summaryrefslogtreecommitdiff
path: root/source4/auth/kerberos
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r15258: Another attempt at fixing getaddrinfo on IRIXJelmer Vernooij1-0/+1
(This used to be commit 13d0cec018185d768b762ff3afc0224f307b8112)
2007-10-10r15256: Use libroken's getaddrinfo if it is not provided by the system. ShouldJelmer Vernooij2-1/+2
get the build on IRIX a bit further. (This used to be commit 47d1baf0cf719dbb1113a79bba50d4075eb06411)
2007-10-10r15207: Introduce PRIVATE_DEPENDENCIES and PUBLIC_DEPENDENCIES as replacementJelmer Vernooij1-1/+1
for REQUIRED_SUBSYSTEMS. (This used to be commit adc8a019b6da256f104abed1b82bfde6998a2ac9)
2007-10-10r14380: Reduce the size of structs.hJelmer Vernooij1-0/+3
(This used to be commit 1a16a6f1dfa66499af43a6b88b3ea69a6a75f1fe)
2007-10-10r14363: Remove credentials.h from the global includes.Jelmer Vernooij1-1/+1
(This used to be commit 98c4c3051391c6f89df5d133665f51bef66b1563)
2007-10-10r14306: fixed two break errorsAndrew Tridgell1-2/+2
(This used to be commit 03da4fbcdd66982de8eb376f9f00da97d730c97f)
2007-10-10r14202: Oops. When removing a header, we need to replace it.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit d1ca106f05ad71b8aa514bf87a4267d61d9dcbf8)
2007-10-10r14201: I don't think including roken is going to be a good solution. Let'sAndrew Bartlett1-2/+0
try and find the real solution. Andrew Bartlett (This used to be commit a512d5dd258797cdb41018923502cb4998f1edfe)
2007-10-10r14180: The PAC isn't so special that it deserves a level 0 debug any more.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 2ab71ed51868da123131d8bdaa7c30ab61ae280f)
2007-10-10r13926: More header splitups.Jelmer Vernooij2-0/+3
(This used to be commit 930daa9f416ecba1d75b8ad46bb42e336545672f)
2007-10-10r13844: Remove _PUBLIC_ for now as the proto script seems to make false ↵Jelmer Vernooij1-1/+1
assumptions about the data type being known. (This used to be commit 991bec80e4f20c9fac9ab5c45b0fdf6d048cda66)
2007-10-10r13842: Make some more functions public.Jelmer Vernooij1-1/+1
(This used to be commit aac1b99b362993352d80692afa55c38fc851c016)
2007-10-10r13481: As far as I can tell, my changes in -r 12863 were dangerously untested.Andrew Bartlett1-0/+4
We do need the gsskrb5_get_initiator_subkey() routine. But we should ensure that we do always get a valid key, to prevent any segfaults. Without this code, we get a different session key compared with Win2k3, and so kerberised smb signing fails. Andrew Bartlett (This used to be commit cfd0df16b74b0432670b33c7bf26316b741b1bde)
2007-10-10r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in ourAndrew Bartlett2-1/+5
case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
2007-10-10r12899: - fix warnings on AIXStefan Metzmacher1-1/+2
- fix compilation of auth/kerberos/krb5_init_context.c on AIX metze (This used to be commit 0e1ad08a8515056f4ed0923889bef04d85b84964)
2007-10-10r12863: As lha suggested to me a while back, it appears that theAndrew Bartlett1-4/+0
gsskrb5_get_initiator_subkey() routine is bougs. We can indeed use gss_krb5_get_subkey(). This is fortunate, as there was a segfault bug in 'initiator' version. Andrew Bartlett (This used to be commit ec11870ca1f9231dd3eeae792fc3268b31477e11)
2007-10-10r12808: Actually, with that we can avoid roken compleatly.Andrew Bartlett1-1/+0
Andrew Bartlett (This used to be commit 37f342b01095787d4a63a419c6ab3657680c2637)
2007-10-10r12807: I'm wondering if this might fix AIX on the build farm...Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 8f70d6270a788494dd07430f778ee90a51551e66)
2007-10-10r12804: This patch reworks the Samba4 sockets layer to use a socket_addressAndrew Bartlett2-26/+7
structure that is more generic than just 'IP/port'. It now passes make test, and has been reviewed and updated by metze. (Thankyou *very* much). This passes 'make test' as well as kerberos use (not currently in the testsuite). The original purpose of this patch was to have Samba able to pass a socket address stucture from the BSD layer into the kerberos routines and back again. It also removes nbt_peer_addr, which was being used for a similar purpose. It is a large change, but worthwhile I feel. Andrew Bartlett (This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
2007-10-10r12694: Move some headers to the directory of the subsystem they belong to.Jelmer Vernooij1-1/+1
(This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3)
2007-10-10r12670: Make a couple of dependencies stricterJelmer Vernooij1-1/+1
Re-introduce and use the OUTPUT_TYPE property for MODULEs to force specific modules to always be included (This used to be commit f9eede3d40098eddc3618ee48f9253cdddb94a6f)
2007-10-10r12594: Jelmer pushed some proposed header reductions to the list today. ThisAndrew Bartlett6-22/+2
commits some of these that I know to be correct in the kerberos area. Andrew Bartlett (This used to be commit 6787b3737c27f5136152b007b0ee2ae314efac3c)
2007-10-10r12498: Eliminate INIT_OBJ_FILES and ADD_OBJ_FILES. We were not usingJelmer Vernooij1-8/+7
the difference between these at all, and in the future the fact that INIT_OBJ_FILES include smb_build.h will be sufficient to have recompiles at the right time. (This used to be commit b24f2583edee38abafa58578d8b5c4b43e517def)
2007-10-10r12422: Some kerberos comments and clarifications.Andrew Bartlett2-11/+22
Andrew Bartlett (This used to be commit 31046cd22b45de6c62c9f122a81cfc898e818308)
2007-10-10r12411: Add 'net samdump keytab <keytab>'.Andrew Bartlett1-22/+36
This extracts a remote windows domain into a keytab, suitable for use in ethereal for kerberos decryption. For the moment, like net samdump and net samsync, the 'password server' smb.conf option must be set to the binding string for the server. eg: password server = ncacn_np:mypdc Andrew Bartlett (This used to be commit 272013438f53bb168f74e09eb70fc96112b84772)
2007-10-10r12064: pass back the socket level error correctly (so we getAndrew Tridgell1-7/+2
NT_STATUS_CONNECTION_REFUSED when a KDC is not listening) (This used to be commit 0f85fc204c6018f8403c2e8f75f683aed38ba83b)
2007-10-10r12063: fixed the krb5 client code to handle ICMP port unreachable errors, andAndrew Tridgell1-17/+21
error out immediatelly. This prevents a long timeout (This used to be commit f6c0fccc06060582ef870a0ac590dabeec2f2e6a)
2007-10-10r12059: Use random keytab names (so we get different keytabs, rather thanAndrew Bartlett1-1/+15
share the MEMORY: keytab). Andrew Bartlett (This used to be commit 6c43de27086d3c463891598eb55a44877194cb0d)
2007-10-10r12056: Some clarification fixes for the keytab code, and use the rightAndrew Bartlett1-14/+15
function for enctype to string. Andrew Bartlett (This used to be commit ae6c968cb27f451e5f8cea62be7f33b4b4716f82)
2007-10-10r11994: This function no longer needs a special declaration.Andrew Bartlett1-4/+0
Andrew Bartlett (This used to be commit 88a7b7805c11cb3a1be3222d3e4b0b3ad8aff2aa)
2007-10-10r11993: As well as making an in-MEMORY keytab, allow a file-based keytab to ↵Andrew Bartlett1-98/+321
be updated. This allows a new password to be written in, and old entries removed (we keep kvno and kvno-1). Clean up the code a lot, and add comments on what it is doing... Andrew Bartlett (This used to be commit 0a911baabad60a43741269d29a96fdd74e54331a)
2007-10-10r11940: Love has clarified why this code does what it does.Andrew Bartlett1-8/+0
Andrew Bartlett (This used to be commit 9b3dedbc0bb12897a8f9bd4ec864de26b3835981)
2007-10-10r11928: More Kerberos musings...Andrew Bartlett1-20/+64
Andrew Bartlett (This used to be commit 571f9c9c51b93946d23f2b35ef76ac881994b8cc)
2007-10-10r11601: try to fix the build on IRIX 6.5 us4Stefan Metzmacher1-0/+3
abartlet, tridge, lha: is there a better way? metze (This used to be commit b2b4969bdcdd85b1093d91184ff10eff9f74e550)
2007-10-10r11543: A major upgrade to our KDC and PAC handling.Andrew Bartlett2-8/+30
We now put the PAC in the AS-REP, so that the client has it in the TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the client wants a ticket. This should also allow us to interop with windows KDCs. If we get an invalid PAC at the TGS stage, we just drop it. I'm slowly trying to move the application logic out of hdb-ldb.c, and back in with the rest of Samba's auth system, for consistancy. This continues that trend. Andrew Bartlett (This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
2007-10-10r11538: More notes on things we need.Andrew Bartlett1-0/+3
Andrew Bartlett (This used to be commit 890ad0412b9ee285fa25e8bab785a960a201057e)
2007-10-10r11452: Update Heimdal to current lorikeet, including removing the ccache sideAndrew Bartlett1-0/+10
of the gsskrb5_acquire_cred hack. Add support for delegated credentials into the auth and credentials subsystem, and specifically into gensec_gssapi. Add the CIFS NTVFS handler as a consumer of delegated credentials, when no user/domain/password is specified. Andrew Bartlett (This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448)
2007-10-10r11400: fix compiler warningsStefan Metzmacher1-5/+5
metze (This used to be commit a29a107d95b67248ccd6036084829b080c892e40)
2007-10-10r11350: Add some debugs to assist tracking down kerberos issues in future.Andrew Bartlett1-2/+26
(Make it easy to see what was put into the keytab, so we can tell when gssapi screams that it can't pull it out). Andrew Bartlett (This used to be commit c56142c4ac7541fc30bdf4c77e34f5a50d80da76)
2007-10-10r11325: Fix up some kerberos notes.Andrew Bartlett1-15/+14
Andrew Bartlett (This used to be commit 89623af30f25150da42a17f825e202b2ae9f7898)
2007-10-10r11315: Sorry gd, I just removed all of your code that I just merged...Andrew Bartlett1-2/+0
(We now ask the kerberos libraries to handle getting and unwapping the PAC). Andrew Bartlett (This used to be commit 6a0beb29da2aaa4d432cf9643924db3c2e77a858)
2007-10-10r11314: Use a patch from lha to have the kerberos libs extract the PAC, ratherAndrew Bartlett2-120/+6
than doing ASN.1 parsing in Samba. Also use the API function for getting a client from a ticket, rather than just digging in the structure. Andrew Bartlett (This used to be commit 25d5ea6d724bd2b64a6086ae6e2e1c5148b8ca4a)
2007-10-10r11272: In trying to track down why Win2k3 is again rejecting our PAC, ensureAndrew Bartlett1-2/+0
we can round-trip all the way back to a server_info structure, not just a filled in PAC_DATA. (I was worried about generated fields being incorrect, or some other logical flaw). Andrew Bartlett (This used to be commit 11b1d78cc550c60201d12f8778ca8533712a5b1e)
2007-10-10r11244: Relative path names in .mk filesJelmer Vernooij1-7/+7
(This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba)
2007-10-10r11220: Add the ability to handle the salt prinicpal as part of theAndrew Bartlett1-25/+31
credentials. This works with the setup/secrets.ldif change from the previous patch, and pretty much just re-invents the keytab. Needed for kpasswdd work. Andrew Bartlett (This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5)
2007-10-10r11218: Always return the mutual authentication reply (needed for kpasswd),Andrew Bartlett1-45/+12
and remove now duplicated unwrap_pac(). Andrew Bartlett (This used to be commit 90642d54e02e09edc96b9498e66befda20dbb68d)
2007-10-10r11216: Upgrade to gd's PAC extraction code from Samba3. While I still wantAndrew Bartlett2-16/+101
to make some this the kerberos library's problem, we may as well use the best code that is around. Andrew Bartlett (This used to be commit a7fe3078a65f958499779f381731b408f3e6fb1f)
2007-10-10r11215: Remove no-op prompter intended to work around bugs in old kerberos libs.Andrew Bartlett1-27/+1
I'm also worried this might cause loops, if we get a 'force password change', and the prompter tries to 'deal with it'. Andrew Bartlett (This used to be commit 5bc10c4e472b45c5b5b0ea0c3dd100be6f4dabca)
2007-10-10r11214: Remove scons files (see ↵Jelmer Vernooij1-0/+0
http://lists.samba.org/archive/samba-technical/2005-October/043443.html) (This used to be commit 7fffc5c9178158249be632ac0ca179c13bd1f98f)
2007-10-10r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5Andrew Bartlett3-240/+109
authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)