summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/hdb
AgeCommit message (Collapse)AuthorFilesLines
2012-06-15heimdal:lib/hdb: <config.h> needs to be the first headerStefan Metzmacher1-2/+2
This should fix build problems on AIX. metze
2011-07-26s4:heimdal: import lorikeet-heimdal-201107241840 (commit ↵Stefan Metzmacher10-36/+409
0fdf11fa3cdb47df9f5393ebf36d9f5742243036)
2011-07-15s4:heimdal: import lorikeet-heimdal-201107150856 (commit ↵Stefan Metzmacher8-60/+62
48936803fae4a2fb362c79365d31f420c917b85b)
2011-02-02s4:heimdal: import lorikeet-heimdal-201101310455 (commit ↵Andrew Bartlett1-0/+2
aa88eb1a05c4985cc23fb65fc1bad75bdce01c1f)
2010-12-17heimdal_build: Add version-script for hdb.Jelmer Vernooij1-0/+107
2010-12-01s4:heimdal: import lorikeet-heimdal-201012010201 (commit ↵Andrew Bartlett6-35/+18
81fe27bcc0148d410ca4617f8759b9df1a5e935c)
2010-10-03s4:heimdal: import lorikeet-heimdal-201010022046 (commit ↵Andrew Bartlett3-8/+39
1bea031b9404b14114b0272ecbe56e60c567af5c)
2010-10-03s4:heimdal: import lorikeet-heimdal-201009250123 (commit ↵Matthieu Patou5-19/+30
42cabfb5b683dbcb97d583c397b897507689e382) I based this on Matthieu's import of lorikeet-heimdal, and then updated it to this commit. Andrew Bartlett
2010-09-29heimdal Add an error code for use in the RODCAndrew Bartlett1-0/+1
In this case, the whole request packet should be forwarded to a real KDC, with full secrets, as we don't have the password. This could also be used to implement 'play dead when the LDAP server is down'. Andrew Bartlett
2010-09-29heimdal Add support for extracting a particular KVNO from the databaseAndrew Bartlett2-2/+3
This should allow master key rollover. (but the real reason is to allow multiple krbtgt accounts, as used by Active Directory to implement RODC support) Andrew Bartlett
2010-04-13s4-heimdal: Fix typo in comment.Karolin Seeger1-1/+1
Karolin
2010-04-10s4:heimdal Add hooks to check with the DB before we allow s4u2selfAndrew Bartlett1-1/+6
This allows us to resolve multiple forms of a name, allowing for example machine$@REALM to get an S4U2Self ticket for host/machine@REALM. Andrew Bartlett
2010-03-27s4:heimdal: import lorikeet-heimdal-201003262338 (commit ↵Andrew Bartlett2-46/+63
f4e0dc17709829235f057e0e100d34802d3929ff)
2010-03-27s4:heimdal New files and supporting logic for heimdal updateAndrew Bartlett1-0/+226
2010-03-27s4:heimdal: import lorikeet-heimdal-201001120029 (commit ↵Andrew Bartlett4-12/+44
a5e675fed7c5db8a7370b77ed0bfa724196aa84d)
2009-11-13s4:heimdal: import lorikeet-heimdal-200911122202 (commit ↵Andrew Bartlett3-14/+19
9291fd2d101f3eecec550178634faa94ead3e9a1)
2009-11-13s4:heimdal: import lorikeet-heimdal-200909210500 (commit ↵Andrew Bartlett2-19/+16
290db8d23647a27c39b97c189a0b2ef6ec21ca69)
2009-10-21heimdal - hdb/ext.c - fix a "shadows variable" warningMatthias Dieter Wallnöfer1-4/+4
Renamed the variable "str" in the nested block to "str2" to prevent the collision with "str" in the main function block.
2009-10-14s4:heimdal A real fix for bug 6801Andrew Bartlett1-3/+3
The issue was that we would free the entry after the database, not knowing that the entry was a talloc child of the database. Andrew Bartlett
2009-08-05s4:heimdal: import lorikeet-heimdal-200908050050 (commit ↵Andrew Bartlett2-74/+98
8714779fa7376fd9f7761587639e68b48afc8c9c) This also adds a new hdb-glue.c file, to cope with Heimdal's uncondtional enabling of SQLITE. (Very reasonable, but not required for Samba4's use). Andrew Bartlett
2009-07-28s4:kerberos Add support for user principal names in certificatesAndrew Bartlett1-1/+6
This extends the PKINIT code in Heimdal to ask the HDB layer if the User Principal Name name in the certificate is an alias (perhaps just by case change) of the name given in the AS-REQ. (This was a TODO in the Heimdal KDC) The testsuite is extended to test this behaviour, and the other PKINIT certficate (using the standard method to specify a principal name in a certificate) is updated to use a Administrator (not administrator). (This fixes the kinit test). Andrew Bartlett
2009-07-27s4:heimdal Extend the 'hdb as a keytab' codeAndrew Bartlett1-4/+145
This extends the hdb_keytab code to allow enumeration of all the keys. The plan is to allow ktutil's copy command to copy from Samba4's hdb_samba4 into a file-based keytab used in wireshark. One day, with a few more hacks, we might even make this a loadable module that can be used directly... Andrew Bartlett
2009-07-16s4:heimdal: import lorikeet-heimdal-200907152325 (commit ↵Andrew Bartlett10-63/+79
2bef9cd5378c01e9c2a74d6221761883bd11a5c5)
2009-06-30s4:heimdal Allow KRB5_NT_ENTERPRISE names in all DB lookupsAndrew Bartlett1-2/+4
The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail list user principal name) in an AS-REQ. Evidence from the wild (Win2k8 reportadely) indicates that this is instead valid for all types of requests. While this is now handled in heimdal/kdc/misc.c, a flag is now defined in Heimdal's hdb so that we can take over this handling in future (once we start using a system Heimdal, and if we find out there is more to be done here). Andrew Bartlett
2009-06-12s4:heimdal: import lorikeet-heimdal-200906080040 (commit ↵Andrew Bartlett9-94/+203
904d0124b46eed7a8ad6e5b73e892ff34b6865ba) Also including the supporting changes required to pass make test A number of heimdal functions and constants have changed since we last imported a tree (for the better, but inconvenient for us). Andrew Bartlett
2009-01-30heimdal:hdb: always include "config.h" firstStefan Metzmacher1-0/+4
metze
2008-10-28s4: import lorikeet-heimdal-200810271034Stefan Metzmacher10-387/+387
metze
2008-10-20Make sure prototypes are always included, make some functions static andJelmer Vernooij1-3/+3
remove some unused functions.
2008-09-29Rename hdb_ldb to hdb_samba4 and load as a plugin into the kdc.Andrew Bartlett2-14/+34
This avoids one more custom patch to the Heimdal code, and provides a more standard way to produce hdb plugins in future. I've renamed from hdb_ldb to hdb_samba4 as it really is not generic ldb. Andrew Bartlett
2008-08-26heimdal: import heimdal's trunk svn rev 23697 + lorikeet-heimdal patchesStefan Metzmacher12-29/+21
This is based on f56a3b1846c7d462542f2e9527f4d0ed8a34748d in my heimdal-wip repo. metze (This used to be commit 467a1f2163a63cdf1a4c83a69473db50e8794f53)
2008-08-26heimdal_build: autogenerate the heimdal private/proto headersStefan Metzmacher2-454/+0
Now it's possible to just use a plain heimdal tree in source/heimdal/ without any pregenerated files. metze (This used to be commit da333ca7113f78eeacab4f93b401f075114c7d88)
2008-08-01heimdal: update to lorikeet-heimdal rev 801Stefan Metzmacher8-92/+98
metze (This used to be commit d6c54a66fb23c784ef221a3c1cf766b72bdb5a0b)
2008-03-19Merge lorikeet-heimdal -r 787 into Samba4 tree.Andrew Bartlett6-12/+298
Andrew Bartlett (This used to be commit d88b530522d3cef67c24422bd5182fb875d87ee2)
2007-10-10r23678: Update to current lorikeet-heimdal (-r 767), which should fix theAndrew Bartlett1-2/+10
panics on hosts without /dev/random. Andrew Bartlett (This used to be commit 14a4ddb131993fec72316f7e8e371638749e6f1f)
2007-10-10r23456: Update Samba4 to current lorikeet-heimdal.Andrew Bartlett12-32/+154
Andrew Bartlett (This used to be commit ae0f81ab235c72cceb120bcdeb051a483cf3cc4f)
2007-10-10r20640: Commit part 2/2Andrew Bartlett2-19/+1
Update Heimdal to match current lorikeet-heimdal. This includes integrated PAC hooks, so Samba doesn't have to handle this any more. This also brings in the PKINIT code, hence so many new files. Andrew Bartlett (This used to be commit 351f7040f7bb73b9a60b22b564686f7c2f98a729)
2007-10-10r19632: This got missed in the heimdal merge. Without this, we don't keep theAndrew Bartlett1-1/+1
full database name. The existing code (needed for when we use the HDB as a keytab, such as for the kpasswd service) only works for HDB keytabs not prefixed with a type. Andrew Bartlett (This used to be commit 12dc157daea4a20200f910d8e71c49670e35ef50)
2007-10-10r19604: This is a massive commit, and I appologise in advance for it's size.Andrew Bartlett8-44/+93
This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
2007-10-10r18031: Merge my replace fixes:Jelmer Vernooij1-1/+1
* libreplace can now build stand-alone * add stub testsuite for libreplace * make talloc/tdb/ldb use libreplace (This used to be commit fe7ca4b1454e01a33ed0d53791ebffdd349298b4)
2007-10-10r16056: Fix errors found by trying to use our kpasswd server and the Apple ↵Andrew Bartlett1-1/+1
client. Andrew Bartlett (This used to be commit ae2913898c983dcba69b5d0b89c428e450e9bf5f)
2007-10-10r15481: Update heimdal/ to match current lorikeet-heimdal.Andrew Bartlett8-50/+77
This includes many useful upstream changes, many of which should reduce warnings in our compile. It also includes a change to the HDB interface, which removes the need for Samba4/lorikeet-heimdal to deviate from upstream for hdb_fetch(). The new flags replace the old entry type enum. (This required the rework in hdb-ldb.c included in this commit) Andrew Bartlett (This used to be commit ef5604b87744c89e66e4d845f45b23563754ec05)
2007-10-10r15192: Update Samba4 to use current lorikeet-heimdal.Andrew Bartlett2-5/+6
Andrew Bartlett (This used to be commit f0e538126c5cb29ca14ad0d8281eaa0a715ed94f)
2007-10-10r14198: Update Samba4 to current lorikeet-heimdal.Andrew Bartlett4-367/+9
Andrew Bartlett (This used to be commit 97a0a0e2fa6784e5fc5278f7a15b385ddcb6a3b3)
2007-10-10r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in ourAndrew Bartlett3-1/+286
case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
2007-10-10r12269: Update to current lorikeet-heimdal. This changed the way the hdbAndrew Bartlett6-81/+83
interface worked, so hdb-ldb.c and the glue have been updated. Andrew Bartlett (This used to be commit 8fd5224c6b5c17c3a2c04c7366b7e367012db77e)
2007-10-10r12000: Update to current lorikeet-heimdal, including in particular supportAndrew Bartlett4-13/+385
for referencing an existing in-MEMORY keytab (required for the new way we push that to GSSAPI). Andrew Bartlett (This used to be commit 2426581dfb9f5f0f9367f846c01dfd3c30fea954)
2007-10-10r11995: A big kerberos-related update.Andrew Bartlett3-4/+8
This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY keytab, so we now create a FILE based keytab as provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2007-10-10r11543: A major upgrade to our KDC and PAC handling.Andrew Bartlett1-3/+8
We now put the PAC in the AS-REP, so that the client has it in the TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the client wants a ticket. This should also allow us to interop with windows KDCs. If we get an invalid PAC at the TGS stage, we just drop it. I'm slowly trying to move the application logic out of hdb-ldb.c, and back in with the rest of Samba's auth system, for consistancy. This continues that trend. Andrew Bartlett (This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
2007-10-10r11536: Add a hook for client-principal access control to hdb-ldb, re-usingAndrew Bartlett3-1/+33
the code in auth/auth_sam.c for consistancy. This will also allow us to have one place for a backend directory hook. I will use a very similar hook to add the PAC. Andrew Bartlett (This used to be commit 4315836cd8c94eb8340c4050804face4d0066810)
2007-10-10r11294: Update Heimdal in Samba4 to lorikeet-heimdal (which is in turn updatedAndrew Bartlett1-6/+8
to CVS of 2005-10-24). Andrew Bartlett (This used to be commit 939d4f340feaad15d0a6a5da79feba2b2558f174)
generated by cgit (git 2.34.1) at 2024-11-02 12:08:12 +0000