summaryrefslogtreecommitdiff
path: root/source4/heimdal/kdc/kerberos5.c
AgeCommit message (Collapse)AuthorFilesLines
2011-07-26s4:heimdal: import lorikeet-heimdal-201107241840 (commit ↵Stefan Metzmacher1-1/+1
0fdf11fa3cdb47df9f5393ebf36d9f5742243036)
2011-07-15s4:heimdal: import lorikeet-heimdal-201107150856 (commit ↵Stefan Metzmacher1-98/+138
48936803fae4a2fb362c79365d31f420c917b85b)
2011-02-17heimdal Pass F_CANON down to the hdb layer for servers in AS-REP as wellAndrew Bartlett1-2/+1
This fixes Win2003 domain logons against Samba4, which need a canonicalised reply, and helpfully do set that flag. Specifically, they need that realm in krbtgt/realm@realm that these both match exactly in the reply. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Feb 17 06:40:53 CET 2011 on sn-devel-104
2010-11-12heimdal Return HDB_ERR_NOT_FOUND_HERE to the callerAndrew Bartlett1-3/+9
This means that no reply packet should be generated, but that instead the user of the libkdc API should forward the packet to a real KDC, that has a full database. Andrew Bartlett
2010-10-03s4:heimdal: import lorikeet-heimdal-201010022046 (commit ↵Andrew Bartlett1-2/+2
1bea031b9404b14114b0272ecbe56e60c567af5c)
2010-10-03s4:heimdal: import lorikeet-heimdal-201009250123 (commit ↵Matthieu Patou1-1/+1
42cabfb5b683dbcb97d583c397b897507689e382) I based this on Matthieu's import of lorikeet-heimdal, and then updated it to this commit. Andrew Bartlett
2010-09-29heimdal Add support for extracting a particular KVNO from the databaseAndrew Bartlett1-2/+3
This should allow master key rollover. (but the real reason is to allow multiple krbtgt accounts, as used by Active Directory to implement RODC support) Andrew Bartlett
2010-03-27s4:heimdal: import lorikeet-heimdal-201003262338 (commit ↵Andrew Bartlett1-2/+6
f4e0dc17709829235f057e0e100d34802d3929ff)
2010-03-27s4:heimdal: import lorikeet-heimdal-201001120029 (commit ↵Andrew Bartlett1-89/+79
a5e675fed7c5db8a7370b77ed0bfa724196aa84d)
2009-11-13s4:heimdal: import lorikeet-heimdal-200911122202 (commit ↵Andrew Bartlett1-23/+34
9291fd2d101f3eecec550178634faa94ead3e9a1)
2009-11-13s4:heimdal: import lorikeet-heimdal-200909210500 (commit ↵Andrew Bartlett1-0/+1
290db8d23647a27c39b97c189a0b2ef6ec21ca69)
2009-08-05s4:heimdal: import lorikeet-heimdal-200908050050 (commit ↵Andrew Bartlett1-10/+4
8714779fa7376fd9f7761587639e68b48afc8c9c) This also adds a new hdb-glue.c file, to cope with Heimdal's uncondtional enabling of SQLITE. (Very reasonable, but not required for Samba4's use). Andrew Bartlett
2009-07-28s4:kerberos Add support for user principal names in certificatesAndrew Bartlett1-0/+1
This extends the PKINIT code in Heimdal to ask the HDB layer if the User Principal Name name in the certificate is an alias (perhaps just by case change) of the name given in the AS-REQ. (This was a TODO in the Heimdal KDC) The testsuite is extended to test this behaviour, and the other PKINIT certficate (using the standard method to specify a principal name in a certificate) is updated to use a Administrator (not administrator). (This fixes the kinit test). Andrew Bartlett
2009-07-16s4:heimdal: import lorikeet-heimdal-200907152325 (commit ↵Andrew Bartlett1-2/+22
2bef9cd5378c01e9c2a74d6221761883bd11a5c5)
2009-06-30s4:heimdal Allow KRB5_NT_ENTERPRISE names in all DB lookupsAndrew Bartlett1-22/+6
The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail list user principal name) in an AS-REQ. Evidence from the wild (Win2k8 reportadely) indicates that this is instead valid for all types of requests. While this is now handled in heimdal/kdc/misc.c, a flag is now defined in Heimdal's hdb so that we can take over this handling in future (once we start using a system Heimdal, and if we find out there is more to be done here). Andrew Bartlett
2009-06-18s4:kdc Allow a password change when the password is expiredAndrew Bartlett1-14/+8
This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on. Andrew Bartlett
2009-06-12s4:heimdal: import lorikeet-heimdal-200906080040 (commit ↵Andrew Bartlett1-189/+189
904d0124b46eed7a8ad6e5b73e892ff34b6865ba) Also including the supporting changes required to pass make test A number of heimdal functions and constants have changed since we last imported a tree (for the better, but inconvenient for us). Andrew Bartlett
2008-10-28s4: import lorikeet-heimdal-200810271034Stefan Metzmacher1-170/+170
metze
2008-08-26heimdal: import heimdal's trunk svn rev 23697 + lorikeet-heimdal patchesStefan Metzmacher1-2/+21
This is based on f56a3b1846c7d462542f2e9527f4d0ed8a34748d in my heimdal-wip repo. metze (This used to be commit 467a1f2163a63cdf1a4c83a69473db50e8794f53)
2008-08-01heimdal: update to lorikeet-heimdal rev 801Stefan Metzmacher1-7/+7
metze (This used to be commit d6c54a66fb23c784ef221a3c1cf766b72bdb5a0b)
2008-03-19Merge branch 'v4-0-logon' of git://git.id10ts.net/samba into 4-0-localAndrew Bartlett1-1/+1
(This used to be commit 8252b51850f108aa8f43ec25c752a411c32f9764)
2008-03-19Merge lorikeet-heimdal -r 787 into Samba4 tree.Andrew Bartlett1-15/+26
Andrew Bartlett (This used to be commit d88b530522d3cef67c24422bd5182fb875d87ee2)
2008-03-13heimdal: Add parameter to windc_plugin to allow extended return codes.Andrew Kroeger1-1/+1
These changes add a krb5_data parameter named e_data to the windc_plugin to allow the samba KDC to return extended error information in addition to the standard KRB5KDC_ERR_* codes. Windows uses the extended information to provide detailed information in user dialogs (e.g. account disabled, logon hours restriction, must change password, etc.). This particular commit modifies only heimdal code. Hopefully this can be submitted and accepted into the upstream heimdal codebase. (This used to be commit f542362be25e7182a0836de7a0163f6b9fce9408)
2007-10-10r24614: Merge with current lorikeet-heimdal. This brings us one step closerAndrew Bartlett1-48/+92
to an alpha release. Andrew Bartlett (This used to be commit 30e02747d511630659c59eafec8d28f58605943b)
2007-10-10r23456: Update Samba4 to current lorikeet-heimdal.Andrew Bartlett1-49/+149
Andrew Bartlett (This used to be commit ae0f81ab235c72cceb120bcdeb051a483cf3cc4f)
2007-10-10r21448: return the same error codes as a windows KDCStefan Metzmacher1-3/+3
metze (This used to be commit e4d69b83dcee2f50e95690d84f95d9e69acf858e)
2007-10-10r21447: make handling of replying e_data more genericStefan Metzmacher1-18/+12
love: please merge this metze (This used to be commit 3e4ff2de9c57170d275adf54ffa00ac81253a714)
2007-10-10r21439: fix compiler warningsStefan Metzmacher1-6/+6
metze (This used to be commit ac347d7aa588574f6a18229083569608327874d8)
2007-10-10r21436: Choose the TGT session key enctype also by checking what enctypesStefan Metzmacher1-4/+20
the krbtgt hdb entry provides. We need to make sure other KDC's with the same hdb backend data can accept the TGT. (w2k and w2k3 don't support aes256-cts-hmac-sha1-96 (18) session keys.) Love: I'm not sure if this is the correct way of doing it... metze (This used to be commit 5840f50d8954e95a7071a90a1c4dcce9ae05d77c)
2007-10-10r20640: Commit part 2/2Andrew Bartlett1-70/+203
Update Heimdal to match current lorikeet-heimdal. This includes integrated PAC hooks, so Samba doesn't have to handle this any more. This also brings in the PKINIT code, hence so many new files. Andrew Bartlett (This used to be commit 351f7040f7bb73b9a60b22b564686f7c2f98a729)
2007-10-10r19681: Update to current lorikeet-heimdal. I'm looking at using the realmAndrew Bartlett1-2/+1
lookup plugin, the new PAC validation code as well as Heimdal's SPNEGO implementation. Andrew Bartlett (This used to be commit 05421f45ed7811697ea491e26c9d991a7faa1a64)
2007-10-10r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in ↵Andrew Bartlett1-6/+7
favour of a more tasteful replacement. Remove kerberos_verify.c, as we don't need that code any more. Replace with code for using the new krb5_rd_req_ctx() borrowed from Heimdal's accecpt_sec_context.c Andrew Bartlett (This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)
2007-10-10r19604: This is a massive commit, and I appologise in advance for it's size.Andrew Bartlett1-1191/+146
This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
2007-10-10r18826: Allow 'enterprise' principal names to log in.Andrew Bartlett1-7/+7
These principals do not need to be in the same realm as the rest of the ticket, the full principal name is in the first componet of the ASN.1. Samba4's backend will handle getting this to the 'right' place. Andrew Bartlett (This used to be commit 90b01b8af21609e2e5c8b6bd8cab8bd393844acf)
2007-10-10r15481: Update heimdal/ to match current lorikeet-heimdal.Andrew Bartlett1-40/+47
This includes many useful upstream changes, many of which should reduce warnings in our compile. It also includes a change to the HDB interface, which removes the need for Samba4/lorikeet-heimdal to deviate from upstream for hdb_fetch(). The new flags replace the old entry type enum. (This required the rework in hdb-ldb.c included in this commit) Andrew Bartlett (This used to be commit ef5604b87744c89e66e4d845f45b23563754ec05)
2007-10-10r15192: Update Samba4 to use current lorikeet-heimdal.Andrew Bartlett1-23/+74
Andrew Bartlett (This used to be commit f0e538126c5cb29ca14ad0d8281eaa0a715ed94f)
2007-10-10r14711: let windows clients retry after getting ERR_SKEWStefan Metzmacher1-1/+8
metze (This used to be commit 02703f4e8f430233ec4365ea5cee641a9201802f)
2007-10-10r14198: Update Samba4 to current lorikeet-heimdal.Andrew Bartlett1-2/+1
Andrew Bartlett (This used to be commit 97a0a0e2fa6784e5fc5278f7a15b385ddcb6a3b3)
2007-10-10r12269: Update to current lorikeet-heimdal. This changed the way the hdbAndrew Bartlett1-65/+70
interface worked, so hdb-ldb.c and the glue have been updated. Andrew Bartlett (This used to be commit 8fd5224c6b5c17c3a2c04c7366b7e367012db77e)
2007-10-10r11995: A big kerberos-related update.Andrew Bartlett1-11/+14
This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY keytab, so we now create a FILE based keytab as provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2007-10-10r11940: Love has clarified why this code does what it does.Andrew Bartlett1-0/+6
Andrew Bartlett (This used to be commit 9b3dedbc0bb12897a8f9bd4ec864de26b3835981)
2007-10-10r11930: Add socket/packet handling code for kpasswddAndrew Bartlett1-2/+18
Allow ticket requests with only a netbios name to be considered 'null' addresses, and therefore allowed by default. Use the netbios address as the workstation name for the allowed workstations check with krb5. Andrew Bartlett (This used to be commit 328fa186f2df5cdd42be679d92b5f07f7ed22d87)
2007-10-10r11568: Debuging aids: Let the administrator know when a key/entry expired,Andrew Bartlett1-6/+28
rather than just the fact of the expiry. Andrew Bartlett (This used to be commit 31c4ab26d7ab1e550c2ecc7c3ae6c44b87140aa3)
2007-10-10r11543: A major upgrade to our KDC and PAC handling.Andrew Bartlett1-65/+43
We now put the PAC in the AS-REP, so that the client has it in the TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the client wants a ticket. This should also allow us to interop with windows KDCs. If we get an invalid PAC at the TGS stage, we just drop it. I'm slowly trying to move the application logic out of hdb-ldb.c, and back in with the rest of Samba's auth system, for consistancy. This continues that trend. Andrew Bartlett (This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
2007-10-10r11536: Add a hook for client-principal access control to hdb-ldb, re-usingAndrew Bartlett1-32/+40
the code in auth/auth_sam.c for consistancy. This will also allow us to have one place for a backend directory hook. I will use a very similar hook to add the PAC. Andrew Bartlett (This used to be commit 4315836cd8c94eb8340c4050804face4d0066810)
2007-10-10r11310: Free the 'if_relevent' portion of the PAC when we build it.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit ede638c00b574bf4149d11844c0adf8e0f5c4efb)
2007-10-10r11294: Update Heimdal in Samba4 to lorikeet-heimdal (which is in turn updatedAndrew Bartlett1-12/+3
to CVS of 2005-10-24). Andrew Bartlett (This used to be commit 939d4f340feaad15d0a6a5da79feba2b2558f174)
2007-10-10r10386: Merge current lorikeet-heimdal into Samba4.Andrew Bartlett1-2/+22
Andrew Bartlett (This used to be commit 4d2a9a9bc497eae269c24cbf156b43b8588e2f73)
2007-10-10r10191: Return the right error code in the case of a time skew. Windows will nowJelmer Vernooij1-1/+1
ignore Kerberos and fallback to NTLMSSP when joining. Thanks to Andrew Bartlett for the assistence. (This used to be commit 3b6bfbe8cf555f4144ed06044d3ecb8044f86bca)
2007-10-10r10066: This is the second in my patches to work on Samba4's kerberos support,Andrew Bartlett1-4/+27
with an aim to make the code simpiler and more correct. Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over all keytypes)' code in gensec_krb5, we now follow the approach used in gensec_gssapi, and use a keytab. I have also done a lot of work in the GSSAPI code, to try and reduce the diff between us and upstream heimdal. It was becoming hard to track patches in this code, and I also want this patch (the DCE_STYLE support) to be in a 'manageable' state for when lha considers it for merging. (metze assures me it still has memory leak problems, but I've started to address some of that). This patch also includes a simple update of other code to current heimdal, as well as changes we need for better PAC verification. On the PAC side of things we now match windows member servers by checking the name and authtime on an incoming PAC. Not generating these right was the cause of the PAC pain, and so now both the main code and torture test validate this behaviour. One thing doesn't work with this patch: - the sealing of RPC pipes with kerberos, Samba -> Samba seems broken. I'm pretty sure this is related to AES, and the need to break apart the gss_wrap interface. Andrew Bartlett (This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)