Age | Commit message (Collapse) | Author | Files | Lines |
|
81fe27bcc0148d410ca4617f8759b9df1a5e935c)
|
|
We need to use the name that the HDB entry returned, otherwise we
will not canonicalise the reply as requested.
Andrew Bartlett
|
|
By checking the client principal here, we compare the realm based on
the normalised realm, but do so early enough to validate the PAC (and
regenerate it if required).
Andrew Bartlett
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Nov 15 23:14:57 UTC 2010 on sn-devel-104
|
|
Samba4 may modify the case of the realm in a returned entry, but will no longer modify the case of the prinicipal components.
The easy way to keep this test passing is to consider also what we
need to do to get the krbtgt account for the PAC signing - and to use
krbtgt/<this>/@REALM component to fetch the real krbtgt, and to use
that resutl for realm comparion.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Nov 15 08:47:44 UTC 2010 on sn-devel-104
|
|
5734d03c20e104c8f45533d07f2a2cbbd3224f29)
|
|
This means that no reply packet should be generated, but that instead
the user of the libkdc API should forward the packet to a real KDC,
that has a full database.
Andrew Bartlett
|
|
1bea031b9404b14114b0272ecbe56e60c567af5c)
|
|
42cabfb5b683dbcb97d583c397b897507689e382)
I based this on Matthieu's import of lorikeet-heimdal, and then
updated it to this commit.
Andrew Bartlett
|
|
Some hdb modules (samba4) may change the case of the realm in
a returned result. Use that to determine if it matches the krbtgt
realm also returned from the DB (the DB will return it in the 'right' case)
Andrew Bartlett
|
|
This should allow master key rollover.
(but the real reason is to allow multiple krbtgt accounts, as used by
Active Directory to implement RODC support)
Andrew Bartlett
|
|
If we don't do this, the PAC is given for the machine accout, not the
account being impersonated.
Andrew Bartlett
|
|
This allows us to resolve multiple forms of a name, allowing for
example machine$@REALM to get an S4U2Self ticket for
host/machine@REALM.
Andrew Bartlett
|
|
f4e0dc17709829235f057e0e100d34802d3929ff)
|
|
a5e675fed7c5db8a7370b77ed0bfa724196aa84d)
|
|
|
|
9291fd2d101f3eecec550178634faa94ead3e9a1)
|
|
290db8d23647a27c39b97c189a0b2ef6ec21ca69)
|
|
in error cases)
|
|
8714779fa7376fd9f7761587639e68b48afc8c9c)
This also adds a new hdb-glue.c file, to cope with Heimdal's
uncondtional enabling of SQLITE.
(Very reasonable, but not required for Samba4's use).
Andrew Bartlett
|
|
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ. (This was a TODO in
the Heimdal KDC)
The testsuite is extended to test this behaviour, and the other PKINIT
certficate (using the standard method to specify a principal name in a
certificate) is updated to use a Administrator (not administrator).
(This fixes the kinit test).
Andrew Bartlett
|
|
d09910d6803aad96b52ee626327ee55b14ea0de8)
This includes in particular changes to the KDC to resolve bug 6272,
originally by Matthieu Patou <mat+Informatique.Samba@matws.net>. We
need to sort the AuthorizationData elements to put the PAC first, or
else WinXP breaks when browsed from Win2k8.
Andrew Bartlett
|
|
2bef9cd5378c01e9c2a74d6221761883bd11a5c5)
|
|
The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail
list user principal name) in an AS-REQ. Evidence from the wild
(Win2k8 reportadely) indicates that this is instead valid for all
types of requests.
While this is now handled in heimdal/kdc/misc.c, a flag is now defined
in Heimdal's hdb so that we can take over this handling in future (once we start
using a system Heimdal, and if we find out there is more to be done
here).
Andrew Bartlett
|
|
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue. (In particular, in
case our requirements become more complex in future).
The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw
Also (in hdb-samba4) be a bit more careful on what entries we will
make the 'change_pw' service mark that this depends on.
Andrew Bartlett
|
|
904d0124b46eed7a8ad6e5b73e892ff34b6865ba)
Also including the supporting changes required to pass make test
A number of heimdal functions and constants have changed since we last
imported a tree (for the better, but inconvenient for us).
Andrew Bartlett
|
|
(This was not entered in lorikeet-heimdal.diff, so missed by metze's import).
Andrew Bartlett
|
|
metze
|
|
|
|
This is based on f56a3b1846c7d462542f2e9527f4d0ed8a34748d in my heimdal-wip repo.
metze
(This used to be commit 467a1f2163a63cdf1a4c83a69473db50e8794f53)
|
|
Now it's possible to just use a plain heimdal tree in source/heimdal/
without any pregenerated files.
metze
(This used to be commit da333ca7113f78eeacab4f93b401f075114c7d88)
|
|
metze
(This used to be commit d6c54a66fb23c784ef221a3c1cf766b72bdb5a0b)
|
|
(This used to be commit 8252b51850f108aa8f43ec25c752a411c32f9764)
|
|
Andrew Bartlett
(This used to be commit d88b530522d3cef67c24422bd5182fb875d87ee2)
|
|
These changes add a krb5_data parameter named e_data to the windc_plugin to
allow the samba KDC to return extended error information in addition to the
standard KRB5KDC_ERR_* codes. Windows uses the extended information to provide
detailed information in user dialogs (e.g. account disabled, logon hours
restriction, must change password, etc.).
This particular commit modifies only heimdal code. Hopefully this can be
submitted and accepted into the upstream heimdal codebase.
(This used to be commit f542362be25e7182a0836de7a0163f6b9fce9408)
|
|
(This used to be commit 6ac86f8be7d9a8c5ab396a93e6d1e6819e11f173)
|
|
(This used to be commit e53e79eebef3ece6978f0a2b4a1ee0a0814bb5d2)
|
|
to an alpha release.
Andrew Bartlett
(This used to be commit 30e02747d511630659c59eafec8d28f58605943b)
|
|
panics on hosts without /dev/random.
Andrew Bartlett
(This used to be commit 14a4ddb131993fec72316f7e8e371638749e6f1f)
|
|
Andrew Bartlett
(This used to be commit ae0f81ab235c72cceb120bcdeb051a483cf3cc4f)
|
|
(This used to be commit 123ae858c77c2507bdac6a93be1e2932a3fd7375)
|
|
metze
(This used to be commit e4d69b83dcee2f50e95690d84f95d9e69acf858e)
|
|
love: please merge this
metze
(This used to be commit 3e4ff2de9c57170d275adf54ffa00ac81253a714)
|
|
metze
(This used to be commit ac347d7aa588574f6a18229083569608327874d8)
|
|
the krbtgt hdb entry provides.
We need to make sure other KDC's with the same hdb backend data
can accept the TGT. (w2k and w2k3 don't support aes256-cts-hmac-sha1-96 (18)
session keys.)
Love: I'm not sure if this is the correct way of doing it...
metze
(This used to be commit 5840f50d8954e95a7071a90a1c4dcce9ae05d77c)
|
|
of KDC behaviour. This should allow PKINIT to be turned on and
managed with reasonable sanity.
This also means that the krb5.conf in the same directory as the
smb.conf will always have priority in Samba4, which I think will be
useful.
Andrew Bartlett
(This used to be commit a50bbde81b010bc5d06e3fc3417ade44627eb771)
|
|
Update Heimdal to match current lorikeet-heimdal. This includes
integrated PAC hooks, so Samba doesn't have to handle this any more.
This also brings in the PKINIT code, hence so many new files.
Andrew Bartlett
(This used to be commit 351f7040f7bb73b9a60b22b564686f7c2f98a729)
|
|
lookup plugin, the new PAC validation code as well as Heimdal's SPNEGO
implementation.
Andrew Bartlett
(This used to be commit 05421f45ed7811697ea491e26c9d991a7faa1a64)
|
|
favour of a more tasteful replacement.
Remove kerberos_verify.c, as we don't need that code any more.
Replace with code for using the new krb5_rd_req_ctx() borrowed from
Heimdal's accecpt_sec_context.c
Andrew Bartlett
(This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)
|
|
This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.
This is such a big change because Heimdal reorganised it's internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases.
In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC. This matches windows behavour. We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).
This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.
Andrew Bartlett
(This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
|