idl and proto
files)
(This used to be commit 4f0d7f75b99c7f4388d8acb0838577d86baf68b5)
|
|
Samba to use the target principal name supplied in the mechTokenMIC of
an SPNEGO negTokenInit.
This isn't a great idea for security reasons, but is how Samba3 behaves,
and allows kerberos to function more often in some environments. It is
only available for CIFS session setups, due to the ordering of the
exchange.
Andrew Bartlett
(This used to be commit f6a645644127ae695a9f7288e0a469f2eb7f3066)
|
|
data to be signed/sealed. We can use this to split the data from the
signature portion of the resultant wrapped packet.
This required merging the gsskrb5_wrap_size patch from
lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no
longer use a static 45 byte value).
This fixes one of the krb5 issues in my list.
Andrew Bartlett
(This used to be commit e4f2afc34362953f56a026b66ae1aea81e9db104)
|
|
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
|
|
'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a
merge from lorikeet-heimdal, where I removed this)
This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred()
function, as this allows us to specify the target principal, regardless
of which alias the client may use.
This patch also tries to simplify some principal handling and fixes some
error cases.
Posted to samba-technical, reviewed by metze, and looked over by lha on IRC.
Andrew Bartlett
(This used to be commit 506a7b67aee949b102d8bf0d6ee9cd12def10d00)
|
|
Andrew Bartlett
(This used to be commit b50e546eb4d5d9171d4ae5e9c9bebd8c7c878bd8)
|
|
Kerberos CCACHE into the system.
This again allows the use of the system ccache when no username is
specified, and brings more code in common between gensec_krb5 and
gensec_gssapi.
It also has a side-effect that may (or may not) be expected: If there
is a ccache, even if it is not used (perhaps the remote server didn't
want kerberos), it will change the default username.
Andrew Bartlett
(This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
|
|
krb5_context.
Andrew Bartlett
(This used to be commit 47699019dbb7aa48e7acd6bf8364e40917db8410)
|
|
metze
(This used to be commit 995b805e046e6e25544487667d928187e13614d6)
|
|
processing the state.
Andrew Bartlett
(This used to be commit c3a8080a189e084c5774bdd1a9f3ea62daed715e)
|
|
Andrew Bartlett
(This used to be commit 66cdd4dbd7f4024b49bcc9fe1c7ff2a0de7e82e8)
|
|
- Fix mixing of code and data
- send mechListMic again in SPENGO server
- only send optomistic first packet in the client.
(This used to be commit 9941da8081ef5a669b0946265860d2f20d3718d3)
|
|
into Samba3.
The NTLMSSP sign/seal code now assumes that GENSEC has already checked
to see if SIGN or SEAL should be permitted. This simplfies the code
ensures that no matter what the mech, the correct code paths have been
set in place.
Also remove duplication caused by the NTLMv2 code's history, and
document why some of the things a bit funny.
In SPNEGO, create a new routine to handle the negTokenInit creation.
We no longer send an OID for a mech we can't start (like kerberos on
the server without a valid trust account).
Andrew Bartlett
(This used to be commit fe45ef608f961a6950d4d19b4cb5e7c27b38ba5f)
|
|
caused me pain (and covourty warnings).
Simply gensec_gssapi to assume the properties of lorikeet-heimdal,
rather than having #ifdef around critical features. This simplifies
the code rather a lot.
Andrew Bartlett
(This used to be commit 11156f556db678c3d325fe5ced5e41a76ed6a3f1)
|
|
NTLMSSP, unless we are in datagram mode (not fully implemented yet).
Andrew Bartlett
(This used to be commit 727f5109421e9414a335e42e3ad3dd3ff19776bd)
|
|
distinguished names
Provide more functions to handle DNs in this form
(This used to be commit 692e35b7797e39533dd2a1c4b63d9da30f1eb5ba)
|
|
replace this with something funkier.
(This used to be commit 8d376d56c78894b9bbd27ed7fa70da415c0cd038)
|
|
error to non-error case.
Andrew Bartlett
(This used to be commit ab75cd53e7c65fa6242b8dde3bfede735a6b36d5)
|
|
If we ever get problems with the kerberos code, it should show up as a
different signature in this PAC.
This involved returning more data from the pac functions, so changed
some callers and split up some functions.
Andrew Bartlett
(This used to be commit d514a7491208afa0533bf9e99601147eb69e08c9)
|
|
(This used to be commit 2134ca475586ed9e062fbf4ef7222fe286c60c57)
|
|
Andrew Bartlett
(This used to be commit d7136c93fb7ddf27d914329a7c9fd77de22d4356)
|
|
S390. This is an attempt to avoid the panic we're seeing in the
automatic builds.
The main fixes are:
- assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats
- use of NULL format statements to perform dn searches.
- assumption that sizeof() returns an int
(This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
|
|
(This used to be commit 126cb3db4b0cf9c382ba7496ba08311f3b669f00)
|
|
(I have included the krbtgt key from my test network).
It turns out the krbtgt signature is over the 16 (or whatever,
enc-type dependent) bytes of the signature, not the entire structure.
Also do not even try to use Kerberos or GSSAPI on an IP address, it
will only fail.
Andrew Bartlett
(This used to be commit 3b9558e82fdebb58f240d43f6a594d676eb04daf)
|
|
I forgot to update the users)
Andrew Bartlett
(This used to be commit 44b86b7e6570e31ab07ce12593fb8834325c52c8)
|
|
We now generate the PAC, and can verifiy both our own PAC and the PAC
from Win2k3.
This commit adds the PAC generation code, spits out the code to get
the information we need from the NETLOGON server back into a auth/
helper function, and adds a number of glue functions.
In the process of building the PAC generation code, some hints in the
Microsoft PAC specification shed light on other parts of the code, and
the updates to samr.idl and netlogon.idl come from those hints.
Also in this commit:
The Heimdal build package has been split up, so as to only link the
KDC with smbd, not the client utils.
To enable the PAC to be veified with gensec_krb5 (which isn't quite
dead yet), the keyblock has been passed back to the calling layer.
Andrew Bartlett
(This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
|
|
This won't actually work until I get the keyblock filled in again, but
at least it will compile.
I first need to decide if we want to keep the server-side gensec_krb5
code at all, now we have the GSSAPI layer doing what we want.
Andrew Bartlett
(This used to be commit 28e49de9293002ee89f0666144c9028daefdde88)
|
