summaryrefslogtreecommitdiff
path: root/source4/auth/kerberos/kerberos.h
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r9728: A *major* update to the credentials system, to incorporate theAndrew Bartlett1-3/+6
Kerberos CCACHE into the system. This again allows the use of the system ccache when no username is specified, and brings more code in common between gensec_krb5 and gensec_gssapi. It also has a side-effect that may (or may not) be expected: If there is a ccache, even if it is not used (perhaps the remote server didn't want kerberos), it will change the default username. Andrew Bartlett (This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
2007-10-10r9681: We don't need the full smb_krb5_context here, so just pass the ↵Andrew Bartlett1-2/+2
krb5_context. Andrew Bartlett (This used to be commit 47699019dbb7aa48e7acd6bf8364e40917db8410)
2007-10-10r9648: this fixes the krb5 based login with the pac. The key to this whole ↵Andrew Tridgell1-0/+1
saga was that the logon_time field in the pac must match the authtime field in the ticket we gave the client in the AS-REP (and thus also the authtime field in the ticket we get back in the TGS-REQ). Many thanks to Andrew Bartlett for his patience in showing me the basic ropes of all this code! This was a joint effort. (This used to be commit 7bee374b3ffcdb0424a83f909fe5ad504ea3882e)
2007-10-10r9084: 'resign' the sample PAC for the validation of the signature algorithms.Andrew Bartlett1-5/+17
If we ever get problems with the kerberos code, it should show up as a different signature in this PAC. This involved returning more data from the pac functions, so changed some callers and split up some functions. Andrew Bartlett (This used to be commit d514a7491208afa0533bf9e99601147eb69e08c9)
2007-10-10r8460: removed the unused function krb5_locate_kdc(). It causes a build ↵Andrew Tridgell1-1/+0
failure on irix. Andrew, if you planned on using this in the future then we can put it back and work out how to make it portable (This used to be commit eaa74913fedefbf33f7cfab6648bf05aa3cdbbb3)
2007-10-10r8250: More PAC work. We now sucessfully verify the KDC signature from my DCAndrew Bartlett1-1/+2
(I have included the krbtgt key from my test network). It turns out the krbtgt signature is over the 16 (or whatever, enc-type dependent) bytes of the signature, not the entire structure. Also do not even try to use Kerberos or GSSAPI on an IP address, it will only fail. Andrew Bartlett (This used to be commit 3b9558e82fdebb58f240d43f6a594d676eb04daf)
2007-10-10r8110: More PAC work. I still can't get WinXP to accept the PAC, but we areAndrew Bartlett1-1/+1
much closer. This changes PIDL to allow a subcontext to have a pad8 flag, saying to pad behind to an 8 byte boundary. This is the only way I can explain the 4 trainling zeros in the signature struct. Far more importantly, the PAC code is now under self-test, both in creating/parsing our own PAC, but also a PAC from my win2k3 server. This required changing auth_anonymous, because I wanted to reuse the anonymous 'server_info' generation code. I'm still having trouble with PIDL, particulary as surrounds value(), but I'll follow up on the list. Andrew Bartlett (This used to be commit 50a54bf4e9bf04d2a8e0aebb3482a2ff655c8bbb)
2007-10-10r8001: Also fill in the krbtgt checksum, and make sure to put the rightAndrew Bartlett1-1/+3
checksum in the right place... Andrew Bartlett (This used to be commit 90d0f502da20add6784c883b2085cde519604933)
2007-10-10r7993: Further work on the Krb5 PAC.Andrew Bartlett1-1/+6
We now generate the PAC, and can verifiy both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, spits out the code to get the information we need from the NETLOGON server back into a auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be veified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
2007-10-10r7978: A start again on PAC verification. I have noticed that the kerberosAndrew Bartlett1-0/+8
keys appear at the end of the PAC, which I feel is deliberate (it makes this much easier). I still can't make it work, but I'm sure we are closer. Andrew Bartlett (This used to be commit 6f0e1c80ae7b1e31e7a3fbff84f07442ee5a31cf)
2007-10-10r7827: Add in-memory keytab to Samba4, using the new MEMORY_WILDCARD keytabAndrew Bartlett1-1/+9
support in Heimdal. This removes the 'ext_keytab' step from my Samba4/WinXP client howto. In doing this work, I realised that the replay cache in Heimdal is currently a no-op, so I have removed the calls to it, and therefore the mutex calls from passdb/secrets.c. This patch also includes a replacement 'magic' mechanism detection, that does not issue extra error messages from deep inside the GSSAPI code. Andrew Bartlett (This used to be commit c19d5706f4fa760415b727b970bc99e7f1abd064)
2007-10-10r7509: With the update to Heimdal 20050612 we no longer need krb5_freelog(),Andrew Bartlett1-1/+1
as krb5_closelog() no longer leaks memory. Andrew Bartlett (This used to be commit b0bf8a4a5f04b65655f4005b27c80eb098039720)
2007-10-10r7306: Use a consistant #define for detecting support for the Heimdal krb5Andrew Bartlett1-3/+3
log redirection code. Andrew Bartlett (This used to be commit 93335d587d9f48c46d9c3b91237f649693cf3003)
2007-10-10r7285: It appears that MIT Kerberos does not have the log redirectionAndrew Bartlett1-0/+8
facility that I'm using. This should let us compile the non-KDC components on MIT again. Andrew Bartlett (This used to be commit ae9c2d2b54a979ab8467c847b62dd2c2a0fa059f)
2007-10-10r7270: A big revamp to the way we handle kerberos errors in Samba4. We nowAndrew Bartlett1-4/+12
fill in the function pointers to handle the logging, and catch all the kerberos warnings. (Currently at level 3). To avoid a memory leak, this requries a new function: krb5_freelog(), which I've added to lorikeet/heimdal. This also required a revamp to how we handle the krb5_context, so as to make it easier to handle with talloc destructors. Andrew Bartlett (This used to be commit 63272794c41231b335b73e7ccf349282f295c4d2)
2007-10-10r6800: A big GENSEC update:Andrew Bartlett1-0/+5
Finally remove the distinction between 'krb5' and 'ms_krb5'. We now don't do kerberos stuff twice on failure. The solution to this is slightly more general than perhaps was really required (as this is a special case), but it works, and I'm happy with the cleanup I achived in the process. All modules have been updated to supply a NULL-terminated list of OIDs. In that process, SPNEGO code has been generalised, as I realised that two of the functions should have been identical in behaviour. Over in the actual modules, I have worked to remove the 'kinit' code from gensec_krb5, and placed it in kerberos/kerberos_util.c. The GSSAPI module has been extended to use this, so no longer requires a manual kinit at the command line. It will soon loose the requirement for a on-disk keytab too. The general kerberos code has also been updated to move from error_message() to our routine which gets the Heimdal error string (which may be much more useful) when available. Andrew Bartlett (This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)
2007-10-10r6113: Move GENSEC and the kerberos code out of libcli/auth, and intoAndrew Bartlett1-0/+99
auth/gensec and auth/kerberos. This also pulls the kerberos configure code out of libads (which is otherwise dead), and into auth/kerberos/kerberos.m4 Andrew Bartlett (This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)