summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r19681: Update to current lorikeet-heimdal. I'm looking at using the realmAndrew Bartlett16-130/+974
lookup plugin, the new PAC validation code as well as Heimdal's SPNEGO implementation. Andrew Bartlett (This used to be commit 05421f45ed7811697ea491e26c9d991a7faa1a64)
2007-10-10r19663: merge changes from lorikeet heimdal:Stefan Metzmacher1-22/+52
support for netbios domain based realms metze (This used to be commit dcec6eebf1b474ae3055449efebf491b1106a458)
2007-10-10r19650: Allow Samba to use Heimdal's SPNEGO code. Currently this can onlyAndrew Bartlett2-5/+4
negotiate krb5, but if this works, I'll add NTLM as a GSSAPI backend by some means or other. Andrew Bartlett (This used to be commit 476452e143f61a3878a3646864729daaddccdf68)
2007-10-10r19644: Merge up to current lorikeet-heimdal, incling addingAndrew Bartlett10-73/+181
gsskrb5_set_default_realm(), which should fix mimir's issues. Andrew Bartlett (This used to be commit 8117e76d2adee163925a29df872015ff5021a1d3)
2007-10-10r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in ↵Andrew Bartlett17-215/+466
favour of a more tasteful replacement. Remove kerberos_verify.c, as we don't need that code any more. Replace with code for using the new krb5_rd_req_ctx() borrowed from Heimdal's accecpt_sec_context.c Andrew Bartlett (This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)
2007-10-10r19632: This got missed in the heimdal merge. Without this, we don't keep theAndrew Bartlett1-1/+1
full database name. The existing code (needed for when we use the HDB as a keytab, such as for the kpasswd service) only works for HDB keytabs not prefixed with a type. Andrew Bartlett (This used to be commit 12dc157daea4a20200f910d8e71c49670e35ef50)
2007-10-10r19616: the heimdal spnego mech doesn't seem to use roken.h and isn't portableStefan Metzmacher1-0/+2
(it doesn't compile on suse 10.1 because gethostname() isn't found, unistd.h isn't included...) as we don't need the spnego mech, disable it till it gets fixed in heimdal metze (This used to be commit 0a52e11a9c34281c9ea284e007086b2ae6fce6c7)
2007-10-10r19615: include roken.h.in as this still includes the ifdef's we need in samba4Stefan Metzmacher2-276/+706
this should fix the portability of samba4 metze (This used to be commit 497543a17eaea16c3c7f379ed238e573427e28da)
2007-10-10r19613: remove diff between samba4 and lorikeetStefan Metzmacher1-0/+2
metze (This used to be commit bec1783c4c8ebba76c5467982c96e823491ce023)
2007-10-10r19612: fix the build with auto dependenciesStefan Metzmacher1-3/+0
the samba4 heimdal copy should do not need to use socket_wrapper metze (This used to be commit 704fe739406fb5eae38f4be9602b77be5ea1dff1)
2007-10-10r19606: Remove generated filesAndrew Bartlett3-463/+0
Andrew Bartlett (This used to be commit 7b7e1fe15358d9ed1893305fbf8a1010293ed772)
2007-10-10r19604: This is a massive commit, and I appologise in advance for it's size.Andrew Bartlett231-9365/+22496
This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
2007-10-10r19325: leak fix from lhaAndrew Tridgell1-1/+4
(This used to be commit 248f3265e6339f279691be5d17ca4ce733c6590d)
2007-10-10r18826: Allow 'enterprise' principal names to log in.Andrew Bartlett5-14/+30
These principals do not need to be in the same realm as the rest of the ticket, the full principal name is in the first componet of the ASN.1. Samba4's backend will handle getting this to the 'right' place. Andrew Bartlett (This used to be commit 90b01b8af21609e2e5c8b6bd8cab8bd393844acf)
2007-10-10r18528: work around what appears to be a compiler bug in gcc on irix. ItAndrew Tridgell1-1/+1
caused the RPC-SECRETS test to crash smbd in an inlined version of this memcmp() call. This patch should have absolutely no effect at all, but in fact it prevents the crash. Disassembling at the point of the crash, it shows that gcc is inlining the memcmp(). I don't know enough MIPS assembler to actually spot the bug. In case anyone reading this does know MIPS assembler, here is the gcc generated code that crashes: 0x105e0218 <gssapi_krb5_verify_header+168>: lw $t1,52($sp) 0x105e021c <gssapi_krb5_verify_header+172>: lw $t1,0($t1) 0x105e0220 <gssapi_krb5_verify_header+176>: lhu $t1,0($t1) 0x105e0224 <gssapi_krb5_verify_header+180>: lw $t2,68($sp) 0x105e0228 <gssapi_krb5_verify_header+184>: lhu $t2,0($t2) 0x105e022c <gssapi_krb5_verify_header+188>: subu $t1,$t1,$t2 it gets a segv at 0x105e0220. lha, what do you think of this? The change should be innocuous on all other platforms, apart from making the code harder to read :( (This used to be commit 95455b57893c99d6d2dc20c4f75042ae4c1cfe85)
2007-10-10r18322: fixed a compilation problem on AIX caused by lex not putting config.hAndrew Tridgell2-1/+3
first. That leads to a conflicting define for lseek() due to _LARGE_FILES being defined after standards headers are included (This used to be commit 9034238e27f22a7077df9fa0d7c83cce4503aabc)
2007-10-10r18308: get this right ....Andrew Tridgell1-1/+1
(This used to be commit 3697cd6597875fe22f6885ce20612a32d0be2513)
2007-10-10r18300: fixed a type bug in heimdal - lha, you happy with this upstream? ItAndrew Tridgell1-1/+1
showed up on ia_64 systems (This used to be commit 1f38a7ea56944466d90622832e4570dc324adc4e)
2007-10-10r18204: darn, compilers always look in the directory the source is in forAndrew Tridgell18-18/+18
headers with "" even with a -I override. That means our heimdal_build/ roken override doesn't work. Switching to <> style includes in roken fixes this. lha, would be be acceptable upstream? I notice that half your includes of roken.h are with <> now anyway, so should be harmless (and even more consistent!) (This used to be commit 92742b899941687c861a85683ad2c2c6a3083fb6)
2007-10-10r18031: Merge my replace fixes:Jelmer Vernooij2-578/+777
* libreplace can now build stand-alone * add stub testsuite for libreplace * make talloc/tdb/ldb use libreplace (This used to be commit fe7ca4b1454e01a33ed0d53791ebffdd349298b4)
2007-10-10r17930: Merge noinclude branch:Jelmer Vernooij1-587/+777
* Move dlinklist.h, smb.h to subsystem-specific directories * Clean up ads.h and move what is left of it to dsdb/ (only place where it's used) (This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
2007-10-10r16235: Don't update minor_status when cleaning up on error. This restoresAndrew Bartlett1-2/+2
sensible log messages to gensec_gssapi. Andrew Bartlett (This used to be commit df2e4f061f3bc82930dfcdbb75b775939ae8832e)
2007-10-10r16100: Patch from Michael Wood <mwood@icts.uct.ac.za>: s/then/than/ for ↵Gerald Carter6-8/+8
correct grammar (This used to be commit 26a2fa97e4c819e630bc9b50e11c8d5328c7b8c8)
2007-10-10r16056: Fix errors found by trying to use our kpasswd server and the Apple ↵Andrew Bartlett1-1/+1
client. Andrew Bartlett (This used to be commit ae2913898c983dcba69b5d0b89c428e450e9bf5f)
2007-10-10r16000: - use uint16_t instead of u_int16_tStefan Metzmacher1-5/+6
- use int32_t for seq_number both changes let us use the types which the main heimdal code uses metze (This used to be commit ecff7b70aadb9ac27731a5b44aa20b49ac82321a)
2007-10-10r15993: don't use u_int32_t, as the main heimdal code also don't useStefan Metzmacher2-5/+5
it anymore metze (This used to be commit e1842c9b55ffd0792fea2cff37b812d319c76f1f)
2007-10-10r15953: our timegm() replacement still doesn't work, so grab the one fromAndrew Tridgell1-71/+0
Heimdal which does work. This should fix most of the rest of the failures on solaris (This used to be commit acfaa98b5ea686feb81350baf09b3f4480f96edc)
2007-10-10r15515: Syncronsise with current lorikeet-heimdal.Andrew Bartlett5-182/+21
Andrew Bartlett (This used to be commit 0132312124260f74001546a34ff96db89d72b7f6)
2007-10-10r15491: Always initialise is_cfx (found by Valgrind)Andrew Bartlett1-1/+3
Always remember to free the crypto context (found by Luke Howard) (This used to be commit 4b44355d42592f4acaae459c6ae09dd928f083b7)
2007-10-10r15484: Make accept_security_context() more compatible with how Samba3 (andAndrew Bartlett3-16/+46
similarly built clients) behave. This is better than just ignoring the checksum, if it isn't the GSSAPI checksum. (Samba4 clients in Samba3 mode use more than just the MD5 checksum, and will use a signed AES checksum if available. Actual samba3 may well do the same in future, against a suitable KDC). Also a change for easier debugging of checksum issues. Andrew Bartlett (This used to be commit 120374f5f9e9af0653a26e0308e4bfdabbcaa3f3)
2007-10-10r15481: Update heimdal/ to match current lorikeet-heimdal.Andrew Bartlett54-321/+613
This includes many useful upstream changes, many of which should reduce warnings in our compile. It also includes a change to the HDB interface, which removes the need for Samba4/lorikeet-heimdal to deviate from upstream for hdb_fetch(). The new flags replace the old entry type enum. (This required the rework in hdb-ldb.c included in this commit) Andrew Bartlett (This used to be commit ef5604b87744c89e66e4d845f45b23563754ec05)
2007-10-10r15192: Update Samba4 to use current lorikeet-heimdal.Andrew Bartlett60-3447/+2687
Andrew Bartlett (This used to be commit f0e538126c5cb29ca14ad0d8281eaa0a715ed94f)
2007-10-10r15155: Add strsep replacement from heimdal 0.7.2 for systems that don'tJames Peach1-0/+61
have strsep in libc. (This used to be commit 76dea9f68ca9be909c45979c9e5510133e4f2264)
2007-10-10r14949: re-add the two lex.c files for heimdal, these are needed for systemsAndrew Tridgell2-0/+4520
that don't have bison/flex. If we auto-generate these on samba.org we can delete these again. (This used to be commit dca9003ec27747cf7a584ee67fd222ab22601494)
2007-10-10r14707: Initialise default value (the rest of this function sets it to 1 ifAndrew Bartlett1-0/+1
this is CFX). Caught by Valgrind. Andrew Bartlett (This used to be commit bdb55ce2b57adf3b7c6eb1455c3775d013c72e5d)
2007-10-10r14635: - Remove lex.c from SVN (it is built anyway, and having it in SVNAndrew Bartlett9-4320/+113
confuses things) - Update Samba4 from lorikeet-heimdal - Remove generated symlink on make clean Andrew Bartlett (This used to be commit a5c2b4cc92e807d18cb8df99bebf004fa4252e1e)
2007-10-10r14605: Create heimdal/lib/des/hcrypto symlink if it doesn't existJelmer Vernooij1-1/+0
(This used to be commit 303832bdc90f371c68185773009d143d1acf93ae)
2007-10-10r14281: Pull apart LIBDIR and MODULESDIRJelmer Vernooij2-120/+249
Move architecture-independent data to DATADIR (was LIBDIR) (This used to be commit 2c7b62a861f702067e8df4c3239ac7e377631a15)
2007-10-10r14198: Update Samba4 to current lorikeet-heimdal.Andrew Bartlett58-677/+2999
Andrew Bartlett (This used to be commit 97a0a0e2fa6784e5fc5278f7a15b385ddcb6a3b3)
2007-10-10r13481: As far as I can tell, my changes in -r 12863 were dangerously untested.Andrew Bartlett3-2/+62
We do need the gsskrb5_get_initiator_subkey() routine. But we should ensure that we do always get a valid key, to prevent any segfaults. Without this code, we get a different session key compared with Win2k3, and so kerberised smb signing fails. Andrew Bartlett (This used to be commit cfd0df16b74b0432670b33c7bf26316b741b1bde)
2007-10-10r13144: This seems to be required for Samba4 to talk to Samba4, and to get theAndrew Bartlett1-0/+11
same session key. I need to understand this more, but it works samba/samba, and I don't have access to windows doing AES (longhorn) yet. Andrew Bartlett (This used to be commit 38809b43a5d6bd668e9cb714573dc1e72ceff092)
2007-10-10r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in ourAndrew Bartlett4-1/+289
case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
2007-10-10r12863: As lha suggested to me a while back, it appears that theAndrew Bartlett3-48/+2
gsskrb5_get_initiator_subkey() routine is bougs. We can indeed use gss_krb5_get_subkey(). This is fortunate, as there was a segfault bug in 'initiator' version. Andrew Bartlett (This used to be commit ec11870ca1f9231dd3eeae792fc3268b31477e11)
2007-10-10r12696: Reduce the size of include/structs.hJelmer Vernooij1-0/+3
(This used to be commit 63917616016133c623fc6ff59454bc313ee7dd8f)
2007-10-10r12269: Update to current lorikeet-heimdal. This changed the way the hdbAndrew Bartlett20-433/+554
interface worked, so hdb-ldb.c and the glue have been updated. Andrew Bartlett (This used to be commit 8fd5224c6b5c17c3a2c04c7366b7e367012db77e)
2007-10-10r12037: Fix malloc corruption caused by double-free(), where realloc(ptr, 0)Andrew Bartlett1-3/+9
is equivilant to free(). This is the issue tridge was seeing in the MEMORY: keytab code. Andrew Bartlett (This used to be commit d5a2de8ef06a08274d25ab005f2a68ec32e226f0)
2007-10-10r12000: Update to current lorikeet-heimdal, including in particular supportAndrew Bartlett12-26/+504
for referencing an existing in-MEMORY keytab (required for the new way we push that to GSSAPI). Andrew Bartlett (This used to be commit 2426581dfb9f5f0f9367f846c01dfd3c30fea954)
2007-10-10r11995: A big kerberos-related update.Andrew Bartlett17-208/+244
This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY keytab, so we now create a FILE based keytab as provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2007-10-10r11543: A major upgrade to our KDC and PAC handling.Andrew Bartlett4-11/+37
We now put the PAC in the AS-REP, so that the client has it in the TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the client wants a ticket. This should also allow us to interop with windows KDCs. If we get an invalid PAC at the TGS stage, we just drop it. I'm slowly trying to move the application logic out of hdb-ldb.c, and back in with the rest of Samba's auth system, for consistancy. This continues that trend. Andrew Bartlett (This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
2007-10-10r11542: Add the netbios name type. We will need it when we start to handleAndrew Bartlett1-0/+1
allowedWorkstations on Krb5. Andrew Bartlett (This used to be commit dbf73a82fc7d1f82e2ad45e545cefdd9a5b24215)