summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/gssapi/krb5
AgeCommit message (Collapse)AuthorFilesLines
2010-11-17s4-heimdal: implement KERB_AP_ERR_TYPE_SKEW_RECOVERYAndrew Tridgell1-1/+5
this e_data field in a kerberos error packet tells windows to do clock skew recovery. See [MS-KILE] 2.2.1 KERB-ERROR-DATA Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-15s4:heimdal: import lorikeet-heimdal-201011102149 (commit ↵Andrew Bartlett1-14/+13
5734d03c20e104c8f45533d07f2a2cbbd3224f29)
2010-11-08heimdal Add clock-skew handling to DCE-style GSSAPIAndrew Bartlett1-39/+65
The clock skew handling was previously only on properly wrapped GSSAPI, and was skipped for DCE-style. This allows the ASN.1 errors from the krb5_rd_req to suggest parsing as a kerberos error packet. Andrew Bartlett Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Mon Nov 8 07:58:09 UTC 2010 on sn-devel-104
2010-10-03s4:heimdal: import lorikeet-heimdal-201009250123 (commit ↵Matthieu Patou38-224/+109
42cabfb5b683dbcb97d583c397b897507689e382) I based this on Matthieu's import of lorikeet-heimdal, and then updated it to this commit. Andrew Bartlett
2010-09-28heimdal Use a seperate krb5_auth_context for the delegated credentialsAndrew Bartlett3-1/+35
If we re-use this context, we overwrite the timestamp while talking to the KDC and fail the mutual authentiation with the target server. Andrew Bartlett
2010-03-27s4:heimdal: import lorikeet-heimdal-201001120029 (commit ↵Andrew Bartlett4-15/+15
a5e675fed7c5db8a7370b77ed0bfa724196aa84d)
2009-11-13s4:heimdal: import lorikeet-heimdal-200911122202 (commit ↵Andrew Bartlett1-9/+7
9291fd2d101f3eecec550178634faa94ead3e9a1)
2009-11-13s4:heimdal: import lorikeet-heimdal-200909210500 (commit ↵Andrew Bartlett14-228/+473
290db8d23647a27c39b97c189a0b2ef6ec21ca69)
2009-09-18s4:heimdal/gssapi/krb5: set cred_handle in _gsskrb5_import_credStefan Metzmacher1-0/+1
metze
2009-08-06s4:heimdal: import lorikeet-heimdal-200908052208 (commit ↵Andrew Bartlett1-4/+5
370a73a74199a5a55188340906e15fd795f67a74) This removes some of the portability changes made to code under heimdal/ If these are still required, then we will re-add them with code under heimdal_build/ (so that we can simply 'drop in' future heimdal releases). Andrew Bartlett
2009-08-05s4:heimdal: import lorikeet-heimdal-200908050050 (commit ↵Andrew Bartlett10-22/+399
8714779fa7376fd9f7761587639e68b48afc8c9c) This also adds a new hdb-glue.c file, to cope with Heimdal's uncondtional enabling of SQLITE. (Very reasonable, but not required for Samba4's use). Andrew Bartlett
2009-07-16s4:heimdal: import lorikeet-heimdal-200907152325 (commit ↵Andrew Bartlett45-302/+793
2bef9cd5378c01e9c2a74d6221761883bd11a5c5)
2009-07-16s4:heimdal The implied GSS_C_MUTUAL_FLAG depends on AP_OPTS_MUTUAL_REQUIREDAndrew Bartlett1-1/+4
We had previously assumed it was unconditional. Samba3 didn't mind very much, but Samba4's samba3-like client did, and the behaviour differed to Win2008 behaviour. Andrew Bartlett
2009-06-12s4:heimdal: import lorikeet-heimdal-200906080040 (commit ↵Andrew Bartlett47-269/+463
904d0124b46eed7a8ad6e5b73e892ff34b6865ba) Also including the supporting changes required to pass make test A number of heimdal functions and constants have changed since we last imported a tree (for the better, but inconvenient for us). Andrew Bartlett
2008-10-28s4: import lorikeet-heimdal-200810271034Stefan Metzmacher44-1312/+1340
metze
2008-08-26heimdal: import heimdal's trunk svn rev 23697 + lorikeet-heimdal patchesStefan Metzmacher47-170/+303
This is based on f56a3b1846c7d462542f2e9527f4d0ed8a34748d in my heimdal-wip repo. metze (This used to be commit 467a1f2163a63cdf1a4c83a69473db50e8794f53)
2008-08-26heimdal_build: autogenerate the heimdal private/proto headersStefan Metzmacher1-704/+0
Now it's possible to just use a plain heimdal tree in source/heimdal/ without any pregenerated files. metze (This used to be commit da333ca7113f78eeacab4f93b401f075114c7d88)
2008-08-26Revert "gsskrb5: add support for DCE_STYLE and des and des3 keys"Stefan Metzmacher2-64/+22
This reverts commit 86848dd0f217774faed81af8fbf68618013e20a1. This should come back via a merge from heimdal's trunk later. metze (This used to be commit 585e5360e2d9f722e80850eb86c3d4253530e8ba)
2008-08-26Revert "gsskrb5: always return an acceptor subkey"Stefan Metzmacher1-18/+4
This reverts commit 6a8b07c39558f240b89e833ecba15d8b9fc020e8. This isn't strictly needed and will come back in the next merge from heimdal's trunk. metze (This used to be commit 8ed040c8c4bed082ab74ab267090b35bb57db3f3)
2008-08-14gsskrb5: always return an acceptor subkeyStefan Metzmacher1-4/+18
For non cfx keys it's the same as the intiator subkey. This matches windows behavior. metze (This used to be commit 6a8b07c39558f240b89e833ecba15d8b9fc020e8)
2008-08-08gsskrb5: try to be compatible with windows for gss_wrap* and cfxStefan Metzmacher2-11/+39
The good thing is that windows and heimdal both use EC=0 in the non DCE_STYLE case, so we need the windows compat hack only in DCE_STYLE mode. metze (This used to be commit 0fa41a94e466d5e11bcf362ccd8ff41b72733d1a)
2008-08-08gsskrb5: add support for DCE_STYLE and des and des3 keysStefan Metzmacher2-22/+64
Only the des keys are tested as windows doesn't support des3 metze (This used to be commit 86848dd0f217774faed81af8fbf68618013e20a1)
2008-08-01heimdal: update to lorikeet-heimdal rev 801Stefan Metzmacher13-175/+473
metze (This used to be commit d6c54a66fb23c784ef221a3c1cf766b72bdb5a0b)
2008-06-27gsskrb5: just don't force, but allow the flags when GSS_CF_NO_CI_FLAGS is givenStefan Metzmacher1-0/+6
metze (This used to be commit f10c9ca3612d7bdc4c2c221e959f8c48ec2f9349)
2008-06-27gsskrb5: fix gss_krb5_cred_no_ci_flags_x_oid_desc variable nameStefan Metzmacher1-2/+2
metze (This used to be commit d88be1a1cb543b4e2cc5d15262da786558aa276d)
2008-06-02krb5_init_sec_context: skip the token header when GSS_C_DCE_STYLE is specifiedStefan Metzmacher1-5/+11
Windows (and heimdal) accepts packets with token header in the server, but it doesn't match the windows client. We now match the windows client and that fixes also the display in wireshark. metze (This used to be commit 58f66184f0f732a78e86bbb0f3c29e920f086d08)
2008-03-19Merge lorikeet-heimdal -r 787 into Samba4 tree.Andrew Bartlett6-62/+114
Andrew Bartlett (This used to be commit d88b530522d3cef67c24422bd5182fb875d87ee2)
2007-10-10r23678: Update to current lorikeet-heimdal (-r 767), which should fix theAndrew Bartlett4-8/+9
panics on hosts without /dev/random. Andrew Bartlett (This used to be commit 14a4ddb131993fec72316f7e8e371638749e6f1f)
2007-10-10r23456: Update Samba4 to current lorikeet-heimdal.Andrew Bartlett52-392/+411
Andrew Bartlett (This used to be commit ae0f81ab235c72cceb120bcdeb051a483cf3cc4f)
2007-10-10r20640: Commit part 2/2Andrew Bartlett37-759/+748
Update Heimdal to match current lorikeet-heimdal. This includes integrated PAC hooks, so Samba doesn't have to handle this any more. This also brings in the PKINIT code, hence so many new files. Andrew Bartlett (This used to be commit 351f7040f7bb73b9a60b22b564686f7c2f98a729)
2007-10-10r20139: only add GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG if the caller ↵Stefan Metzmacher1-2/+5
requested it! this is needed to create plain, singed or sealed LDAP connections. this should go into lorikeet and main heimdal... metze (This used to be commit 75c037cae21714e394a63f2506387e1049eb4406)
2007-10-10r19681: Update to current lorikeet-heimdal. I'm looking at using the realmAndrew Bartlett2-1/+32
lookup plugin, the new PAC validation code as well as Heimdal's SPNEGO implementation. Andrew Bartlett (This used to be commit 05421f45ed7811697ea491e26c9d991a7faa1a64)
2007-10-10r19644: Merge up to current lorikeet-heimdal, incling addingAndrew Bartlett3-5/+32
gsskrb5_set_default_realm(), which should fix mimir's issues. Andrew Bartlett (This used to be commit 8117e76d2adee163925a29df872015ff5021a1d3)
2007-10-10r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in ↵Andrew Bartlett8-72/+108
favour of a more tasteful replacement. Remove kerberos_verify.c, as we don't need that code any more. Replace with code for using the new krb5_rd_req_ctx() borrowed from Heimdal's accecpt_sec_context.c Andrew Bartlett (This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)
2007-10-10r19604: This is a massive commit, and I appologise in advance for it's size.Andrew Bartlett51-0/+11572
This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)