summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/krb5
AgeCommit message (Collapse)AuthorFilesLines
2008-10-20Add samba4kpasswd and rkpty binariesAndrew Bartlett1-0/+66
smaba4kpasswd will be used to test the kpasswdd componet of the KDC (which is up until now untested), and rkpty is an expect-like wrapper we can use to blackbox that utility. Andrew Bartlett
2008-09-03Merge krb5_cksumtype_to_enctype from Heimdal svn -r 23719Andrew Bartlett1-32/+70
(This used to be commit cc1df3c002e6af25add3c8ae20e7efc2ab6f2fa8)
2008-08-28Don't wipe the PAC checksums, the caller may actually need them.Andrew Bartlett1-14/+0
(This used to be commit 9db5a966fce0b71a0d2167b4aff70cc081abc1cc)
2008-08-26heimdal: import heimdal's trunk svn rev 23697 + lorikeet-heimdal patchesStefan Metzmacher90-830/+1096
This is based on f56a3b1846c7d462542f2e9527f4d0ed8a34748d in my heimdal-wip repo. metze (This used to be commit 467a1f2163a63cdf1a4c83a69473db50e8794f53)
2008-08-26heimdal_build: autogenerate the heimdal private/proto headersStefan Metzmacher2-4624/+0
Now it's possible to just use a plain heimdal tree in source/heimdal/ without any pregenerated files. metze (This used to be commit da333ca7113f78eeacab4f93b401f075114c7d88)
2008-08-26heimdal: remove unused old filesStefan Metzmacher1-458/+0
metze (This used to be commit 94cef56212d7d7c1150aea760dba24bda7190442)
2008-08-26heimdal_build: add a fake sqlite keytab implementationStefan Metzmacher1-2/+0
This remove a difference against lorikeet-heimdal. metze (This used to be commit 4314df3561dfe60228db0af220549300b0137c85)
2008-08-14Revert "krb5: always generate the acceptor subkey as the same enctype as the ↵Stefan Metzmacher1-3/+0
used service key" This reverts commit dbb94133e0313cae933d261af0bf1210807a6d11. As we fixed gensec_gssapi to only return a session key when it's have the correct session key, this hack isn't needed anymore. metze (This used to be commit 697cd1896bccaa55ee422f17d9312d787ca699ed)
2008-08-08krb5: always generate the acceptor subkey as the same enctype as the used ↵Stefan Metzmacher1-0/+3
service key With this patch samba4 can use gsskrb5_get_subkey() to get the session key. metze (This used to be commit dbb94133e0313cae933d261af0bf1210807a6d11)
2008-08-01heimdal: update to lorikeet-heimdal rev 801Stefan Metzmacher64-1565/+2803
metze (This used to be commit d6c54a66fb23c784ef221a3c1cf766b72bdb5a0b)
2008-03-19Merge lorikeet-heimdal -r 787 into Samba4 tree.Andrew Bartlett44-487/+1969
Andrew Bartlett (This used to be commit d88b530522d3cef67c24422bd5182fb875d87ee2)
2007-10-10r24614: Merge with current lorikeet-heimdal. This brings us one step closerAndrew Bartlett16-128/+242
to an alpha release. Andrew Bartlett (This used to be commit 30e02747d511630659c59eafec8d28f58605943b)
2007-10-10r23678: Update to current lorikeet-heimdal (-r 767), which should fix theAndrew Bartlett15-175/+481
panics on hosts without /dev/random. Andrew Bartlett (This used to be commit 14a4ddb131993fec72316f7e8e371638749e6f1f)
2007-10-10r23456: Update Samba4 to current lorikeet-heimdal.Andrew Bartlett93-331/+683
Andrew Bartlett (This used to be commit ae0f81ab235c72cceb120bcdeb051a483cf3cc4f)
2007-10-10r22191: Add a samba4kinit binary to the build, so I can test using an existingAndrew Bartlett2-0/+253
ccache, as well as PKINIT. Andrew Bartlett (This used to be commit 440b8d9e4b09d5e8c943504ade85c17f752fe705)
2007-10-10r21438: create the PAC element in the same order as w2k3,Stefan Metzmacher1-7/+7
maybe there's some broken code in windows which relies on this... love: can you merge this to heimdal? metze (This used to be commit b64abf9113a939308dc9e92ff7ddaad7be6ab551)
2007-10-10r20640: Commit part 2/2Andrew Bartlett24-171/+1637
Update Heimdal to match current lorikeet-heimdal. This includes integrated PAC hooks, so Samba doesn't have to handle this any more. This also brings in the PKINIT code, hence so many new files. Andrew Bartlett (This used to be commit 351f7040f7bb73b9a60b22b564686f7c2f98a729)
2007-10-10r19681: Update to current lorikeet-heimdal. I'm looking at using the realmAndrew Bartlett8-13/+491
lookup plugin, the new PAC validation code as well as Heimdal's SPNEGO implementation. Andrew Bartlett (This used to be commit 05421f45ed7811697ea491e26c9d991a7faa1a64)
2007-10-10r19663: merge changes from lorikeet heimdal:Stefan Metzmacher1-22/+52
support for netbios domain based realms metze (This used to be commit dcec6eebf1b474ae3055449efebf491b1106a458)
2007-10-10r19644: Merge up to current lorikeet-heimdal, incling addingAndrew Bartlett4-48/+81
gsskrb5_set_default_realm(), which should fix mimir's issues. Andrew Bartlett (This used to be commit 8117e76d2adee163925a29df872015ff5021a1d3)
2007-10-10r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in ↵Andrew Bartlett6-83/+304
favour of a more tasteful replacement. Remove kerberos_verify.c, as we don't need that code any more. Replace with code for using the new krb5_rd_req_ctx() borrowed from Heimdal's accecpt_sec_context.c Andrew Bartlett (This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)
2007-10-10r19606: Remove generated filesAndrew Bartlett3-463/+0
Andrew Bartlett (This used to be commit 7b7e1fe15358d9ed1893305fbf8a1010293ed772)
2007-10-10r19604: This is a massive commit, and I appologise in advance for it's size.Andrew Bartlett35-741/+1888
This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
2007-10-10r18826: Allow 'enterprise' principal names to log in.Andrew Bartlett5-14/+30
These principals do not need to be in the same realm as the rest of the ticket, the full principal name is in the first componet of the ASN.1. Samba4's backend will handle getting this to the 'right' place. Andrew Bartlett (This used to be commit 90b01b8af21609e2e5c8b6bd8cab8bd393844acf)
2007-10-10r16100: Patch from Michael Wood <mwood@icts.uct.ac.za>: s/then/than/ for ↵Gerald Carter5-6/+6
correct grammar (This used to be commit 26a2fa97e4c819e630bc9b50e11c8d5328c7b8c8)
2007-10-10r15515: Syncronsise with current lorikeet-heimdal.Andrew Bartlett2-173/+13
Andrew Bartlett (This used to be commit 0132312124260f74001546a34ff96db89d72b7f6)
2007-10-10r15484: Make accept_security_context() more compatible with how Samba3 (andAndrew Bartlett1-1/+2
similarly built clients) behave. This is better than just ignoring the checksum, if it isn't the GSSAPI checksum. (Samba4 clients in Samba3 mode use more than just the MD5 checksum, and will use a signed AES checksum if available. Actual samba3 may well do the same in future, against a suitable KDC). Also a change for easier debugging of checksum issues. Andrew Bartlett (This used to be commit 120374f5f9e9af0653a26e0308e4bfdabbcaa3f3)
2007-10-10r15481: Update heimdal/ to match current lorikeet-heimdal.Andrew Bartlett20-107/+358
This includes many useful upstream changes, many of which should reduce warnings in our compile. It also includes a change to the HDB interface, which removes the need for Samba4/lorikeet-heimdal to deviate from upstream for hdb_fetch(). The new flags replace the old entry type enum. (This required the rework in hdb-ldb.c included in this commit) Andrew Bartlett (This used to be commit ef5604b87744c89e66e4d845f45b23563754ec05)
2007-10-10r15192: Update Samba4 to use current lorikeet-heimdal.Andrew Bartlett30-1552/+594
Andrew Bartlett (This used to be commit f0e538126c5cb29ca14ad0d8281eaa0a715ed94f)
2007-10-10r14635: - Remove lex.c from SVN (it is built anyway, and having it in SVNAndrew Bartlett6-117/+112
confuses things) - Update Samba4 from lorikeet-heimdal - Remove generated symlink on make clean Andrew Bartlett (This used to be commit a5c2b4cc92e807d18cb8df99bebf004fa4252e1e)
2007-10-10r14198: Update Samba4 to current lorikeet-heimdal.Andrew Bartlett11-250/+168
Andrew Bartlett (This used to be commit 97a0a0e2fa6784e5fc5278f7a15b385ddcb6a3b3)
2007-10-10r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in ourAndrew Bartlett1-0/+3
case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
2007-10-10r12696: Reduce the size of include/structs.hJelmer Vernooij1-0/+3
(This used to be commit 63917616016133c623fc6ff59454bc313ee7dd8f)
2007-10-10r12269: Update to current lorikeet-heimdal. This changed the way the hdbAndrew Bartlett8-40/+48
interface worked, so hdb-ldb.c and the glue have been updated. Andrew Bartlett (This used to be commit 8fd5224c6b5c17c3a2c04c7366b7e367012db77e)
2007-10-10r12037: Fix malloc corruption caused by double-free(), where realloc(ptr, 0)Andrew Bartlett1-3/+9
is equivilant to free(). This is the issue tridge was seeing in the MEMORY: keytab code. Andrew Bartlett (This used to be commit d5a2de8ef06a08274d25ab005f2a68ec32e226f0)
2007-10-10r12000: Update to current lorikeet-heimdal, including in particular supportAndrew Bartlett5-9/+105
for referencing an existing in-MEMORY keytab (required for the new way we push that to GSSAPI). Andrew Bartlett (This used to be commit 2426581dfb9f5f0f9367f846c01dfd3c30fea954)
2007-10-10r11995: A big kerberos-related update.Andrew Bartlett6-24/+102
This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY keytab, so we now create a FILE based keytab as provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2007-10-10r11543: A major upgrade to our KDC and PAC handling.Andrew Bartlett3-8/+29
We now put the PAC in the AS-REP, so that the client has it in the TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the client wants a ticket. This should also allow us to interop with windows KDCs. If we get an invalid PAC at the TGS stage, we just drop it. I'm slowly trying to move the application logic out of hdb-ldb.c, and back in with the rest of Samba's auth system, for consistancy. This continues that trend. Andrew Bartlett (This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
2007-10-10r11542: Add the netbios name type. We will need it when we start to handleAndrew Bartlett1-0/+1
allowedWorkstations on Krb5. Andrew Bartlett (This used to be commit dbf73a82fc7d1f82e2ad45e545cefdd9a5b24215)
2007-10-10r11529: Disable DNS lookups for forwarded credentials, unless really, reallyAndrew Bartlett1-34/+41
wanted. There is nothing that suggests that the host we forward credentials to will not have other interfaces, unassoicated with their service name. Likewise, the name may be a netbios, not DNS name. This should avoid some nasty DNS lookups. Andrew Bartlett (This used to be commit da0ff19856a8f41eb64787990d47d2961824711d)
2007-10-10r11469: Fix typo, and use the correct (RFC4120) session key for delegatingAndrew Bartlett2-11/+13
credentials. This means we now delegate to windows correctly. Andrew Bartlett (This used to be commit d6928a3bf86f1ab89f29eac538ceb701c6669913)
2007-10-10r11452: Update Heimdal to current lorikeet, including removing the ccache sideAndrew Bartlett1-2/+4
of the gsskrb5_acquire_cred hack. Add support for delegated credentials into the auth and credentials subsystem, and specifically into gensec_gssapi. Add the CIFS NTVFS handler as a consumer of delegated credentials, when no user/domain/password is specified. Andrew Bartlett (This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448)
2007-10-10r11314: Use a patch from lha to have the kerberos libs extract the PAC, ratherAndrew Bartlett1-10/+148
than doing ASN.1 parsing in Samba. Also use the API function for getting a client from a ticket, rather than just digging in the structure. Andrew Bartlett (This used to be commit 25d5ea6d724bd2b64a6086ae6e2e1c5148b8ca4a)
2007-10-10r11294: Update Heimdal in Samba4 to lorikeet-heimdal (which is in turn updatedAndrew Bartlett13-445/+1079
to CVS of 2005-10-24). Andrew Bartlett (This used to be commit 939d4f340feaad15d0a6a5da79feba2b2558f174)
2007-10-10r10983: Another case were we want to avoid DNS for unqualified names.Andrew Bartlett1-1/+8
Andrew Bartlett (This used to be commit 1d7094b8dfd53dfda55db7ce30f47f74864093bf)
2007-10-10r10561: This patch takes over KDC socket routines in Heimdal, and directs themAndrew Bartlett4-8/+61
at the Samba4 socket layer. The intention here is to ensure that other events may be processed while heimdal is waiting on the KDC. The interface is designed to be sufficiently flexible, so that the plugin may choose how to time communication with the KDC (ie multiple outstanding requests, looking for a functional KDC). I've hacked the socket layer out of cldap.c to handle this very specific case of one udp packet and reply. Likewise I also handle TCP, stolen from the winbind code. This same plugin system might also be useful for a self-contained testing mode in Heimdal, in conjunction with libkdc. I would suggest using socket-wrapper instead however. Andrew Bartlett (This used to be commit 3b09f9e8f9f6f645cd03073ef833c8d0fb0d84e2)
2007-10-10r10398: Don't do DNS lookups on short names (no .).Andrew Bartlett1-0/+5
Andrew Bartlett (This used to be commit 77aca9619d24a8e118f53bcd1a1e54b8437812a8)
2007-10-10r10386: Merge current lorikeet-heimdal into Samba4.Andrew Bartlett6-104/+101
Andrew Bartlett (This used to be commit 4d2a9a9bc497eae269c24cbf156b43b8588e2f73)
2007-10-10r10382: In the absence of client support for the full KDC-sideAndrew Bartlett1-10/+23
canonicalisation code, I've hacked Heimdal to use the default realm if no other realm can be determined for a given host. Andrew Bartlett (This used to be commit 0f0b0021b7728ce75ca0060003a3d08264ead810)
2007-10-10r10337: This grubby little hack is the implementation of a concept discussedAndrew Bartlett3-0/+11
on the kerberos mailing lists a couple of weeks ago: Don't use DNS at all for expanding short names into long names. Using the 'override krb5_init_context' code already in the tree, this removes the DNS lag on a kerberos session setup/connection. Andrew Bartlett (This used to be commit de3ceab3d064a286e8662a2b9b62b212f0454156)