summaryrefslogtreecommitdiff
path: root/source4/auth/kerberos/kerberos_util.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r15853: started the process of removing the warnings now thatAndrew Tridgell1-6/+6
talloc_set_destructor() is type safe. The end result will be lots less use of void*, and less calls to talloc_get_type() (This used to be commit 6b4c085b862c0932b80b93e316396a53b993544c)
2007-10-10r15511: Using this name causes less warnings on the IBM checker, due to usingAndrew Bartlett1-3/+5
the original, rather than equivilant, enum type. Andrew Bartlett (This used to be commit 3d43e458a828801a294e56a1aeb74a4d7cbf9f23)
2007-10-10r15501: Allow interactive password prompting on kerberos as well.Andrew Bartlett1-0/+7
Andrew Bartlett (This used to be commit 7003c3e8dee2d2bfc391875d90eb747616cb361a)
2007-10-10r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in ourAndrew Bartlett1-1/+3
case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
2007-10-10r12594: Jelmer pushed some proposed header reductions to the list today. ThisAndrew Bartlett1-2/+0
commits some of these that I know to be correct in the kerberos area. Andrew Bartlett (This used to be commit 6787b3737c27f5136152b007b0ee2ae314efac3c)
2007-10-10r12422: Some kerberos comments and clarifications.Andrew Bartlett1-2/+5
Andrew Bartlett (This used to be commit 31046cd22b45de6c62c9f122a81cfc898e818308)
2007-10-10r12411: Add 'net samdump keytab <keytab>'.Andrew Bartlett1-22/+36
This extracts a remote windows domain into a keytab, suitable for use in ethereal for kerberos decryption. For the moment, like net samdump and net samsync, the 'password server' smb.conf option must be set to the binding string for the server. eg: password server = ncacn_np:mypdc Andrew Bartlett (This used to be commit 272013438f53bb168f74e09eb70fc96112b84772)
2007-10-10r12059: Use random keytab names (so we get different keytabs, rather thanAndrew Bartlett1-1/+15
share the MEMORY: keytab). Andrew Bartlett (This used to be commit 6c43de27086d3c463891598eb55a44877194cb0d)
2007-10-10r12056: Some clarification fixes for the keytab code, and use the rightAndrew Bartlett1-14/+15
function for enctype to string. Andrew Bartlett (This used to be commit ae6c968cb27f451e5f8cea62be7f33b4b4716f82)
2007-10-10r11993: As well as making an in-MEMORY keytab, allow a file-based keytab to ↵Andrew Bartlett1-98/+321
be updated. This allows a new password to be written in, and old entries removed (we keep kvno and kvno-1). Clean up the code a lot, and add comments on what it is doing... Andrew Bartlett (This used to be commit 0a911baabad60a43741269d29a96fdd74e54331a)
2007-10-10r11350: Add some debugs to assist tracking down kerberos issues in future.Andrew Bartlett1-2/+26
(Make it easy to see what was put into the keytab, so we can tell when gssapi screams that it can't pull it out). Andrew Bartlett (This used to be commit c56142c4ac7541fc30bdf4c77e34f5a50d80da76)
2007-10-10r11220: Add the ability to handle the salt prinicpal as part of theAndrew Bartlett1-25/+31
credentials. This works with the setup/secrets.ldif change from the previous patch, and pretty much just re-invents the keytab. Needed for kpasswdd work. Andrew Bartlett (This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5)
2007-10-10r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5Andrew Bartlett1-37/+74
authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
2007-10-10r10402: Make the RPC-SAMLOGON test pass against Win2k3 SP0 again.Andrew Bartlett1-1/+1
I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own test for the moment, but I'm working on these issues :-) This required a change to the credentials API, so that the special case for NTLM logins using a principal was indeed handled as a special, not general case. Also don't set the realm from a ccache, as then it overrides --option=realm=. Andrew Bartlett (This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
2007-10-10r10364: Turn gensec:gssapi on by default, except for a login of the formAndrew Bartlett1-1/+1
-Udomain\\user. This will probably break in a few configurations, so please let me know. I'll also work to have a way to inhibit kerberos/ntlmssp, as this removes -k. Andrew Bartlett (This used to be commit 3c0dc570b86e79aea5446d7c3bb9750a11bf8ca4)
2007-10-10r10035: This patch removes the need for the special case hackAndrew Bartlett1-7/+56
'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a merge from lorikeet-heimdal, where I removed this) This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred() function, as this allows us to specify the target principal, regardless of which alias the client may use. This patch also tries to simplify some principal handling and fixes some error cases. Posted to samba-technical, reviewed by metze, and looked over by lha on IRC. Andrew Bartlett (This used to be commit 506a7b67aee949b102d8bf0d6ee9cd12def10d00)
2007-10-10r9728: A *major* update to the credentials system, to incorporate theAndrew Bartlett1-47/+12
Kerberos CCACHE into the system. This again allows the use of the system ccache when no username is specified, and brings more code in common between gensec_krb5 and gensec_gssapi. It also has a side-effect that may (or may not) be expected: If there is a ccache, even if it is not used (perhaps the remote server didn't want kerberos), it will change the default username. Andrew Bartlett (This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
2007-10-10r7991: I forgot to free the keyblock once we are done with it.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit a68e348375ab026385e7d5162ed8da8f2adbd84e)
2007-10-10r7989: Allow the use of hashed passwords in the kerberos client and server,Andrew Bartlett1-17/+83
and create the in-memory keytab with the correct kvno, if available. Andrew Bartlett (This used to be commit 7b7b2b038e25f3d767b5db7d6e41dd947fdde091)
2007-10-10r7827: Add in-memory keytab to Samba4, using the new MEMORY_WILDCARD keytabAndrew Bartlett1-2/+161
support in Heimdal. This removes the 'ext_keytab' step from my Samba4/WinXP client howto. In doing this work, I realised that the replay cache in Heimdal is currently a no-op, so I have removed the calls to it, and therefore the mutex calls from passdb/secrets.c. This patch also includes a replacement 'magic' mechanism detection, that does not issue extra error messages from deep inside the GSSAPI code. Andrew Bartlett (This used to be commit c19d5706f4fa760415b727b970bc99e7f1abd064)
2007-10-10r7270: A big revamp to the way we handle kerberos errors in Samba4. We nowAndrew Bartlett1-13/+9
fill in the function pointers to handle the logging, and catch all the kerberos warnings. (Currently at level 3). To avoid a memory leak, this requries a new function: krb5_freelog(), which I've added to lorikeet/heimdal. This also required a revamp to how we handle the krb5_context, so as to make it easier to handle with talloc destructors. Andrew Bartlett (This used to be commit 63272794c41231b335b73e7ccf349282f295c4d2)
2007-10-10r6800: A big GENSEC update:Andrew Bartlett1-0/+120
Finally remove the distinction between 'krb5' and 'ms_krb5'. We now don't do kerberos stuff twice on failure. The solution to this is slightly more general than perhaps was really required (as this is a special case), but it works, and I'm happy with the cleanup I achived in the process. All modules have been updated to supply a NULL-terminated list of OIDs. In that process, SPNEGO code has been generalised, as I realised that two of the functions should have been identical in behaviour. Over in the actual modules, I have worked to remove the 'kinit' code from gensec_krb5, and placed it in kerberos/kerberos_util.c. The GSSAPI module has been extended to use this, so no longer requires a manual kinit at the command line. It will soon loose the requirement for a on-disk keytab too. The general kerberos code has also been updated to move from error_message() to our routine which gets the Heimdal error string (which may be much more useful) when available. Andrew Bartlett (This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)