path: root/source4/auth/kerberos
| Age | Commit message | Author | Files | Lines |
|---|---|---|---|---|
| 2007-10-10 | r22961: use EVENT_FD_AUTOCLOSE and SOCKET_FLAG_NOCLOSE to fix up some hairy problems with order of socket closing in krb5 (This used to be commit 46a7d83c2b49798c6c5389c13ec2b9785c47b85b) | Andrew Tridgell | 1 | -1/+4 |
| 2007-10-10 | r22635: make it possible to not turn off dns canonicalization of hostnames with krb5:set_dns_canonicalize=yes needed for the drsuapi replication, but we should fix this with a kdc locator plugin ... metze (This used to be commit f0a12355bcfab47663e62f3d8ae820815210cdc5) | Stefan Metzmacher | 1 | -1/+2 |
| 2007-10-10 | r22602: s/HAVE_SOCKET_IPV6/HAVE_IPV6/ to match the define used by Heimdal. (This used to be commit 5ff665b6531fdb4c7e56c49b7f923546d93b384c) | Jelmer Vernooij | 1 | -1/+1 |
| 2007-10-10 | r22558: Move to a static list of enctypes to put into our keytab. In future, I'll allow this to be configured from the secrets.ldb, but it should fix some user issues. Andrew Bartlett (This used to be commit 0fd74ada220fb07d4ebe8c2d9b8ae50a387c2695) | Andrew Bartlett | 1 | -59/+40 |
| 2007-10-10 | r21175: Fix the kerberos keytab update code to handle deletes. Fix the join code to know that the ldb layer handles the keytab update. Andrew Bartlett (This used to be commit d3fbc089f4161ae71b21077d50130fdabd8b2d77) | Andrew Bartlett | 1 | -3/+2 |
| 2007-10-10 | r20988: Call out to Heimdal's krb5.conf processing to configure many aspects of KDC behaviour. This should allow PKINIT to be turned on and managed with reasonable sanity. This also means that the krb5.conf in the same directory as the smb.conf will always have priority in Samba4, which I think will be useful. Andrew Bartlett (This used to be commit a50bbde81b010bc5d06e3fc3417ade44627eb771) | Andrew Bartlett | 1 | -1/+28 |
| 2007-10-10 | r20639: Commit part 1 of 2. This patch updates our build system and glue to support a new snapshot of lorikeet-heimdal. We now produce a [SUBSYTEM] in the ans1_deps.pl script, and can depend on that in the heimdal_build/config.mk. This is much easier than listing every generated .o file individually. This required some small changes to the build system, due to the way the parent directory was handled for the output of scripts. I've also cleaned up et_deps.pl to handle cleaning up its generated files on clean. The PAC glue in Heimdal has changed significantly: we no longer have a custom hack in the KDC, instead we have the windc plugin interface. As such, pac-glue.c is much smaller. In the future, when I'm confident of the new code, we will also be able to 'downsize' auth/kerberos/kerberos_pac.c. (I'll include the updated copy of heimdal in the next checkin, to make it clearer what's changed in Samba4 itself). Andrew Bartlett (This used to be commit 75fddbbc0811010a28ca5bb597b573b3f10ef6d6) | Andrew Bartlett | 1 | -2/+0 |
| 2007-10-10 | r20275: we should check for the oid the caller gave us! metze (This used to be commit 4b9e196288f2deb3594db9ba2dd36d774e774574) | Stefan Metzmacher | 1 | -1/+1 |
| 2007-10-10 | r20274: add missing return statement and make it more explicit that we return a NULL DATA_BLOB metze (This used to be commit 7256481f08b5e860308e73c2b51926b55b1f4c43) | Stefan Metzmacher | 1 | -2/+3 |
| 2007-10-10 | r19677: Fix more dependencies. (This used to be commit 17c2557834aad8c85fb640054c942f99bbce1d94) | Jelmer Vernooij | 1 | -1/+1 |
| 2007-10-10 | r19664: fix compiler warnings... should _krb5_find_type_in_ad() also take a const? metze (This used to be commit addc31bd9309cb2b41cbb548c82c80de1cf96c4f) | Stefan Metzmacher | 2 | -19/+19 |
| 2007-10-10 | r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in favour of a more tasteful replacement. Remove kerberos_verify.c, as we don't need that code any more. Replace with code for using the new krb5_rd_req_ctx() borrowed from Heimdal's accecpt_sec_context.c Andrew Bartlett (This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50) | Andrew Bartlett | 3 | -103/+102 |
| 2007-10-10 | r19604: This is a massive commit, and I apologise in advance for its size. This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised its internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behaviour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471) | Andrew Bartlett | 4 | -23/+24 |
| 2007-10-10 | r19598: Ahead of a merge to current lorikeet-heimdal: Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9) | Andrew Bartlett | 5 | -17/+6 |
| 2007-10-10 | r19568: When we get back a skew error, try with no skew. This allows us to recover from inheriting an invalid skew from a ccache. Andrew Bartlett (This used to be commit 4881f0583dd42083bb2bc2eeca32316f890c4804) | Andrew Bartlett | 2 | -42/+50 |
| 2007-10-10 | r19523: Remove unused functions. Andrew Bartlett (This used to be commit 3a3c1040a97e1d7d64e9e151ea4e1af79dcb976e) | Andrew Bartlett | 1 | -152/+0 |
| 2007-10-10 | r17774: this macro is unused metze (This used to be commit 2f4aa95f8d414262eb4d78060ee3a97a85ec5182) | Stefan Metzmacher | 1 | -2/+0 |
| 2007-10-10 | r15988: try to fix the build on au2 IRIX 6.4 metze (This used to be commit 9e93e6f5fb654e4162bbc039306a4b79003e22d7) | Stefan Metzmacher | 1 | -1/+1 |
| 2007-10-10 | r15876: Fix build on IPv6-less systems. (This used to be commit 180925659fad50ff82693284587ae4e735458c6b) | Jelmer Vernooij | 1 | -0/+2 |
| 2007-10-10 | r15853: started the process of removing the warnings now that talloc_set_destructor() is type safe. The end result will be lots less use of void*, and less calls to talloc_get_type() (This used to be commit 6b4c085b862c0932b80b93e316396a53b993544c) | Andrew Tridgell | 2 | -12/+9 |
| 2007-10-10 | r15511: Using this name causes less warnings on the IBM checker, due to using the original, rather than equivalent, enum type. Andrew Bartlett (This used to be commit 3d43e458a828801a294e56a1aeb74a4d7cbf9f23) | Andrew Bartlett | 1 | -3/+5 |
| 2007-10-10 | r15501: Allow interactive password prompting on kerberos as well. Andrew Bartlett (This used to be commit 7003c3e8dee2d2bfc391875d90eb747616cb361a) | Andrew Bartlett | 1 | -0/+7 |
| 2007-10-10 | r15384: Improve naming of socket library, disable Requires(.private)? fields in pkg-config files for now as they break external projects. (This used to be commit f919fd6655f00361691e676d260bd40e0b8ddcc7) | Jelmer Vernooij | 1 | -1/+1 |
| 2007-10-10 | r15379: Fix shared library build's unresolved dependencies (This used to be commit 0fafa2e59566f8f892d7dfd7dd33d0100b96a780) | Jelmer Vernooij | 1 | -1/+1 |
| 2007-10-10 | r15373: Rename SOCKET to LIBSAMBA-SOCKET to prevent name clashes with -lsocket on SUN boxes. (This used to be commit c95ad11307dc89384c10bd5919817bf12d9c1ed9) | Jelmer Vernooij | 1 | -1/+1 |
| 2007-10-10 | r15366: Use type name rather than typedef directly - fixes build on tcc (This used to be commit 76c5f377204ad158b03641258a4645a9d487fee8) | Jelmer Vernooij | 1 | -1/+1 |
| 2007-10-10 | r15356: Remove unused 'flags' argument from socket_send() and friends. This is in preparation for making TLS a socket library. Andrew Bartlett (This used to be commit a312812b92f5ac7e6bd2c4af725dbbbc900d4452) | Andrew Bartlett | 1 | -4/+4 |
| 2007-10-10 | r15313: Fix some dependencies in dso mode (This used to be commit f0afe9e2ff16515df1b3226b479b19ea3e9c3d0c) | Jelmer Vernooij | 1 | -1/+1 |
| 2007-10-10 | r15298: Fix the build using a few hacks in the build system. Recursive dependencies are now forbidden (the build system will bail out if there are any). I've split up auth_sam.c into auth_sam.c and sam.c. Andrew, please rename sam.c / move its contents to whatever/wherever you think suits best. (This used to be commit 6646384aaf3e7fa2aa798c3e564b94b0617ec4d0) | Jelmer Vernooij | 1 | -0/+1 |
| 2007-10-10 | r15297: Move create_security_token() to samdb as it requires SAMDB (and the rest of LIBSECURITY doesn't) Make the ldb password_hash module only depend on some keys manipulation code, not full heimdal Some other dependency fixes (This used to be commit 5b3ab728edfc9cdd9eee16ad0fe6dfd4b5ced630) | Jelmer Vernooij | 2 | -2/+3 |
| 2007-10-10 | r15274: Drop default EXT_LIB_ prefix for external libraries. Fixes issues with local (empty) libpopt.a overriding global one (This used to be commit 2f06305e53478e5030c24550954f221a9a97c83f) | Jelmer Vernooij | 1 | -2/+2 |
| 2007-10-10 | r15258: Another attempt at fixing getaddrinfo on IRIX (This used to be commit 13d0cec018185d768b762ff3afc0224f307b8112) | Jelmer Vernooij | 1 | -0/+1 |
| 2007-10-10 | r15256: Use libroken's getaddrinfo if it is not provided by the system. Should get the build on IRIX a bit further. (This used to be commit 47d1baf0cf719dbb1113a79bba50d4075eb06411) | Jelmer Vernooij | 2 | -1/+2 |
| 2007-10-10 | r15207: Introduce PRIVATE_DEPENDENCIES and PUBLIC_DEPENDENCIES as replacement for REQUIRED_SUBSYSTEMS. (This used to be commit adc8a019b6da256f104abed1b82bfde6998a2ac9) | Jelmer Vernooij | 1 | -1/+1 |
| 2007-10-10 | r14380: Reduce the size of structs.h (This used to be commit 1a16a6f1dfa66499af43a6b88b3ea69a6a75f1fe) | Jelmer Vernooij | 1 | -0/+3 |
| 2007-10-10 | r14363: Remove credentials.h from the global includes. (This used to be commit 98c4c3051391c6f89df5d133665f51bef66b1563) | Jelmer Vernooij | 1 | -1/+1 |
| 2007-10-10 | r14306: fixed two break errors (This used to be commit 03da4fbcdd66982de8eb376f9f00da97d730c97f) | Andrew Tridgell | 1 | -2/+2 |
| 2007-10-10 | r14202: Oops. When removing a header, we need to replace it. Andrew Bartlett (This used to be commit d1ca106f05ad71b8aa514bf87a4267d61d9dcbf8) | Andrew Bartlett | 1 | -0/+1 |
| 2007-10-10 | r14201: I don't think including roken is going to be a good solution. Let's try and find the real solution. Andrew Bartlett (This used to be commit a512d5dd258797cdb41018923502cb4998f1edfe) | Andrew Bartlett | 1 | -2/+0 |
| 2007-10-10 | r14180: The PAC isn't so special that it deserves a level 0 debug any more. Andrew Bartlett (This used to be commit 2ab71ed51868da123131d8bdaa7c30ab61ae280f) | Andrew Bartlett | 1 | -1/+1 |
| 2007-10-10 | r13926: More header splitups. (This used to be commit 930daa9f416ecba1d75b8ad46bb42e336545672f) | Jelmer Vernooij | 2 | -0/+3 |
| 2007-10-10 | r13844: Remove _PUBLIC_ for now as the proto script seems to make false assumptions about the data type being known. (This used to be commit 991bec80e4f20c9fac9ab5c45b0fdf6d048cda66) | Jelmer Vernooij | 1 | -1/+1 |
| 2007-10-10 | r13842: Make some more functions public. (This used to be commit aac1b99b362993352d80692afa55c38fc851c016) | Jelmer Vernooij | 1 | -1/+1 |
| 2007-10-10 | r13481: As far as I can tell, my changes in -r 12863 were dangerously untested. We do need the gsskrb5_get_initiator_subkey() routine. But we should ensure that we do always get a valid key, to prevent any segfaults. Without this code, we get a different session key compared with Win2k3, and so kerberised smb signing fails. Andrew Bartlett (This used to be commit cfd0df16b74b0432670b33c7bf26316b741b1bde) | Andrew Bartlett | 1 | -0/+4 |
| 2007-10-10 | r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0) | Andrew Bartlett | 2 | -1/+5 |
| 2007-10-10 | r12899: - fix warnings on AIX - fix compilation of auth/kerberos/krb5_init_context.c on AIX metze (This used to be commit 0e1ad08a8515056f4ed0923889bef04d85b84964) | Stefan Metzmacher | 1 | -1/+2 |
| 2007-10-10 | r12863: As lha suggested to me a while back, it appears that the gsskrb5_get_initiator_subkey() routine is bogus. We can indeed use gss_krb5_get_subkey(). This is fortunate, as there was a segfault bug in 'initiator' version. Andrew Bartlett (This used to be commit ec11870ca1f9231dd3eeae792fc3268b31477e11) | Andrew Bartlett | 1 | -4/+0 |
| 2007-10-10 | r12808: Actually, with that we can avoid roken completely. Andrew Bartlett (This used to be commit 37f342b01095787d4a63a419c6ab3657680c2637) | Andrew Bartlett | 1 | -1/+0 |
| 2007-10-10 | r12807: I'm wondering if this might fix AIX on the build farm... Andrew Bartlett (This used to be commit 8f70d6270a788494dd07430f778ee90a51551e66) | Andrew Bartlett | 1 | -1/+1 |
| 2007-10-10 | r12804: This patch reworks the Samba4 sockets layer to use a socket_address structure that is more generic than just 'IP/port'. It now passes make test, and has been reviewed and updated by metze. (Thank you *very* much). This passes 'make test' as well as kerberos use (not currently in the testsuite). The original purpose of this patch was to have Samba able to pass a socket address structure from the BSD layer into the kerberos routines and back again. It also removes nbt_peer_addr, which was being used for a similar purpose. It is a large change, but worthwhile I feel. Andrew Bartlett (This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2) | Andrew Bartlett | 2 | -26/+7 |