Age | Commit message (Collapse) | Author | Files | Lines |
|
the other
ideas I have had.
When I get a full list of things I want to do to a krb5_context I'll
either add gsskrb5_ wrappers, or a way of speicfying the krb5 context
per gssapi context.
(I want to ensure that the only krb5_context variables created while
executing Samba4 are via our wrapper).
Andrew Bartlett
(This used to be commit 8a22d46e70e9f863831aba0c9913d195f833d625)
|
|
about the size of the signature. In particular, this works with AES,
which was previously broken Samba4/Samba4.
Reviewed by metze (and thanks for help with the previous IDL commit).
(This used to be commit 3c8be196cce3bf275a0bf8d0cf127df570b560d3)
|
|
Andrew Bartlett
(This used to be commit cdfcc093430c0a4ae2937dcbf29b8874e724ff29)
|
|
other than arcfour-hmac-md5. Currently we still fail to verify other
signatures however.
Andrew Bartlett
(This used to be commit 2e5884fc2472c6bcc7e6e083c28a4da6b2f72af1)
|
|
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
|
|
'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a
merge from lorikeet-heimdal, where I removed this)
This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred()
function, as this allows us to specify the target principal, regardless
of which alias the client may use.
This patch also tries to simplify some principal handling and fixes some
error cases.
Posted to samba-technical, reviewed by metze, and looked over by lha on IRC.
Andrew Bartlett
(This used to be commit 506a7b67aee949b102d8bf0d6ee9cd12def10d00)
|
|
(This used to be commit f36e657a416d7ec7146d84da88b28c2606ff838a)
|
|
StrCaseCmp was sys_strcasecmp, while it is in fact strcasecmp_m!
(This used to be commit 200a8f6652cb2de7a8037a7a4c2a204b50aee2b1)
|
|
Kerberos CCACHE into the system.
This again allows the use of the system ccache when no username is
specified, and brings more code in common between gensec_krb5 and
gensec_gssapi.
It also has a side-effect that may (or may not) be expected: If there
is a ccache, even if it is not used (perhaps the remote server didn't
want kerberos), it will change the default username.
Andrew Bartlett
(This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
|
|
tmp_ctx, then steal at the last moment, on success.
andrew Bartlett
(This used to be commit c7a44518ad9acaf5708169e07aa03eae52262773)
|
|
krb5_context.
Andrew Bartlett
(This used to be commit 47699019dbb7aa48e7acd6bf8364e40917db8410)
|
|
saga was
that the logon_time field in the pac must match the authtime field in the ticket we
gave the client in the AS-REP (and thus also the authtime field in the ticket we get
back in the TGS-REQ).
Many thanks to Andrew Bartlett for his patience in showing me the
basic ropes of all this code! This was a joint effort.
(This used to be commit 7bee374b3ffcdb0424a83f909fe5ad504ea3882e)
|
|
caused me pain (and covourty warnings).
Simply gensec_gssapi to assume the properties of lorikeet-heimdal,
rather than having #ifdef around critical features. This simplifies
the code rather a lot.
Andrew Bartlett
(This used to be commit 11156f556db678c3d325fe5ced5e41a76ed6a3f1)
|
|
- add a note about old client using the wrong checksum type for GSSAPI
in the Authenticator
metze
(This used to be commit 07e39bd94c3ce4d255e6cf6e68dc438bb5c9f9e6)
|
|
Andrew Bartlett
(This used to be commit fba7a0edd4ba29e595bb6ebd77381b383701482d)
|
|
If we ever get problems with the kerberos code, it should show up as a
different signature in this PAC.
This involved returning more data from the pac functions, so changed
some callers and split up some functions.
Andrew Bartlett
(This used to be commit d514a7491208afa0533bf9e99601147eb69e08c9)
|
|
failure on irix.
Andrew, if you planned on using this in the future then we can put it
back and work out how to make it portable
(This used to be commit eaa74913fedefbf33f7cfab6648bf05aa3cdbbb3)
|
|
now push/pull a sample PAC, and still have the same byte buffer.
(Metze set up the string code, and probably already has a similar
patch).
Unfortunetly win2k3 still doesn't like what we provide, but every step helps.
Also use data_blob_const() when we are just wrapping data for API
reasons.
Andrew Bartlett
(This used to be commit e7c8076fc1459ff2ccefdaf0b091d04ee6137957)
|
|
(I have included the krbtgt key from my test network).
It turns out the krbtgt signature is over the 16 (or whatever,
enc-type dependent) bytes of the signature, not the entire structure.
Also do not even try to use Kerberos or GSSAPI on an IP address, it
will only fail.
Andrew Bartlett
(This used to be commit 3b9558e82fdebb58f240d43f6a594d676eb04daf)
|
|
LOGON_INFO
LOGON_NAME
SRV_CHECKSUM
KDC_CHECKSUM
- w2k3 also don't use the groupmembership array with rids
it uses the othersids array
metze
(This used to be commit 2286fad27d749ebba14f5448f1f635bb36750c9c)
|
|
length too,
it's always 16 bytes smaller than the size in the PAC_BUFFER
we now dump the blob's on LOCAL-PAC with -d 10
metze
(This used to be commit 4ef721ce53539ac56ca8ac4d601f512149ca7283)
|
|
memory checks
- move to handmodified pull/push code for PAC_BUFFER
to get the _ndr_size field and the subcontext size right
- after looking closely to the sample w2k3 PAC in our torture test (and some more in my archive)
I found out that the first uint32 before the netr_SamInfo3 was also a pointer,
(and we passed a NULL pointer there before, so I think that was the reason why the windows clients doesn't want our PAC)
w2k3 uses this for unique pointers:
ptr = ndr->ptr_count * 4;
ptr |= 0x00020000;
ndr->ptr_count;
- do one more pull/push round with the sample PAC
metze
(This used to be commit 0eee17941595e9842a264bf89ac73ca66cea7ed5)
|
|
much closer.
This changes PIDL to allow a subcontext to have a pad8 flag, saying to
pad behind to an 8 byte boundary. This is the only way I can explain
the 4 trainling zeros in the signature struct.
Far more importantly, the PAC code is now under self-test, both in
creating/parsing our own PAC, but also a PAC from my win2k3 server.
This required changing auth_anonymous, because I wanted to reuse the
anonymous 'server_info' generation code.
I'm still having trouble with PIDL, particulary as surrounds value(),
but I'll follow up on the list.
Andrew Bartlett
(This used to be commit 50a54bf4e9bf04d2a8e0aebb3482a2ff655c8bbb)
|
|
checksum in the right place...
Andrew Bartlett
(This used to be commit 90d0f502da20add6784c883b2085cde519604933)
|
|
We now generate the PAC, and can verifiy both our own PAC and the PAC
from Win2k3.
This commit adds the PAC generation code, spits out the code to get
the information we need from the NETLOGON server back into a auth/
helper function, and adds a number of glue functions.
In the process of building the PAC generation code, some hints in the
Microsoft PAC specification shed light on other parts of the code, and
the updates to samr.idl and netlogon.idl come from those hints.
Also in this commit:
The Heimdal build package has been split up, so as to only link the
KDC with smbd, not the client utils.
To enable the PAC to be veified with gensec_krb5 (which isn't quite
dead yet), the keyblock has been passed back to the calling layer.
Andrew Bartlett
(This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
|
|
Andrew Bartlett
(This used to be commit a68e348375ab026385e7d5162ed8da8f2adbd84e)
|
|
and create the in-memory keytab with the correct kvno, if available.
Andrew Bartlett
(This used to be commit 7b7b2b038e25f3d767b5db7d6e41dd947fdde091)
|
|
Andrew Bartlett
(This used to be commit bba58a1876353effbef540dd0db9e66db5343c35)
|
|
the 'PAC', required for interopability with Active Directory.
This is still a cludge, as it doesn't handle different encryption
types, but that should be fairly easy to fix (needs PIDL/IDL changes).
Andrew Bartlett
(This used to be commit 690cfc44cef9b349cc31417d8353b6ce1c7832e1)
|
|
keys appear at the end of the PAC, which I feel is deliberate (it
makes this much easier).
I still can't make it work, but I'm sure we are closer.
Andrew Bartlett
(This used to be commit 6f0e1c80ae7b1e31e7a3fbff84f07442ee5a31cf)
|
|
'mock GSSAPI'.
Many thanks to Luke Howard for the work he has done on Heimdal for
XAD, to provide the right API hooks in GSSAPI.
Next step is to verify the signatures, and to build the PAC for the
KDC end.
Andrew Bartlett
(This used to be commit 2e82743c98e563e97c5a215d09efa0121854d0f7)
|
|
(This used to be commit 9ee3dbad6b0bc65f4f3ee64a52db765af8016738)
|
|
Andrew Bartlett
(This used to be commit 7d791d13bcd70288467bf3574d0394d34f973f18)
|
|
lifetime constraints, and works with the in-memory keytab.
Move initialize_krb5_error_table() into our kerberos startup code,
rather than in the GSSAPI code explitly. (Hmm, we probably don't need
this at all..)
Andrew Bartlett
(This used to be commit bedf92da5c81066405c87c9e588842d3ca5ba945)
|
|
support in Heimdal.
This removes the 'ext_keytab' step from my Samba4/WinXP client howto.
In doing this work, I realised that the replay cache in Heimdal is
currently a no-op, so I have removed the calls to it, and therefore
the mutex calls from passdb/secrets.c.
This patch also includes a replacement 'magic' mechanism detection,
that does not issue extra error messages from deep inside the GSSAPI
code.
Andrew Bartlett
(This used to be commit c19d5706f4fa760415b727b970bc99e7f1abd064)
|
|
Andrew Bartlett
(This used to be commit 898f72d19654c68ba68d36a099bf4dbed5d09fe9)
|
|
comment
(This used to be commit 3aa80b8e585a0acc57d4b7738dcccfba232948ca)
|
|
Andrew Bartlett
(This used to be commit 57ddedc954f49fd370225494758326fcbd0bb500)
|
|
as krb5_closelog() no longer leaks memory.
Andrew Bartlett
(This used to be commit b0bf8a4a5f04b65655f4005b27c80eb098039720)
|
|
- if you want kerberos now, you need to unpack a lorikeet heimdal
tree in source/heimdal/. If source/heimdal/ does not exist at
configure time then all kerberos features are disabled. You cannot
use an external kerberos library for now. That may change later.
- moved lib/replace/ config stuff to lib/replace/ and create a
lib/replace/replace.h. That allows the heimdal build to use our
portability layer, and prevenets duplicate definitions of functions
like strlcat()
- if you do enable heimdal, then you will need to do 'make
HEIMDAL_EXTERNAL' before you build Samba. That should be fixed once
I explain the problem to jelmer (the problem is the inability to
set a depend without also dragging in the object list of the
dependency. We need this for building the heimdal asn1 compiler and
et compiler.
- disabled all of the m4 checks for external kerberos libraries. I
left them in place in auth/kerberos/, but disabled it in
configure.in
some of the heimdal_build/ code is still very rough, for example I
don't correctly detect the correct awk, flex, bison replacements for
heimdal_build/build_external.sh. I expect to fix that stuff up over
the next few days.
(This used to be commit d4648249b2c7fc8b5e7c0fc8d8f92ae043b5691f)
|
|
log redirection code.
Andrew Bartlett
(This used to be commit 93335d587d9f48c46d9c3b91237f649693cf3003)
|
|
btw: I use this for configuring heimdal
>>>
CONFIG="CFLAGS=\"-g -O -Wall -Wstrict-prototypes -Wpointer-arith -Wcast-align -Wwrite-strings -Wdeclaration-after-statement\" \
CC=gcc-4.0 \
./configure -C --prefix=$HOME/prefix/heimdal-test \
--sysconfdir=/etc \
--enable-shared=no \
--with-ldb=$HOME/prefix/ldb \
--without-openldap \
--without-openssl $@"
echo $CONFIG
eval $CONFIG
>>>
maybe you also want to use --disable-berkeley-db
metze
(This used to be commit 2aec140e00770df78ba31ef91109634ce0aa3d8a)
|
|
Andrew Bartlett
(This used to be commit a8d3493b6f7a0c28465b00bbadf24e152422e4b5)
|
|
facility that I'm using. This should let us compile the non-KDC
components on MIT again.
Andrew Bartlett
(This used to be commit ae9c2d2b54a979ab8467c847b62dd2c2a0fa059f)
|
|
fill in the function pointers to handle the logging, and catch all the
kerberos warnings. (Currently at level 3).
To avoid a memory leak, this requries a new function: krb5_freelog(),
which I've added to lorikeet/heimdal.
This also required a revamp to how we handle the krb5_context, so as
to make it easier to handle with talloc destructors.
Andrew Bartlett
(This used to be commit 63272794c41231b335b73e7ccf349282f295c4d2)
|
|
With this fix, I can request tickets from our built-in KDC!
Andrew Bartlett
(This used to be commit d7cd76013bdf000831790b29b9d0b401151bf5c2)
|
|
Andrew Bartlett
(This used to be commit fdd964582a4b102978fbc29dbf71de52bd30a155)
|
|
Using current lorikeet/heimdal, and with the KDC module enabled (it is
disabled by default), I almost get the KDC to link.
(To enable the KDC for testing, comment out the only line in
smbd/config.m4, and add 'kdc' to the 'server services' line in
smb.conf).
(This used to be commit 26cd4b4f68a370390e08263067402c6c70e49ec8)
|
|
Heimdal.
Andrew Bartlett
(This used to be commit f2e926192595c74bd9cc8a3343e0fcf27a1de38b)
|
|
Andrew Bartlett
(This used to be commit dbd845998723987c75dc0e6a427330116dce0bf4)
|