summaryrefslogtreecommitdiff
path: root/source4/heimdal/kdc
AgeCommit message (Collapse)AuthorFilesLines
2011-09-05heimdal: Try to handle the PAC checking when we are in a cross-realm environmentAndrew Bartlett1-1/+10
2011-07-26s4:heimdal: import lorikeet-heimdal-201107241840 (commit ↵Stefan Metzmacher5-8/+12
0fdf11fa3cdb47df9f5393ebf36d9f5742243036)
2011-07-15s4:heimdal: import lorikeet-heimdal-201107150856 (commit ↵Stefan Metzmacher12-360/+414
48936803fae4a2fb362c79365d31f420c917b85b)
2011-06-28s4:kdc: generate the S4U_DELEGATION_INFO in the regenerated pacStefan Metzmacher1-4/+2
metze
2011-06-28HEIMDAL:kdc: pass down the delegated_proxy_principal to the verify_pac()Stefan Metzmacher3-20/+41
function This is needed in order to add the S4U_DELEGATION_INFO to the pac. metze
2011-06-28HEIMDAL:kdc/windc_plugin.h: KRB5_WINDC_PLUGIN_MINOR 4 => 5Stefan Metzmacher1-2/+2
commit "heimdal Add support for extracting a particular KVNO from the database" (f469fc6d4922d796f5c61bf43e3efc018e37b680 in heimdal/master and 9b5e304ccedc8f0f7ce2342e4d9c621417dd1c1e in samba/master) changed the windc_plugin interface, so we need to change the version number. metze
2011-06-24HEIMDAL:kdc: don't allow self delegation if a backend ↵Stefan Metzmacher1-4/+4
check_constrained_delegation() hook is given A service should use S4U2Self instead of S4U2Proxy. Windows servers allow S4U2Proxy only to explicitly configured target principals. metze
2011-06-24HEIMDAL:kdc: pass down the server hdb_entry_ex to check_constrained_delegation()Stefan Metzmacher1-5/+19
This way we can compare the already canonicalized principals, while still passing the client specified target principal down to the backend specific constrained_delegation() hook. metze
2011-06-24HEIMDAL:kdc: use the correct client realm in the EncTicketPartStefan Metzmacher1-1/+1
With S4U2Proxy tgt->crealm might be different from tgt_name->realm. metze
2011-05-18HEIMDAL:kdc: check and regenerate the PAC in the s4u2proxy caseStefan Metzmacher1-13/+38
TODO: we need to add a S4U_DELEGATION_INFO to the PAC later. metze
2011-05-18HEIMDAL:kdc: pass the correct principal name for the resulting service ticketStefan Metzmacher1-38/+36
Depending on S4U2Proxy the principal name for the resulting ticket is not the principal of the client ticket. metze
2011-05-18HEIMDAL:kdc: let check_PAC() to verify the incoming server and krbtgt cheksumsStefan Metzmacher1-4/+7
For a normal TGS-REQ they're both signed with krbtgt key. But for S4U2Proxy requests which ask for contrained delegation, the keys differ. metze
2011-03-14Merge new lorikeet heimdal, revision 85ed7247f515770c73b1f1ced1739f6ce19d75d2Jelmer Vernooij2-3/+4
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Mon Mar 14 23:53:46 CET 2011 on sn-devel-104
2011-03-04HEIMDAL:kdc: correctly propagate HDB_ERR_NOT_FOUND_HERE to via ↵Stefan Metzmacher1-0/+5
tgs_parse_request() and _kdc_tgs_rep() metze
2011-02-17heimdal Pass F_CANON down to the hdb layer for servers in AS-REP as wellAndrew Bartlett1-2/+1
This fixes Win2003 domain logons against Samba4, which need a canonicalised reply, and helpfully do set that flag. Specifically, they need that realm in krbtgt/realm@realm that these both match exactly in the reply. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Feb 17 06:40:53 CET 2011 on sn-devel-104
2011-02-02s4:heimdal: import lorikeet-heimdal-201101310455 (commit ↵Andrew Bartlett1-0/+4
aa88eb1a05c4985cc23fb65fc1bad75bdce01c1f)
2010-12-17heimdal_build: Add version-script for kdc.Jelmer Vernooij1-0/+21
2010-12-01s4:heimdal: import lorikeet-heimdal-201012010201 (commit ↵Andrew Bartlett4-1049/+7
81fe27bcc0148d410ca4617f8759b9df1a5e935c)
2010-11-16heimdal Build ticket with the canonical server nameAndrew Bartlett1-1/+1
We need to use the name that the HDB entry returned, otherwise we will not canonicalise the reply as requested. Andrew Bartlett
2010-11-15heimdal Fetch the client before the PAC check, but after obtaining krbtgt_outAndrew Bartlett1-31/+30
By checking the client principal here, we compare the realm based on the normalised realm, but do so early enough to validate the PAC (and regenerate it if required). Andrew Bartlett
2010-11-15s4:heimdal - fix the return code of a non-void functionMatthias Dieter Wallnöfer1-0/+2
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Mon Nov 15 23:14:57 UTC 2010 on sn-devel-104
2010-11-15heimdal Fix handling of backwards cross-realm detection for Samba4Andrew Bartlett1-18/+48
Samba4 may modify the case of the realm in a returned entry, but will no longer modify the case of the prinicipal components. The easy way to keep this test passing is to consider also what we need to do to get the krbtgt account for the PAC signing - and to use krbtgt/<this>/@REALM component to fetch the real krbtgt, and to use that resutl for realm comparion. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Nov 15 08:47:44 UTC 2010 on sn-devel-104
2010-11-15s4:heimdal: import lorikeet-heimdal-201011102149 (commit ↵Andrew Bartlett1-19/+25
5734d03c20e104c8f45533d07f2a2cbbd3224f29)
2010-11-12heimdal Return HDB_ERR_NOT_FOUND_HERE to the callerAndrew Bartlett3-11/+34
This means that no reply packet should be generated, but that instead the user of the libkdc API should forward the packet to a real KDC, that has a full database. Andrew Bartlett
2010-10-03s4:heimdal: import lorikeet-heimdal-201010022046 (commit ↵Andrew Bartlett4-18/+28
1bea031b9404b14114b0272ecbe56e60c567af5c)
2010-10-03s4:heimdal: import lorikeet-heimdal-201009250123 (commit ↵Matthieu Patou5-28/+43
42cabfb5b683dbcb97d583c397b897507689e382) I based this on Matthieu's import of lorikeet-heimdal, and then updated it to this commit. Andrew Bartlett
2010-10-02heimdal use returned server entry from HDB to compare realmsAndrew Bartlett1-1/+1
Some hdb modules (samba4) may change the case of the realm in a returned result. Use that to determine if it matches the krbtgt realm also returned from the DB (the DB will return it in the 'right' case) Andrew Bartlett
2010-09-29heimdal Add support for extracting a particular KVNO from the databaseAndrew Bartlett5-17/+51
This should allow master key rollover. (but the real reason is to allow multiple krbtgt accounts, as used by Active Directory to implement RODC support) Andrew Bartlett
2010-04-10s4:heimdal Create a new PAC when impersonating a user with S4U2SelfAndrew Bartlett1-4/+46
If we don't do this, the PAC is given for the machine accout, not the account being impersonated. Andrew Bartlett
2010-04-10s4:heimdal Add hooks to check with the DB before we allow s4u2selfAndrew Bartlett1-4/+36
This allows us to resolve multiple forms of a name, allowing for example machine$@REALM to get an S4U2Self ticket for host/machine@REALM. Andrew Bartlett
2010-03-27s4:heimdal: import lorikeet-heimdal-201003262338 (commit ↵Andrew Bartlett9-16/+11
f4e0dc17709829235f057e0e100d34802d3929ff)
2010-03-27s4:heimdal: import lorikeet-heimdal-201001120029 (commit ↵Andrew Bartlett9-166/+197
a5e675fed7c5db8a7370b77ed0bfa724196aa84d)
2009-11-24heimdal Fix invalid format stringAndrew Bartlett1-1/+1
2009-11-13s4:heimdal: import lorikeet-heimdal-200911122202 (commit ↵Andrew Bartlett7-149/+207
9291fd2d101f3eecec550178634faa94ead3e9a1)
2009-11-13s4:heimdal: import lorikeet-heimdal-200909210500 (commit ↵Andrew Bartlett4-98/+145
290db8d23647a27c39b97c189a0b2ef6ec21ca69)
2009-10-03heimdal kerberos - fix memory leak (free the plugin list always - not only ↵Matthias Dieter Wallnöfer1-1/+1
in error cases)
2009-08-05s4:heimdal: import lorikeet-heimdal-200908050050 (commit ↵Andrew Bartlett4-20/+25
8714779fa7376fd9f7761587639e68b48afc8c9c) This also adds a new hdb-glue.c file, to cope with Heimdal's uncondtional enabling of SQLITE. (Very reasonable, but not required for Samba4's use). Andrew Bartlett
2009-07-28s4:kerberos Add support for user principal names in certificatesAndrew Bartlett2-18/+21
This extends the PKINIT code in Heimdal to ask the HDB layer if the User Principal Name name in the certificate is an alias (perhaps just by case change) of the name given in the AS-REQ. (This was a TODO in the Heimdal KDC) The testsuite is extended to test this behaviour, and the other PKINIT certficate (using the standard method to specify a principal name in a certificate) is updated to use a Administrator (not administrator). (This fixes the kinit test). Andrew Bartlett
2009-07-17s4:heimdal: import lorikeet-heimdal-200907162216 (commit ↵Andrew Bartlett1-17/+22
d09910d6803aad96b52ee626327ee55b14ea0de8) This includes in particular changes to the KDC to resolve bug 6272, originally by Matthieu Patou <mat+Informatique.Samba@matws.net>. We need to sort the AuthorizationData elements to put the PAC first, or else WinXP breaks when browsed from Win2k8. Andrew Bartlett
2009-07-16s4:heimdal: import lorikeet-heimdal-200907152325 (commit ↵Andrew Bartlett3-25/+59
2bef9cd5378c01e9c2a74d6221761883bd11a5c5)
2009-06-30s4:heimdal Allow KRB5_NT_ENTERPRISE names in all DB lookupsAndrew Bartlett2-22/+28
The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail list user principal name) in an AS-REQ. Evidence from the wild (Win2k8 reportadely) indicates that this is instead valid for all types of requests. While this is now handled in heimdal/kdc/misc.c, a flag is now defined in Heimdal's hdb so that we can take over this handling in future (once we start using a system Heimdal, and if we find out there is more to be done here). Andrew Bartlett
2009-06-18s4:kdc Allow a password change when the password is expiredAndrew Bartlett6-27/+35
This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on. Andrew Bartlett
2009-06-12s4:heimdal: import lorikeet-heimdal-200906080040 (commit ↵Andrew Bartlett13-1725/+1108
904d0124b46eed7a8ad6e5b73e892ff34b6865ba) Also including the supporting changes required to pass make test A number of heimdal functions and constants have changed since we last imported a tree (for the better, but inconvenient for us). Andrew Bartlett
2008-11-04Re-add support for supporting the PAC over domain trusts.Andrew Bartlett1-19/+17
(This was not entered in lorikeet-heimdal.diff, so missed by metze's import). Andrew Bartlett
2008-10-28s4: import lorikeet-heimdal-200810271034Stefan Metzmacher18-951/+951
metze
2008-10-06Allow the PAC to be passed along during cross-realm authenticationAndrew Bartlett1-18/+16
2008-08-26heimdal: import heimdal's trunk svn rev 23697 + lorikeet-heimdal patchesStefan Metzmacher18-42/+66
This is based on f56a3b1846c7d462542f2e9527f4d0ed8a34748d in my heimdal-wip repo. metze (This used to be commit 467a1f2163a63cdf1a4c83a69473db50e8794f53)
2008-08-26heimdal_build: autogenerate the heimdal private/proto headersStefan Metzmacher2-379/+0
Now it's possible to just use a plain heimdal tree in source/heimdal/ without any pregenerated files. metze (This used to be commit da333ca7113f78eeacab4f93b401f075114c7d88)
2008-08-01heimdal: update to lorikeet-heimdal rev 801Stefan Metzmacher11-460/+617
metze (This used to be commit d6c54a66fb23c784ef221a3c1cf766b72bdb5a0b)
2008-03-19Merge branch 'v4-0-logon' of git://git.id10ts.net/samba into 4-0-localAndrew Bartlett4-5/+7
(This used to be commit 8252b51850f108aa8f43ec25c752a411c32f9764)