Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
Previously, our PAC code didn't include these groups into the
server_info from which we would eventually calculate the full
list of tokenGroups.
Andrew Bartlett
|
|
|
|
|
|
904d0124b46eed7a8ad6e5b73e892ff34b6865ba)
Also including the supporting changes required to pass make test
A number of heimdal functions and constants have changed since we last
imported a tree (for the better, but inconvenient for us).
Andrew Bartlett
|
|
|
|
This is implemented by means of a message to the KDC, to avoid having
to link most of the KDC into netlogon.
Andrew Bartlett
(This used to be commit 82fcd7941f5c54da2d994c8bd99dd8d86299a296)
|
|
This uses Heimdal's PAC parsing code in the:
- LOCAL-PAC test
- gensec_gssapi server
- KDC (where is was already used, the support code refactored from here)
In addition, the service and KDC checksums are recorded in the struct
auth_serversupplied_info, allowing them to be extracted for validation
across NETLOGON.
Andrew Bartlett
(This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
|
|
(This used to be commit c5a95bbe0ce55c29e135a9c6058bf192ec3bb546)
|
|
(This used to be commit c863f4ebde8efa1a695b4469142d6719e30bc419)
|
|
library, so it can be overridden by OpenChange.
(This used to be commit 2f29f80e07adef1f020173f2cd6d947d0ef505ce)
|
|
ndr_struct_push_blob().
(This used to be commit 61ad78ac98937ef7a9aa32075a91a1c95b7606b3)
|
|
(This used to be commit 2d61e7c96e249d7031b709e9f727626a78e435f1)
|
|
lib/messaging/
lib/registry/
lib/ldb-samba/
librpc/rpc/
auth/auth_winbind.c
auth/gensec/
auth/kerberos/
dsdb/repl/
dsdb/samdb/
dsdb/schema/
torture/
cluster/ctdb/
kdc/
ntvfs/ipc/
torture/rap/
ntvfs/
utils/getntacl.c
ntptr/
smb_server/
libcli/wrepl/
wrepl_server/
libcli/cldap/
libcli/dgram/
libcli/ldap/
libcli/raw/
libcli/nbt/
libnet/
winbind/
rpc_server/
metze
(This used to be commit 6223c7fddc972687eb577e04fc1c8e0604c35435)
|
|
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
|
|
should _krb5_find_type_in_ad() also take a const?
metze
(This used to be commit addc31bd9309cb2b41cbb548c82c80de1cf96c4f)
|
|
This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.
This is such a big change because Heimdal reorganised it's internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases.
In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC. This matches windows behavour. We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).
This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.
Andrew Bartlett
(This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
|
|
Break up auth/auth.h not to include the world.
Add credentials_krb5.h with the kerberos dependent prototypes.
Andrew Bartlett
(This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
|
|
(This used to be commit 0fafa2e59566f8f892d7dfd7dd33d0100b96a780)
|
|
Recursive dependencies are now forbidden (the build system
will bail out if there are any).
I've split up auth_sam.c into auth_sam.c and sam.c. Andrew,
please rename sam.c / move its contents to whatever/wherever you think suits
best.
(This used to be commit 6646384aaf3e7fa2aa798c3e564b94b0617ec4d0)
|
|
rest of LIBSECURITY doesn't)
Make the ldb password_hash module only depend on some keys manipulation code, not full heimdal
Some other dependency fixes
(This used to be commit 5b3ab728edfc9cdd9eee16ad0fe6dfd4b5ced630)
|
|
Andrew Bartlett
(This used to be commit 2ab71ed51868da123131d8bdaa7c30ab61ae280f)
|
|
commits some of these that I know to be correct in the kerberos area.
Andrew Bartlett
(This used to be commit 6787b3737c27f5136152b007b0ee2ae314efac3c)
|
|
We now put the PAC in the AS-REP, so that the client has it in the
TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the
client wants a ticket.
This should also allow us to interop with windows KDCs.
If we get an invalid PAC at the TGS stage, we just drop it.
I'm slowly trying to move the application logic out of hdb-ldb.c, and
back in with the rest of Samba's auth system, for consistancy. This
continues that trend.
Andrew Bartlett
(This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
|
|
we can round-trip all the way back to a server_info structure, not
just a filled in PAC_DATA. (I was worried about generated fields being
incorrect, or some other logical flaw).
Andrew Bartlett
(This used to be commit 11b1d78cc550c60201d12f8778ca8533712a5b1e)
|
|
about the size of the signature. In particular, this works with AES,
which was previously broken Samba4/Samba4.
Reviewed by metze (and thanks for help with the previous IDL commit).
(This used to be commit 3c8be196cce3bf275a0bf8d0cf127df570b560d3)
|
|
other than arcfour-hmac-md5. Currently we still fail to verify other
signatures however.
Andrew Bartlett
(This used to be commit 2e5884fc2472c6bcc7e6e083c28a4da6b2f72af1)
|
|
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
|
|
krb5_context.
Andrew Bartlett
(This used to be commit 47699019dbb7aa48e7acd6bf8364e40917db8410)
|
|
saga was
that the logon_time field in the pac must match the authtime field in the ticket we
gave the client in the AS-REP (and thus also the authtime field in the ticket we get
back in the TGS-REQ).
Many thanks to Andrew Bartlett for his patience in showing me the
basic ropes of all this code! This was a joint effort.
(This used to be commit 7bee374b3ffcdb0424a83f909fe5ad504ea3882e)
|
|
Andrew Bartlett
(This used to be commit fba7a0edd4ba29e595bb6ebd77381b383701482d)
|
|
If we ever get problems with the kerberos code, it should show up as a
different signature in this PAC.
This involved returning more data from the pac functions, so changed
some callers and split up some functions.
Andrew Bartlett
(This used to be commit d514a7491208afa0533bf9e99601147eb69e08c9)
|
|
now push/pull a sample PAC, and still have the same byte buffer.
(Metze set up the string code, and probably already has a similar
patch).
Unfortunetly win2k3 still doesn't like what we provide, but every step helps.
Also use data_blob_const() when we are just wrapping data for API
reasons.
Andrew Bartlett
(This used to be commit e7c8076fc1459ff2ccefdaf0b091d04ee6137957)
|
|
(I have included the krbtgt key from my test network).
It turns out the krbtgt signature is over the 16 (or whatever,
enc-type dependent) bytes of the signature, not the entire structure.
Also do not even try to use Kerberos or GSSAPI on an IP address, it
will only fail.
Andrew Bartlett
(This used to be commit 3b9558e82fdebb58f240d43f6a594d676eb04daf)
|
|
LOGON_INFO
LOGON_NAME
SRV_CHECKSUM
KDC_CHECKSUM
- w2k3 also don't use the groupmembership array with rids
it uses the othersids array
metze
(This used to be commit 2286fad27d749ebba14f5448f1f635bb36750c9c)
|
|
length too,
it's always 16 bytes smaller than the size in the PAC_BUFFER
we now dump the blob's on LOCAL-PAC with -d 10
metze
(This used to be commit 4ef721ce53539ac56ca8ac4d601f512149ca7283)
|
|
memory checks
- move to handmodified pull/push code for PAC_BUFFER
to get the _ndr_size field and the subcontext size right
- after looking closely to the sample w2k3 PAC in our torture test (and some more in my archive)
I found out that the first uint32 before the netr_SamInfo3 was also a pointer,
(and we passed a NULL pointer there before, so I think that was the reason why the windows clients doesn't want our PAC)
w2k3 uses this for unique pointers:
ptr = ndr->ptr_count * 4;
ptr |= 0x00020000;
ndr->ptr_count;
- do one more pull/push round with the sample PAC
metze
(This used to be commit 0eee17941595e9842a264bf89ac73ca66cea7ed5)
|
|
much closer.
This changes PIDL to allow a subcontext to have a pad8 flag, saying to
pad behind to an 8 byte boundary. This is the only way I can explain
the 4 trainling zeros in the signature struct.
Far more importantly, the PAC code is now under self-test, both in
creating/parsing our own PAC, but also a PAC from my win2k3 server.
This required changing auth_anonymous, because I wanted to reuse the
anonymous 'server_info' generation code.
I'm still having trouble with PIDL, particulary as surrounds value(),
but I'll follow up on the list.
Andrew Bartlett
(This used to be commit 50a54bf4e9bf04d2a8e0aebb3482a2ff655c8bbb)
|
|
checksum in the right place...
Andrew Bartlett
(This used to be commit 90d0f502da20add6784c883b2085cde519604933)
|
|
We now generate the PAC, and can verifiy both our own PAC and the PAC
from Win2k3.
This commit adds the PAC generation code, spits out the code to get
the information we need from the NETLOGON server back into a auth/
helper function, and adds a number of glue functions.
In the process of building the PAC generation code, some hints in the
Microsoft PAC specification shed light on other parts of the code, and
the updates to samr.idl and netlogon.idl come from those hints.
Also in this commit:
The Heimdal build package has been split up, so as to only link the
KDC with smbd, not the client utils.
To enable the PAC to be veified with gensec_krb5 (which isn't quite
dead yet), the keyblock has been passed back to the calling layer.
Andrew Bartlett
(This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
|
|
the 'PAC', required for interopability with Active Directory.
This is still a cludge, as it doesn't handle different encryption
types, but that should be fairly easy to fix (needs PIDL/IDL changes).
Andrew Bartlett
(This used to be commit 690cfc44cef9b349cc31417d8353b6ce1c7832e1)
|
|
keys appear at the end of the PAC, which I feel is deliberate (it
makes this much easier).
I still can't make it work, but I'm sure we are closer.
Andrew Bartlett
(This used to be commit 6f0e1c80ae7b1e31e7a3fbff84f07442ee5a31cf)
|
|
'mock GSSAPI'.
Many thanks to Luke Howard for the work he has done on Heimdal for
XAD, to provide the right API hooks in GSSAPI.
Next step is to verify the signatures, and to build the PAC for the
KDC end.
Andrew Bartlett
(This used to be commit 2e82743c98e563e97c5a215d09efa0121854d0f7)
|