Age | Commit message (Collapse) | Author | Files | Lines |
|
We now put the PAC in the AS-REP, so that the client has it in the
TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the
client wants a ticket.
This should also allow us to interop with windows KDCs.
If we get an invalid PAC at the TGS stage, we just drop it.
I'm slowly trying to move the application logic out of hdb-ldb.c, and
back in with the rest of Samba's auth system, for consistancy. This
continues that trend.
Andrew Bartlett
(This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
|
|
Andrew Bartlett
(This used to be commit 890ad0412b9ee285fa25e8bab785a960a201057e)
|
|
KDC).
Andrew Bartlett
(This used to be commit 1643ad169cff56f20ba03644dec12124139ac44a)
|
|
kdc/hdb-ldb.c to share the routines used for auth/
This will require keeping the attribute list in sync, but I think it
is worth it for the next steps (sharing the server_info generation).
Andrew Bartlett
(This used to be commit da38bcefa752a508abd28e8ff6277b493d24c2dd)
|
|
to ldb, based on the sessionInfo we now pass around.
Andrew Bartlett
(This used to be commit 84e16e4ea7240409f15efd9f64344f9e0cec8111)
|
|
determining a mechanism to use.
Currently it doesn't to fallbacks like SPNEGO does, but this could be
added (to GENSEC, not to here).
This also adds a new function to GENSEC, which returns a list of SASL
names in our preference order (currently determined by the build
system of all things...).
Also make the similar function used for OIDs in SPNEGO do the same.
This is all a very long-winded way of moving from a hard-coded NTLM to
GSS-SPNEGO in our SASL client...
Andrew Bartlett
(This used to be commit 130eb9bb9a37957614c87e0e6846a812abb51e00)
|
|
(This used to be commit ce611eb5f31bc63fc23700e7a2c47e68b8f826aa)
|
|
(This used to be commit b2372cad367a29d7dca596dace703a349b381a09)
|
|
delegate by default.
Andrew Bartlett
(This used to be commit 49d489c81d5b5c86e032ed6edfda4590d1d1f2be)
|
|
DCE_STYLE modified version, and add parametric options to control
delegation.
It turns out the only remaining issue is sending delegated credentials
to a windows server, probably due to the bug lha mentions in his blog
(using the wrong key).
If I turn delgation on in smbclient, but off in smbd, I can proxy a
cifs session.
I can't wait till Heimdal 0.8, so I'll see if I can figure out the fix
myself :-)
Andrew Bartlett
(This used to be commit fd5fd03570c13f5644e53ff89ac8eca7c0985740)
|
|
of the gsskrb5_acquire_cred hack.
Add support for delegated credentials into the auth and credentials
subsystem, and specifically into gensec_gssapi.
Add the CIFS NTVFS handler as a consumer of delegated credentials,
when no user/domain/password is specified.
Andrew Bartlett
(This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448)
|
|
via winbindd in Samba4.
Andrew Bartlett
(This used to be commit e63be25d0b6edbb17f0747663b0570145a4d55fb)
|
|
(thanks metze).
Andrew Bartlett
(This used to be commit 848831a1559d6569359bd6fb4993ccbef6ad86d8)
|
|
Andrew Bartlett
(This used to be commit 7e3c22f57be215b483ae15de4f754ed4188b5379)
|
|
authentication for user@realm logins and machine account logins.
This should avoid various protocol downgrade attacks.
Andrew Bartlett
(This used to be commit 76c2d204d0a1ec66d1ef3c935688c7571b051f46)
|
|
metze
(This used to be commit a29a107d95b67248ccd6036084829b080c892e40)
|
|
Andrew Bartlett
(This used to be commit e82fbb58ddaa3d38615d9a2d5e804f614edb2ff3)
|
|
Andrew Bartlett
(This used to be commit da24074860cb7029ef0ff45105170642174f45c1)
|
|
passwords.
Andrew Bartlett
(This used to be commit cb0b3c00572958f5ac8413cc651f627ca1871295)
|
|
Make MODULE handling a bit more like BINARY, LIBRARY and SUBSYSTEM
Add some more PUBLIC_HEADERS
(This used to be commit 875eb8f4cc658e6aebab070029fd499a726ad520)
|
|
- Adds -rpath bin/ so you don't have to install Samba in order to use compiled binaries.
- Writes out pkg-config files when building shared libs
- Supports automatic fallback to MERGEDOBJ (which is the default) or
OBJ_LIST (if ld -r is not supported)
Building with shared libs reduces the size of the Samba binaries from
197 Mb to 60 Mb (including libraries) on my system (GCC4, with debugging).
To build with shared libraries support enabled, run:
LIBRARY_OUTPUT_TYPE=SHARED_LIBRARY ./config.status
init functions don't get called correctly yet when using shared libs, so
you won't be able to actually run anything with success :-)
Once init functions are done, I'll look at support for loading shared
modules once again.
Based on a patch by Peter Novodvorsky (nidd on IRC).
(This used to be commit 0b54405685674a2b19a28d77aae5b1136b5a4728)
|
|
This avoids the nasty user@DOMAIN test for now, as it has very odd
semantics with NTLMv2.
Allow only user accounts to do an interactive login.
Andrew Bartlett
(This used to be commit 690cad8083e176b2e58fc243a11a003a78ce4074)
|
|
logins and NTLM machine account logins.
Andrew Bartlett
(This used to be commit 421e64c2b4192bb13d2857d6c8648ff687ed653e)
|
|
Andrew Bartlett
(This used to be commit 82527491b2212d34b676be1e26cc875ae2828e42)
|
|
(Make it easy to see what was put into the keytab, so we can tell when
gssapi screams that it can't pull it out).
Andrew Bartlett
(This used to be commit c56142c4ac7541fc30bdf4c77e34f5a50d80da76)
|
|
Andrew Bartlett
(This used to be commit eed8f4a03168a72910c829e490937c696c00b697)
|
|
Andrew Bartlett
(This used to be commit 89623af30f25150da42a17f825e202b2ae9f7898)
|
|
(We now ask the kerberos libraries to handle getting and unwapping the PAC).
Andrew Bartlett
(This used to be commit 6a0beb29da2aaa4d432cf9643924db3c2e77a858)
|
|
than doing ASN.1 parsing in Samba.
Also use the API function for getting a client from a ticket, rather
than just digging in the structure.
Andrew Bartlett
(This used to be commit 25d5ea6d724bd2b64a6086ae6e2e1c5148b8ca4a)
|
|
(This used to be commit 204185576c6a4df5e43e5a97cb13227407c09e6e)
|
|
itself in the auth_sam module.
Andrew Bartlett
(This used to be commit 0800942dbb1511586a896c6376c436a4552c54be)
|
|
Support installing libraries.
Get rid of pkg-config file (will be autogenerated later on).
(This used to be commit b4745032a2c55752c527026feb221ccc3dce10c8)
|
|
Andrew Bartlett
(This used to be commit ecacef213b28adb84d3ffb5b76bf1b079e25426c)
|
|
metze
(This used to be commit 716e6b0c883836e50400413cccbeb6fab5cb5744)
|
|
Andrew Bartlett
(This used to be commit bc6f6f9381b1038273f87feb35484dc61dd8bd8e)
|
|
we can round-trip all the way back to a server_info structure, not
just a filled in PAC_DATA. (I was worried about generated fields being
incorrect, or some other logical flaw).
Andrew Bartlett
(This used to be commit 11b1d78cc550c60201d12f8778ca8533712a5b1e)
|
|
I'm sure this will not be the final resting place, but it will do for
now.
Use the cracknames code in auth/ for creating a server_info given a
principal name only (should avoid assumtions about spliting a
user@realm principal).
Andrew Bartlett
(This used to be commit c9d5d8e45dd7b7c99b6cf35b087bc18012f31222)
|
|
(This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba)
|
|
Add the kpasswd server to our KDC, implementing the 'original' and
Microsoft versions of the protocol.
This works with the Heimdal kpasswd client, but not with MIT, I think
due to ordering issues. It may not be worth the pain to have this
code go via GENSEC, as it is very, very tied to krb5.
This gets us one step closer to joins from Apple, Samba3 and other
similar implementations.
Andrew Bartlett
(This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
|
|
Andrew Bartlett
(This used to be commit 4d9667f5a037eb15f6f0e4329314a37f148e9db7)
|
|
credentials. This works with the setup/secrets.ldif change from the
previous patch, and pretty much just re-invents the keytab.
Needed for kpasswdd work.
Andrew Bartlett
(This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5)
|
|
reasonable value to fill in for the mechListMIC.
Andrew Bartlett
(This used to be commit 51d78de2b79f4ab75c86c3255c23a478c6822a0e)
|
|
and remove now duplicated unwrap_pac().
Andrew Bartlett
(This used to be commit 90642d54e02e09edc96b9498e66befda20dbb68d)
|
|
to make some this the kerberos library's problem, we may as well use
the best code that is around.
Andrew Bartlett
(This used to be commit a7fe3078a65f958499779f381731b408f3e6fb1f)
|
|
I'm also worried this might cause loops, if we get a 'force password
change', and the prompter tries to 'deal with it'.
Andrew Bartlett
(This used to be commit 5bc10c4e472b45c5b5b0ea0c3dd100be6f4dabca)
|
|
http://lists.samba.org/archive/samba-technical/2005-October/043443.html)
(This used to be commit 7fffc5c9178158249be632ac0ca179c13bd1f98f)
|
|
main gensec_krb5_start and always ask for sequence numbers.
Andrew Bartlett
(This used to be commit 801cd6c6ffa96ac79eb425adf7c97eb2cfcbed4a)
|
|
Andrew Bartlett
(This used to be commit ee9a93688d31d8da91b81e9b0f6fac3fa4894c13)
|
|
secureChannelType (non machine join records).
Andrew Bartlett
(This used to be commit 3dddf497ccf246af435e6e2802d8f3745f2e4fd3)
|
|
authentication. This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
(This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
|