summaryrefslogtreecommitdiff
path: root/source4/auth/kerberos
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r7863: removed an unused variableAndrew Tridgell1-1/+0
(This used to be commit 9ee3dbad6b0bc65f4f3ee64a52db765af8016738)
2007-10-10r7862: Updates to the Kerberos notes, based on recent changes and discoveries.Andrew Bartlett1-19/+90
Andrew Bartlett (This used to be commit 7d791d13bcd70288467bf3574d0394d34f973f18)
2007-10-10r7843: Use the new Heimdal gsskrb_acquire_creds API. This has the rightAndrew Bartlett1-0/+2
lifetime constraints, and works with the in-memory keytab. Move initialize_krb5_error_table() into our kerberos startup code, rather than in the GSSAPI code explitly. (Hmm, we probably don't need this at all..) Andrew Bartlett (This used to be commit bedf92da5c81066405c87c9e588842d3ca5ba945)
2007-10-10r7827: Add in-memory keytab to Samba4, using the new MEMORY_WILDCARD keytabAndrew Bartlett5-107/+213
support in Heimdal. This removes the 'ext_keytab' step from my Samba4/WinXP client howto. In doing this work, I realised that the replay cache in Heimdal is currently a no-op, so I have removed the calls to it, and therefore the mutex calls from passdb/secrets.c. This patch also includes a replacement 'magic' mechanism detection, that does not issue extra error messages from deep inside the GSSAPI code. Andrew Bartlett (This used to be commit c19d5706f4fa760415b727b970bc99e7f1abd064)
2007-10-10r7687: Some more tests that must be done only when krb5_config is absent.Andrew Bartlett1-4/+5
Andrew Bartlett (This used to be commit 898f72d19654c68ba68d36a099bf4dbed5d09fe9)
2007-10-10r7638: krb5_closelog in heimdal-0.7 not longer leaks memory, so remove that ↵Love Hörnquist Åstrand1-4/+0
comment (This used to be commit 3aa80b8e585a0acc57d4b7738dcccfba232948ca)
2007-10-10r7637: Another useful Heimdal feature we need.Andrew Bartlett1-0/+5
Andrew Bartlett (This used to be commit 57ddedc954f49fd370225494758326fcbd0bb500)
2007-10-10r7509: With the update to Heimdal 20050612 we no longer need krb5_freelog(),Andrew Bartlett3-3/+2
as krb5_closelog() no longer leaks memory. Andrew Bartlett (This used to be commit b0bf8a4a5f04b65655f4005b27c80eb098039720)
2007-10-10r7352: the internal heimdal build change. This changes quite a few things:Andrew Tridgell1-0/+2
- if you want kerberos now, you need to unpack a lorikeet heimdal tree in source/heimdal/. If source/heimdal/ does not exist at configure time then all kerberos features are disabled. You cannot use an external kerberos library for now. That may change later. - moved lib/replace/ config stuff to lib/replace/ and create a lib/replace/replace.h. That allows the heimdal build to use our portability layer, and prevenets duplicate definitions of functions like strlcat() - if you do enable heimdal, then you will need to do 'make HEIMDAL_EXTERNAL' before you build Samba. That should be fixed once I explain the problem to jelmer (the problem is the inability to set a depend without also dragging in the object list of the dependency. We need this for building the heimdal asn1 compiler and et compiler. - disabled all of the m4 checks for external kerberos libraries. I left them in place in auth/kerberos/, but disabled it in configure.in some of the heimdal_build/ code is still very rough, for example I don't correctly detect the correct awk, flex, bison replacements for heimdal_build/build_external.sh. I expect to fix that stuff up over the next few days. (This used to be commit d4648249b2c7fc8b5e7c0fc8d8f92ae043b5691f)
2007-10-10r7306: Use a consistant #define for detecting support for the Heimdal krb5Andrew Bartlett2-5/+5
log redirection code. Andrew Bartlett (This used to be commit 93335d587d9f48c46d9c3b91237f649693cf3003)
2007-10-10r7303: autodetect the libkdc and our kdc supportStefan Metzmacher1-7/+28
btw: I use this for configuring heimdal >>> CONFIG="CFLAGS=\"-g -O -Wall -Wstrict-prototypes -Wpointer-arith -Wcast-align -Wwrite-strings -Wdeclaration-after-statement\" \ CC=gcc-4.0 \ ./configure -C --prefix=$HOME/prefix/heimdal-test \ --sysconfdir=/etc \ --enable-shared=no \ --with-ldb=$HOME/prefix/ldb \ --without-openldap \ --without-openssl $@" echo $CONFIG eval $CONFIG >>> maybe you also want to use --disable-berkeley-db metze (This used to be commit 2aec140e00770df78ba31ef91109634ce0aa3d8a)
2007-10-10r7291: Additional notes on what we require from a kerberos implementation.Andrew Bartlett1-1/+36
Andrew Bartlett (This used to be commit a8d3493b6f7a0c28465b00bbadf24e152422e4b5)
2007-10-10r7285: It appears that MIT Kerberos does not have the log redirectionAndrew Bartlett3-2/+23
facility that I'm using. This should let us compile the non-KDC components on MIT again. Andrew Bartlett (This used to be commit ae9c2d2b54a979ab8467c847b62dd2c2a0fa059f)
2007-10-10r7270: A big revamp to the way we handle kerberos errors in Samba4. We nowAndrew Bartlett4-17/+124
fill in the function pointers to handle the logging, and catch all the kerberos warnings. (Currently at level 3). To avoid a memory leak, this requries a new function: krb5_freelog(), which I've added to lorikeet/heimdal. This also required a revamp to how we handle the krb5_context, so as to make it easier to handle with talloc destructors. Andrew Bartlett (This used to be commit 63272794c41231b335b73e7ccf349282f295c4d2)
2007-10-10r7258: Fix the final linking error with libkdc - we need to link libhdb as well.Andrew Bartlett1-0/+1
With this fix, I can request tickets from our built-in KDC! Andrew Bartlett (This used to be commit d7cd76013bdf000831790b29b9d0b401151bf5c2)
2007-10-10r7257: Ensure the error message can never be uninitialised.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit fdd964582a4b102978fbc29dbf71de52bd30a155)
2007-10-10r7241: The KDC almost links...Andrew Bartlett1-0/+5
Using current lorikeet/heimdal, and with the KDC module enabled (it is disabled by default), I almost get the KDC to link. (To enable the KDC for testing, comment out the only line in smbd/config.m4, and add 'kdc' to the 'server services' line in smb.conf). (This used to be commit 26cd4b4f68a370390e08263067402c6c70e49ec8)
2007-10-10r6882: Put in configure tests and #ifdef to keep Samba building on older ↵Andrew Bartlett1-1/+2
Heimdal. Andrew Bartlett (This used to be commit f2e926192595c74bd9cc8a3343e0fcf27a1de38b)
2007-10-10r6819: More notes on krb5 requirementsAndrew Bartlett1-18/+66
Andrew Bartlett (This used to be commit dbd845998723987c75dc0e6a427330116dce0bf4)
2007-10-10r6810: Rename auth/{ntlmssp,gensec,kerberos} mk and m4 files to be calledTim Potter2-0/+1
config.mk and config.m4 to be consistent with the rest of Samba. (This used to be commit f377c71e4f0d60684326906dfb65e4581294ec34)
2007-10-10r6805: Remove two remaining references to gensec_gsskrb5Jelmer Vernooij1-1/+0
(This used to be commit a02e07739781eb00b521d050ab06d6b0aedf47bc)
2007-10-10r6803: Try to bring in the correct GSSAPI headers for the krb5 mech. ThisAndrew Bartlett1-1/+1
should allow us to ditch the local static storage for OIDs, as well as fix the build on non-heimdal platforms. Andrew Bartlett (This used to be commit a7e2ecfac9aaacd673e3583b62139e4f4e114429)
2007-10-10r6801: It appears that krb5_make_principal, while convenient, is not portable.Andrew Bartlett1-4/+13
Andrew Bartlett (This used to be commit c8e8fa129ed0c80bcd289445935047c28d48da64)
2007-10-10r6800: A big GENSEC update:Andrew Bartlett4-4/+131
Finally remove the distinction between 'krb5' and 'ms_krb5'. We now don't do kerberos stuff twice on failure. The solution to this is slightly more general than perhaps was really required (as this is a special case), but it works, and I'm happy with the cleanup I achived in the process. All modules have been updated to supply a NULL-terminated list of OIDs. In that process, SPNEGO code has been generalised, as I realised that two of the functions should have been identical in behaviour. Over in the actual modules, I have worked to remove the 'kinit' code from gensec_krb5, and placed it in kerberos/kerberos_util.c. The GSSAPI module has been extended to use this, so no longer requires a manual kinit at the command line. It will soon loose the requirement for a on-disk keytab too. The general kerberos code has also been updated to move from error_message() to our routine which gets the Heimdal error string (which may be much more useful) when available. Andrew Bartlett (This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)
2007-10-10r6797: Typo fix.Rafal Szczesniak1-1/+1
rafal (This used to be commit 0f9a2aef6c87bd53c962b33bf78bf773d2319b97)
2007-10-10r6795: Make some functions static and remove some unused ones.Jelmer Vernooij1-1/+1
(This used to be commit 46509eb89980bfe6dabd71264d570ea356ee5a22)
2007-10-10r6794: spellfixSimo Sorce1-3/+3
(This used to be commit f5956d150154cb4393dc323ae8ae1f936adee355)
2007-10-10r6791: My early notes on the particular things I have discovered as I learnAndrew Bartlett1-0/+176
kerberos, and how Microsoft constructs their kerberos implementation. Andrew Bartlett (This used to be commit 5fa9be75d987af106fd798f6d5379b637a170b00)
2007-10-10r6727: One more step down the long march to the 'Kerberos domain join'.Andrew Bartlett1-0/+3
This patch allows a suitably patched Heimdal GSSAPI library (detected in configure) to supply to us the session keys, and further compleats the gensec_gssapi module. This is tested for CIFS, but fails for LDAP at this point (that is what I'll work on next). We currently fill out the 'session info' from the SAM, like gensec_krb5 does, but both will need to use the PAC extraction functions in the near future. Andrew Bartlett (This used to be commit 937ee361615a487af9e0279145e75b6c27720a6b)
2007-10-10r6711: Clarify that we are dealing with a salting principal in the kerberosAndrew Bartlett1-40/+60
code, which is certainly not in the form of machine$. Rework the default salt to match what I just added to the heimdal server (Samba4 is back on speaking terms with lorikeet heimdal now), from Luke Howard's post to samba-technical in Nov 2004. Now to test compatability with MS... Andrew Bartlett (This used to be commit d719a0093bfe37fc62f28c7c02f17f93eec16abf)
2007-10-10r6703: fix the buildStefan Metzmacher1-1/+1
metze (This used to be commit 333f9bdf585db3df455009667d94deae568be02a)
2007-10-10r6701: Updates to our server-side ticket verification code, we now use theAndrew Bartlett1-57/+44
client credentials code to read the secrets.ldb. Also clean up error handling, and ensure to always set the last_error_message stuff. Andrew Bartlett (This used to be commit 435d229e5d1da349f00d80a36b599ae70468e99d)
2007-10-10r6521: Include system/network.h to fix compiler warning.Tim Potter1-0/+1
(This used to be commit 45383f6cec3c380043be59f1e1c5bf82f3095abb)
2007-10-10r6359: Fix compiler warning with struct sockaddr. I'm sure I fixed this a fewTim Potter1-0/+1
weeks ago - weird. (This used to be commit 1738761d895461260dcba0dd81630cfa0ec43ae8)
2007-10-10r6113: Move GENSEC and the kerberos code out of libcli/auth, and intoAndrew Bartlett7-0/+2447
auth/gensec and auth/kerberos. This also pulls the kerberos configure code out of libads (which is otherwise dead), and into auth/kerberos/kerberos.m4 Andrew Bartlett (This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)