Age | Commit message (Collapse) | Author | Files | Lines |
|
This uses a single callback to handle the PAC from the DATA_BLOB
format until it becomes a struct auth_session_info.
This allows a seperation between the GSS acceptor code and the PAC
interpretation code based on the supplied auth context.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
|
|
This will help with writing a gensec module for the s3 gse layer.
Andrew Bartlett
|
|
This is important when trying to let GSSAPI search the keytab.
Andrew Bartlett
|
|
This allows only a particular principal to be exported to the keytab.
This is useful when setting up unix servers in a Samba controlled
domain.
Based on a request by Gémes Géza <geza@kzsdabas.hu>
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Nov 29 09:20:55 CET 2011 on sn-devel-104
|
|
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Jul 25 09:45:01 CEST 2011 on sn-devel-104
|
|
If the KDC does not support S4U2Proxy, it might return a ticket
for the TGT client principal.
metze
|
|
For S4U2Proxy we need to use the ticket from the S4U2Self stage
and ask the kdc for the delegated ticket for the target service.
metze
|
|
Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets
which belongs to the client principal of the TGT.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104
|
|
This will make the following changes easier to review.
metze
|
|
In order to make the following changes easier to review.
metze
|
|
It's important that we don't store the tgt for the machine account
in the same krb5_ccache as the ticket for the impersonated principal.
We may pass it to some krb5/gssapi functions and they may use them
in the wrong way, which would grant machine account privileges to
the client.
metze
|
|
This will make the following changes easier to review.
metze
|
|
metze
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
The two error tables need to be combined, but for now seperate the names.
(As the common parts of the tree now use the _common function,
errmap_unix.c must be included in the s3 autoconf build).
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
|
|
Due to library link orders, this is already the function that is being
used. However we still need to sort out the duplicate symbol issues,
probably by renaming things.
Andrew Bartlett
|
|
cli_credentials_set_impersonate_principal()
This also adds a cli_credentials_get_self_service() helper function.
In order to support S4U2Proxy we need to be able to set
the service principal for the S4U2Self step independent of the
target principal.
metze
|
|
This is consistent with lock_path()
Andrew Bartlett
|
|
This uses the source3 PAC code (originally from Samba4) with some
small changes to restore functionality needed by the torture tests,
and to have a common API.
Andrew Bartlett
|
|
The s3 function doesn't use the keytab_container concept.
Andrew Bartlett
|
|
This requires a small rework of the build system to ensure that the
correct #define statements are made in both the s3 and top level
builds. We now define the various HAVE_ macros in config.h at all
times, using heimdal_build/wscript_configure when that is in use.
Andrew Bartlett
|
|
this prevents symbol duplication of the asn1 symbols in the service
and ntvfs subsystems
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
Simo, please check.
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Feb 14 18:54:38 CET 2011 on sn-devel-104
|
|
thi ensures we are using the header corresponding to the version of
ldb we're linking against. Otherwise we could use the system ldb for
link and the in-tree one for include
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this fixes the include path to add ldb
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc. This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.
The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.
Andrew Barltett
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Jan 1 04:46:35 CET 2011 on sn-devel-104
|
|
principal
In addition fix a counter type
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Dec 4 15:14:46 CET 2010 on sn-devel-104
|
|
we were continually trying the first address returned, instead of
moving to the next address
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Nov 14 04:11:28 UTC 2010 on sn-devel-104
|
|
remote_addr was used after free
|
|
|
|
we need the caller to know when the previous_ev was NULL
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
The new waf-based build system now has all the same functionality, and
the old build system has been broken for quite some time.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
|
|
this fixes some double linking. The name 'KERBEROS' was also a bit
confusing, as it sounded like a base kerberos library, when it is in
fact part of auth
|
|
|
|
By setting the event context to use for this operation (only) onto
the krb5_context just before we call that operation, we can try
and emulate the specification of an event context to the actual send_to_kdc()
This eliminates the specification of an event context to many other
cli_credentials calls, and the last use of event_context_find()
Special care is taken to restore the event context in the event of
nesting in the send_to_kdc function.
Andrew Bartlett
|
|
|
|
|
|
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Oct 11 00:34:56 UTC 2010 on sn-devel-104
|
|
|
|
|
|
Instead, store the same key value under the multiple alias names.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Oct 2 00:16:52 UTC 2010 on sn-devel-104
|
|
Previously, our PAC code didn't include these groups into the
server_info from which we would eventually calculate the full
list of tokenGroups.
Andrew Bartlett
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sun Sep 26 03:29:34 UTC 2010 on sn-devel-104
|
|
This creates keytab entries with all the servicePrincipalNames listed
in the secrets.ldb entry.
Andrew Bartlett
|
|
This code never really belonged in the credentials layer, and
is easier done with direct access to the ldb_message that is
in secrets.ldb.
Andrew Bartlett
|