summaryrefslogtreecommitdiff
path: root/source4/auth/kerberos/kerberos.c
AgeCommit message (Collapse)AuthorFilesLines
2011-06-22s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCsStefan Metzmacher1-1/+48
If the KDC does not support S4U2Proxy, it might return a ticket for the TGT client principal. metze
2011-06-22s4:auth/kerberos: add S4U2Proxy support to kerberos_kinit_password_cc()Stefan Metzmacher1-4/+130
For S4U2Proxy we need to use the ticket from the S4U2Self stage and ask the kdc for the delegated ticket for the target service. metze
2011-06-22s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCsStefan Metzmacher1-1/+47
Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets which belongs to the client principal of the TGT. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104
2011-06-22s4:auth/kerberos: remove one indentation level in kerberos_kinit_password_cc()Stefan Metzmacher1-94/+99
This will make the following changes easier to review. metze
2011-06-22s4:auth/kerberos: reformat kerberos_kinit_password_cc()Stefan Metzmacher1-32/+41
In order to make the following changes easier to review. metze
2011-06-22s4:auth/kerberos: don't mix s4u2self creds with machine account credsStefan Metzmacher1-24/+76
It's important that we don't store the tgt for the machine account in the same krb5_ccache as the ticket for the impersonated principal. We may pass it to some krb5/gssapi functions and they may use them in the wrong way, which would grant machine account privileges to the client. metze
2011-06-22s4:auth/kerberos: use better variable names in kerberos_kinit_password_cc()Stefan Metzmacher1-27/+41
This will make the following changes easier to review. metze
2011-06-22s4:auth/kerberos: don't ignore return code in kerberos_kinit_password_cc()Stefan Metzmacher1-0/+2
metze
2010-09-16s4-kerberos: obey the credentials setting for forwardable ticketsAndrew Tridgell1-23/+4
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-10s4:credentials Add the functions needed to do S4U2Self with cli_credentialsAndrew Bartlett1-13/+66
A torture test to demonstrate will be added soon. Andrew Bartlett
2010-03-16s4:auth/kerberos/kerberos.c - fix also here a memory leakMatthias Dieter Wallnöfer1-0/+1
The options need to be freed also on this error case.
2010-02-26s4-krb5: propogate errors from a lot more kerberos functionsAndrew Tridgell1-2/+2
We need to be able to give sensible error messages when a kerberos calls fails. This propogates the kerberos error up the stack to the caller. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2009-06-12s4:heimdal: import lorikeet-heimdal-200906080040 (commit ↵Andrew Bartlett1-8/+18
904d0124b46eed7a8ad6e5b73e892ff34b6865ba) Also including the supporting changes required to pass make test A number of heimdal functions and constants have changed since we last imported a tree (for the better, but inconvenient for us). Andrew Bartlett
2008-10-20Make sure prototypes are always included, make some functions static andJelmer Vernooij1-0/+1
remove some unused functions.
2008-09-24Cosmetic corrections for the KERBEROS libraryMatthias Dieter Wallnöfer1-2/+2
This commit applies some cosmetic corrections for the KERBEROS library.
2008-08-01auth/kerberos: remove dependencies to internal heimdalStefan Metzmacher1-1/+0
metze (This used to be commit ed0fc19ac6a1194e6fd9a6534cbf7453fa870066)
2007-10-10r23792: convert Samba4 to GPLv3Andrew Tridgell1-3/+2
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10r19604: This is a massive commit, and I appologise in advance for it's size.Andrew Bartlett1-0/+4
This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
2007-10-10r17774: this macro is unusedStefan Metzmacher1-2/+0
metze (This used to be commit 2f4aa95f8d414262eb4d78060ee3a97a85ec5182)
2007-10-10r15256: Use libroken's getaddrinfo if it is not provided by the system. ShouldJelmer Vernooij1-0/+1
get the build on IRIX a bit further. (This used to be commit 47d1baf0cf719dbb1113a79bba50d4075eb06411)
2007-10-10r12594: Jelmer pushed some proposed header reductions to the list today. ThisAndrew Bartlett1-5/+0
commits some of these that I know to be correct in the kerberos area. Andrew Bartlett (This used to be commit 6787b3737c27f5136152b007b0ee2ae314efac3c)
2007-10-10r11215: Remove no-op prompter intended to work around bugs in old kerberos libs.Andrew Bartlett1-27/+1
I'm also worried this might cause loops, if we get a 'force password change', and the prompter tries to 'deal with it'. Andrew Bartlett (This used to be commit 5bc10c4e472b45c5b5b0ea0c3dd100be6f4dabca)
2007-10-10r10513: Reduce some use of pstring. The main reason some parts of the code stillJelmer Vernooij1-1/+0
use pstring is next_token() now. (This used to be commit a5b88bcd420eb7ae42283293541519e142be36e3)
2007-10-10r10035: This patch removes the need for the special case hackAndrew Bartlett1-25/+7
'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a merge from lorikeet-heimdal, where I removed this) This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred() function, as this allows us to specify the target principal, regardless of which alias the client may use. This patch also tries to simplify some principal handling and fixes some error cases. Posted to samba-technical, reviewed by metze, and looked over by lha on IRC. Andrew Bartlett (This used to be commit 506a7b67aee949b102d8bf0d6ee9cd12def10d00)
2007-10-10r9415: Remove old kerberos code (including salt guessing code) that has onlyAndrew Bartlett1-672/+0
caused me pain (and covourty warnings). Simply gensec_gssapi to assume the properties of lorikeet-heimdal, rather than having #ifdef around critical features. This simplifies the code rather a lot. Andrew Bartlett (This used to be commit 11156f556db678c3d325fe5ced5e41a76ed6a3f1)
2007-10-10r7989: Allow the use of hashed passwords in the kerberos client and server,Andrew Bartlett1-0/+54
and create the in-memory keytab with the correct kvno, if available. Andrew Bartlett (This used to be commit 7b7b2b038e25f3d767b5db7d6e41dd947fdde091)
2007-10-10r6359: Fix compiler warning with struct sockaddr. I'm sure I fixed this a fewTim Potter1-0/+1
weeks ago - weird. (This used to be commit 1738761d895461260dcba0dd81630cfa0ec43ae8)
2007-10-10r6113: Move GENSEC and the kerberos code out of libcli/auth, and intoAndrew Bartlett1-0/+788
auth/gensec and auth/kerberos. This also pulls the kerberos configure code out of libads (which is otherwise dead), and into auth/kerberos/kerberos.m4 Andrew Bartlett (This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)
generated by cgit (git 2.34.1) at 2024-11-08 13:34:19 +0000