Age | Commit message (Collapse) | Author | Files | Lines |
|
authentication. This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
(This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
|
|
I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own
test for the moment, but I'm working on these issues :-)
This required a change to the credentials API, so that the special
case for NTLM logins using a principal was indeed handled as a
special, not general case.
Also don't set the realm from a ccache, as then it overrides --option=realm=.
Andrew Bartlett
(This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
|
|
-Udomain\\user.
This will probably break in a few configurations, so please let me
know. I'll also work to have a way to inhibit kerberos/ntlmssp, as
this removes -k.
Andrew Bartlett
(This used to be commit 3c0dc570b86e79aea5446d7c3bb9750a11bf8ca4)
|
|
'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a
merge from lorikeet-heimdal, where I removed this)
This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred()
function, as this allows us to specify the target principal, regardless
of which alias the client may use.
This patch also tries to simplify some principal handling and fixes some
error cases.
Posted to samba-technical, reviewed by metze, and looked over by lha on IRC.
Andrew Bartlett
(This used to be commit 506a7b67aee949b102d8bf0d6ee9cd12def10d00)
|
|
Kerberos CCACHE into the system.
This again allows the use of the system ccache when no username is
specified, and brings more code in common between gensec_krb5 and
gensec_gssapi.
It also has a side-effect that may (or may not) be expected: If there
is a ccache, even if it is not used (perhaps the remote server didn't
want kerberos), it will change the default username.
Andrew Bartlett
(This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
|
|
Andrew Bartlett
(This used to be commit a68e348375ab026385e7d5162ed8da8f2adbd84e)
|
|
and create the in-memory keytab with the correct kvno, if available.
Andrew Bartlett
(This used to be commit 7b7b2b038e25f3d767b5db7d6e41dd947fdde091)
|
|
support in Heimdal.
This removes the 'ext_keytab' step from my Samba4/WinXP client howto.
In doing this work, I realised that the replay cache in Heimdal is
currently a no-op, so I have removed the calls to it, and therefore
the mutex calls from passdb/secrets.c.
This patch also includes a replacement 'magic' mechanism detection,
that does not issue extra error messages from deep inside the GSSAPI
code.
Andrew Bartlett
(This used to be commit c19d5706f4fa760415b727b970bc99e7f1abd064)
|
|
fill in the function pointers to handle the logging, and catch all the
kerberos warnings. (Currently at level 3).
To avoid a memory leak, this requries a new function: krb5_freelog(),
which I've added to lorikeet/heimdal.
This also required a revamp to how we handle the krb5_context, so as
to make it easier to handle with talloc destructors.
Andrew Bartlett
(This used to be commit 63272794c41231b335b73e7ccf349282f295c4d2)
|
|
Finally remove the distinction between 'krb5' and 'ms_krb5'. We now
don't do kerberos stuff twice on failure. The solution to this is
slightly more general than perhaps was really required (as this is a
special case), but it works, and I'm happy with the cleanup I achived
in the process. All modules have been updated to supply a
NULL-terminated list of OIDs.
In that process, SPNEGO code has been generalised, as I realised that
two of the functions should have been identical in behaviour.
Over in the actual modules, I have worked to remove the 'kinit' code
from gensec_krb5, and placed it in kerberos/kerberos_util.c.
The GSSAPI module has been extended to use this, so no longer requires
a manual kinit at the command line. It will soon loose the
requirement for a on-disk keytab too.
The general kerberos code has also been updated to move from
error_message() to our routine which gets the Heimdal error string
(which may be much more useful) when available.
Andrew Bartlett
(This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)
|