path: root/source4/auth/kerberos
Age | Commit message | Author | Files | Lines
2012-04-12 | srv_keytab: Pass krb5_context directly, it's all we use anyways. | Simo Sorce | 1 | -16/+11
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 | auth-krb: Move pac related util functions in a single place. | Simo Sorce | 1 | -0/+1
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 | s4-auth-krb: Remove dependency on credentials too. | Simo Sorce | 2 | -11/+5
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 | s4-auth-krb: Remove unneeded dependency on kerberos_util. | Simo Sorce | 3 | -40/+54
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 | s4-auth-krb: Simplify salt_princ handling. | Simo Sorce | 4 | -287/+187
This allows us to make parse_principal static in kerberos_util again and avoid a silly game where we alloc containers and set destructors only to release the whole thing at the end of the function. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 | s4-auth-krb: Move function to db-glue.c and make it static. | Simo Sorce | 2 | -20/+0
kerberos_enctype_to_bitmap is not used anywhere else, so just move it there and make it static, one less dependency to worry about. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 | s4-auth-krb: Move keytab functions in a separate file. | Simo Sorce | 4 | -707/+749
Confine ldb dependency. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 | s4-auth-krb: Streamline and cleanup code to make it readable. | Simo Sorce | 1 | -190/+256
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 | s4-auth-krb: streamline and rename enctype functions | Simo Sorce | 1 | -11/+12
better express what is being done in the function name.
2012-04-12 | s4-auth-krb: Make kerberos_enctype_bitmap_to_enctype static. | Simo Sorce | 2 | -3/+1
It's a helper function not used anywhere else. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 | s4-auth-krb: Make kerberos_enctype_bitmap_to_enctypes static. | Simo Sorce | 1 | -1/+7
It is not used anywhere else. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 | s4-auth-krb: Move function into more appropriate header. | Simo Sorce | 1 | -0/+8
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 | s4-auth-krb: Make impersonate_principal_from_credentials static. | Simo Sorce | 1 | -0/+1
It's not used anywhere else. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 | krb5_wrap: remove duplicate declaration and dead ifdef | Simo Sorce | 1 | -4/+0
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-01-10 | krb5: Require krb5_set_real_time is available to build with krb5 | Andrew Bartlett | 1 | -4/+0
2012-01-09 | s4-kerberos: remove some unused prototypes. | Günther Deschner | 1 | -22/+0
These are defined in the krb5 abstraction headers elsewhere. Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Mon Jan 9 14:32:08 CET 2012 on sn-devel-104
2011-12-29 | s4-gensec: Move parsing of the PAC blob and creating the session_info into auth | Andrew Bartlett | 1 | -0/+1
This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a separation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
2011-12-28 | auth/kerberos: Move gssapi_parse.c to the top level | Andrew Bartlett | 2 | -123/+2
This will help with writing a gensec module for the s3 gse layer. Andrew Bartlett
2011-12-07 | auth: Allow a NULL principal to be obtained from the credentials | Andrew Bartlett | 1 | -2/+10
This is important when trying to let GSSAPI search the keytab. Andrew Bartlett
2011-11-29 | s4-samba-tool: Add --principal argument to samba-tool domain exportkeytab | Andrew Bartlett | 1 | -61/+134
This allows only a particular principal to be exported to the keytab. This is useful when setting up unix servers in a Samba controlled domain. Based on a request by Gémes Géza <geza@kzsdabas.hu> Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Nov 29 09:20:55 CET 2011 on sn-devel-104
2011-07-25 | s4:auth/kerberos: activate windows related krb5 flags | Stefan Metzmacher | 1 | -0/+10
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Mon Jul 25 09:45:01 CEST 2011 on sn-devel-104
2011-06-22 | s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs | Stefan Metzmacher | 1 | -1/+48
If the KDC does not support S4U2Proxy, it might return a ticket for the TGT client principal. metze
2011-06-22 | s4:auth/kerberos: add S4U2Proxy support to kerberos_kinit_password_cc() | Stefan Metzmacher | 3 | -5/+134
For S4U2Proxy we need to use the ticket from the S4U2Self stage and ask the kdc for the delegated ticket for the target service. metze
2011-06-22 | s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs | Stefan Metzmacher | 1 | -1/+47
Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets which belong to the client principal of the TGT. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104
2011-06-22 | s4:auth/kerberos: remove one indentation level in kerberos_kinit_password_cc() | Stefan Metzmacher | 1 | -94/+99
This will make the following changes easier to review. metze
2011-06-22 | s4:auth/kerberos: reformat kerberos_kinit_password_cc() | Stefan Metzmacher | 1 | -32/+41
In order to make the following changes easier to review. metze
2011-06-22 | s4:auth/kerberos: don't mix s4u2self creds with machine account creds | Stefan Metzmacher | 1 | -24/+76
It's important that we don't store the tgt for the machine account in the same krb5_ccache as the ticket for the impersonated principal. We may pass it to some krb5/gssapi functions and they may use them in the wrong way, which would grant machine account privileges to the client. metze
2011-06-22 | s4:auth/kerberos: use better variable names in kerberos_kinit_password_cc() | Stefan Metzmacher | 1 | -27/+41
This will make the following changes easier to review. metze
2011-06-22 | s4:auth/kerberos: don't ignore return code in kerberos_kinit_password_cc() | Stefan Metzmacher | 1 | -0/+2
metze
2011-06-21 | s4/auth: Trivial spelling fixes. | Brad Hards | 1 | -3/+3
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-06-20 | libcli/util Rename common map_nt_error_from_unix to avoid duplicate symbol | Andrew Bartlett | 1 | -2/+2
The two error tables need to be combined, but for now separate the names. (As the common parts of the tree now use the _common function, errmap_unix.c must be included in the s3 autoconf build). Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
2011-06-20 | libcli/util Bring samba4 unix -> nt_status code in common. | Andrew Bartlett | 1 | -1/+1
Due to library link orders, this is already the function that is being used. However we still need to sort out the duplicate symbol issues, probably by renaming things. Andrew Bartlett
2011-05-18 | s4:auth/credentials: pass 'self_service' to cli_credentials_set_impersonate_principal() | Stefan Metzmacher | 1 | -2/+6
This also adds a cli_credentials_get_self_service() helper function. In order to support S4U2Proxy we need to be able to set the service principal for the S4U2Self step independent of the target principal. metze
2011-04-29 | s4-param Remove config_path() -> lpcfg_config_path() | Andrew Bartlett | 1 | -1/+1
This is consistent with lock_path() Andrew Bartlett
2011-04-20 | libcli/auth Move PAC parsing and verification in common. | Andrew Bartlett | 2 | -334/+17
This uses the source3 PAC code (originally from Samba4) with some small changes to restore functionality needed by the torture tests, and to have a common API. Andrew Bartlett
2011-04-14 | s3-auth Rename smb_krb5_open_keytab to avoid a conflict with s3 | Andrew Bartlett | 1 | -7/+7
The s3 function doesn't use the keytab_container concept. Andrew Bartlett
2011-04-14 | libcli/auth Move krb5 wrapper functions from s3 into common | Andrew Bartlett | 3 | -113/+4
This requires a small rework of the build system to ensure that the correct #define statements are made in both the s3 and top level builds. We now define the various HAVE_ macros in config.h at all times, using heimdal_build/wscript_configure when that is in use. Andrew Bartlett
2011-04-06 | lib: make asn1_util a private library | Andrew Tridgell | 1 | -1/+1
this prevents symbol duplication of the asn1 symbols in the service and ntvfs subsystems Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-04-04 | s4-krb5: be a bit less verbose about krb5 packets | Andrew Tridgell | 1 | -1/+1
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-03-19 | source4/auth: Fix prototypes for all functions. | Jelmer Vernooij | 2 | -0/+10
2011-02-14 | librpc: make NDR_KRB5PAC a shared library (libndr-krb5pac.so). | Günther Deschner | 1 | -1/+1
Simo, please check. Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Mon Feb 14 18:54:38 CET 2011 on sn-devel-104
2011-02-10 | ldb: use #include <ldb.h> for ldb | Andrew Tridgell | 1 | -1/+1
this ensures we are using the header corresponding to the version of ldb we're linking against. Otherwise we could use the system ldb for link and the in-tree one for include Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-10 | s4-krb5: authkrb5 should depend on ldb | Andrew Tridgell | 1 | -1/+1
this fixes the include path to add ldb Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-09 | s4-auth Rework auth subsystem to remove struct auth_serversupplied_info | Andrew Bartlett | 2 | -50/+57
This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is maintained into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Bartlett
2011-01-01 | heimdal_build: Add missing dependencies when building with system heimdal. | Jelmer Vernooij | 1 | -1/+1
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sat Jan 1 04:46:35 CET 2011 on sn-devel-104
2010-12-04 | s4:auth/kerberos/kerberos_pac.c - fix another memory leak regarding the KRB principal | Matthias Dieter Wallnöfer | 1 | -1/+4
In addition fix a counter type Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sat Dec 4 15:14:46 CET 2010 on sn-devel-104
2010-11-14 | s4-auth: fixed infinite loop in krb5 auth | Andrew Tridgell | 1 | -1/+1
we were continually trying the first address returned, instead of moving to the next address Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Sun Nov 14 04:11:28 UTC 2010 on sn-devel-104
2010-11-14 | s4-auth: fixed crash in krb5 auth | Andrew Tridgell | 1 | -2/+1
remote_addr was used after free
2010-11-05 | s4-kerberos Mention the remote address we fail to contact the KDC on | Andrew Bartlett | 1 | -1/+10
2010-11-04 | s4-auth: unconditionally set previous_ev | Andrew Tridgell | 1 | -3/+1
we need the caller to know when the previous_ev was NULL Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>