path: root/source4/auth/kerberos/kerberos_verify.c
Age | Author | Files | Lines
Commit message

2007-10-10 | Andrew Bartlett | 1 | -8/+2
r12594: Jelmer pushed some proposed header reductions to the list today. This commits some of these that I know to be correct in the kerberos area. Andrew Bartlett (This used to be commit 6787b3737c27f5136152b007b0ee2ae314efac3c)

2007-10-10 | Andrew Bartlett | 1 | -45/+12
r11218: Always return the mutual authentication reply (needed for kpasswd), and remove now duplicated unwrap_pac(). Andrew Bartlett (This used to be commit 90642d54e02e09edc96b9498e66befda20dbb68d)

2007-10-10 | Andrew Bartlett | 1 | -191/+16
r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5 authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use kerberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentials to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)

2007-10-10 | Jelmer Vernooij | 1 | -1/+0
r10513: Reduce some use of pstring. The main reason some parts of the code still use pstring is next_token() now. (This used to be commit a5b88bcd420eb7ae42283293541519e142be36e3)

2007-10-10 | Andrew Bartlett | 1 | -167/+49
r10066: This is the second in my patches to work on Samba4's kerberos support, with an aim to make the code simpler and more correct. Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over all keytypes' code in gensec_krb5; we now follow the approach used in gensec_gssapi, and use a keytab. I have also done a lot of work in the GSSAPI code, to try and reduce the diff between us and upstream heimdal. It was becoming hard to track patches in this code, and I also want this patch (the DCE_STYLE support) to be in a 'manageable' state for when lha considers it for merging. (metze assures me it still has memory leak problems, but I've started to address some of that). This patch also includes a simple update of other code to current heimdal, as well as changes we need for better PAC verification. On the PAC side of things we now match windows member servers by checking the name and authtime on an incoming PAC. Not generating these right was the cause of the PAC pain, and so now both the main code and torture test validate this behaviour. One thing doesn't work with this patch: - the sealing of RPC pipes with kerberos, Samba -> Samba seems broken. I'm pretty sure this is related to AES, and the need to break apart the gss_wrap interface. Andrew Bartlett (This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)

2007-10-10 | Andrew Bartlett | 1 | -7/+10
r7993: Further work on the Krb5 PAC. We now generate the PAC, and can verify both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, splits out the code to get the information we need from the NETLOGON server back into an auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be verified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)

2007-10-10 | Andrew Bartlett | 1 | -1/+1
r7968: Pull the PAC from within GSSAPI, rather than only when using our own 'mock GSSAPI'. Many thanks to Luke Howard for the work he has done on Heimdal for XAD, to provide the right API hooks in GSSAPI. Next step is to verify the signatures, and to build the PAC for the KDC end. Andrew Bartlett (This used to be commit 2e82743c98e563e97c5a215d09efa0121854d0f7)

2007-10-10 | Andrew Bartlett | 1 | -93/+22
r7827: Add in-memory keytab to Samba4, using the new MEMORY_WILDCARD keytab support in Heimdal. This removes the 'ext_keytab' step from my Samba4/WinXP client howto. In doing this work, I realised that the replay cache in Heimdal is currently a no-op, so I have removed the calls to it, and therefore the mutex calls from passdb/secrets.c. This patch also includes a replacement 'magic' mechanism detection, that does not issue extra error messages from deep inside the GSSAPI code. Andrew Bartlett (This used to be commit c19d5706f4fa760415b727b970bc99e7f1abd064)

2007-10-10 | Andrew Bartlett | 1 | -0/+1
r7257: Ensure the error message can never be uninitialised. Andrew Bartlett (This used to be commit fdd964582a4b102978fbc29dbf71de52bd30a155)

2007-10-10 | Andrew Bartlett | 1 | -4/+13
r6801: It appears that krb5_make_principal, while convenient, is not portable. Andrew Bartlett (This used to be commit c8e8fa129ed0c80bcd289445935047c28d48da64)

2007-10-10 | Andrew Bartlett | 1 | -4/+5
r6800: A big GENSEC update: Finally remove the distinction between 'krb5' and 'ms_krb5'. We now don't do kerberos stuff twice on failure. The solution to this is slightly more general than perhaps was really required (as this is a special case), but it works, and I'm happy with the cleanup I achieved in the process. All modules have been updated to supply a NULL-terminated list of OIDs. In that process, SPNEGO code has been generalised, as I realised that two of the functions should have been identical in behaviour. Over in the actual modules, I have worked to remove the 'kinit' code from gensec_krb5, and placed it in kerberos/kerberos_util.c. The GSSAPI module has been extended to use this, so no longer requires a manual kinit at the command line. It will soon lose the requirement for an on-disk keytab too. The general kerberos code has also been updated to move from error_message() to our routine which gets the Heimdal error string (which may be much more useful) when available. Andrew Bartlett (This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)

2007-10-10 | Andrew Bartlett | 1 | -40/+60
r6711: Clarify that we are dealing with a salting principal in the kerberos code, which is certainly not in the form of machine$. Rework the default salt to match what I just added to the heimdal server (Samba4 is back on speaking terms with lorikeet heimdal now), from Luke Howard's post to samba-technical in Nov 2004. Now to test compatibility with MS... Andrew Bartlett (This used to be commit d719a0093bfe37fc62f28c7c02f17f93eec16abf)

2007-10-10 | Stefan Metzmacher | 1 | -1/+1
r6703: fix the build. metze (This used to be commit 333f9bdf585db3df455009667d94deae568be02a)

2007-10-10 | Andrew Bartlett | 1 | -57/+44
r6701: Updates to our server-side ticket verification code; we now use the client credentials code to read the secrets.ldb. Also clean up error handling, and ensure to always set the last_error_message stuff. Andrew Bartlett (This used to be commit 435d229e5d1da349f00d80a36b599ae70468e99d)

2007-10-10 | Tim Potter | 1 | -0/+1
r6521: Include system/network.h to fix compiler warning. (This used to be commit 45383f6cec3c380043be59f1e1c5bf82f3095abb)

2007-10-10 | Andrew Bartlett | 1 | -0/+486
r6113: Move GENSEC and the kerberos code out of libcli/auth, and into auth/gensec and auth/kerberos. This also pulls the kerberos configure code out of libads (which is otherwise dead), and into auth/kerberos/kerberos.m4. Andrew Bartlett (This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)