Age | Commit message (Collapse) | Author | Files | Lines |
|
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
|
|
We now put the PAC in the AS-REP, so that the client has it in the
TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the
client wants a ticket.
This should also allow us to interop with windows KDCs.
If we get an invalid PAC at the TGS stage, we just drop it.
I'm slowly trying to move the application logic out of hdb-ldb.c, and
back in with the rest of Samba's auth system, for consistancy. This
continues that trend.
Andrew Bartlett
(This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
|
|
allowedWorkstations on Krb5.
Andrew Bartlett
(This used to be commit dbf73a82fc7d1f82e2ad45e545cefdd9a5b24215)
|
|
Andrew Bartlett
(This used to be commit 6bb1b244284a209ebcb50c17ad59d4528658da0b)
|
|
the code in auth/auth_sam.c for consistancy. This will also allow us
to have one place for a backend directory hook.
I will use a very similar hook to add the PAC.
Andrew Bartlett
(This used to be commit 4315836cd8c94eb8340c4050804face4d0066810)
|
|
wanted. There is nothing that suggests that the host we forward
credentials to will not have other interfaces, unassoicated with their
service name. Likewise, the name may be a netbios, not DNS name.
This should avoid some nasty DNS lookups.
Andrew Bartlett
(This used to be commit da0ff19856a8f41eb64787990d47d2961824711d)
|
|
change this checksum, as it is inside the encrypted packets.
Where the client (such as Samba3) fakes up GSSAPI, allow it to
continue. We can't rid the world of all Samba3 and similar clients...
Andrew Bartlett
(This used to be commit e60cdb63fb37e44252f83a56a6302f0bd22dec4d)
|
|
credentials. This means we now delegate to windows correctly.
Andrew Bartlett
(This used to be commit d6928a3bf86f1ab89f29eac538ceb701c6669913)
|
|
DCE_STYLE modified version, and add parametric options to control
delegation.
It turns out the only remaining issue is sending delegated credentials
to a windows server, probably due to the bug lha mentions in his blog
(using the wrong key).
If I turn delgation on in smbclient, but off in smbd, I can proxy a
cifs session.
I can't wait till Heimdal 0.8, so I'll see if I can figure out the fix
myself :-)
Andrew Bartlett
(This used to be commit fd5fd03570c13f5644e53ff89ac8eca7c0985740)
|
|
Andrew Bartlett
(This used to be commit 0a4194118974bdde4e10fd32578a5beeb6e768ce)
|
|
of the gsskrb5_acquire_cred hack.
Add support for delegated credentials into the auth and credentials
subsystem, and specifically into gensec_gssapi.
Add the CIFS NTVFS handler as a consumer of delegated credentials,
when no user/domain/password is specified.
Andrew Bartlett
(This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448)
|
|
(This used to be commit a0b4036ba6ae423bab3ec698d3e404f03bb0f9d5)
|
|
have easy access to the event context.
This stops Samba dead-locking against itself when the winbindd client
tries to contact the KDC.
Andrew Bartlett
(This used to be commit 57f811115ed768ea1f170dcd71038398bf2ab6e9)
|
|
than doing ASN.1 parsing in Samba.
Also use the API function for getting a client from a ticket, rather
than just digging in the structure.
Andrew Bartlett
(This used to be commit 25d5ea6d724bd2b64a6086ae6e2e1c5148b8ca4a)
|
|
to CVS of 2005-10-24).
Andrew Bartlett
(This used to be commit 939d4f340feaad15d0a6a5da79feba2b2558f174)
|
|
Andrew Bartlett
(This used to be commit 1d7094b8dfd53dfda55db7ce30f47f74864093bf)
|
|
at the Samba4 socket layer.
The intention here is to ensure that other events may be processed while
heimdal is waiting on the KDC. The interface is designed to be
sufficiently flexible, so that the plugin may choose how to time
communication with the KDC (ie multiple outstanding requests, looking
for a functional KDC).
I've hacked the socket layer out of cldap.c to handle this very
specific case of one udp packet and reply. Likewise I also handle
TCP, stolen from the winbind code.
This same plugin system might also be useful for a self-contained
testing mode in Heimdal, in conjunction with libkdc. I would suggest
using socket-wrapper instead however.
Andrew Bartlett
(This used to be commit 3b09f9e8f9f6f645cd03073ef833c8d0fb0d84e2)
|
|
Andrew Bartlett
(This used to be commit 77aca9619d24a8e118f53bcd1a1e54b8437812a8)
|
|
Andrew Bartlett
(This used to be commit 4d2a9a9bc497eae269c24cbf156b43b8588e2f73)
|
|
canonicalisation code, I've hacked Heimdal to use the default realm if
no other realm can be determined for a given host.
Andrew Bartlett
(This used to be commit 0f0b0021b7728ce75ca0060003a3d08264ead810)
|
|
on the kerberos mailing lists a couple of weeks ago: Don't use DNS at
all for expanding short names into long names.
Using the 'override krb5_init_context' code already in the tree, this
removes the DNS lag on a kerberos session setup/connection.
Andrew Bartlett
(This used to be commit de3ceab3d064a286e8662a2b9b62b212f0454156)
|
|
the other
ideas I have had.
When I get a full list of things I want to do to a krb5_context I'll
either add gsskrb5_ wrappers, or a way of speicfying the krb5 context
per gssapi context.
(I want to ensure that the only krb5_context variables created while
executing Samba4 are via our wrapper).
Andrew Bartlett
(This used to be commit 8a22d46e70e9f863831aba0c9913d195f833d625)
|
|
(This used to be commit 5767c05909c9927b3a806614b1f1bd2f90a35dd3)
|
|
data to be signed/sealed. We can use this to split the data from the
signature portion of the resultant wrapped packet.
This required merging the gsskrb5_wrap_size patch from
lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no
longer use a static 45 byte value).
This fixes one of the krb5 issues in my list.
Andrew Bartlett
(This used to be commit e4f2afc34362953f56a026b66ae1aea81e9db104)
|
|
Andrew Bartlett
(This used to be commit b9695d5e7cc052a952d8d60bc1ab08e00f4827e8)
|
|
Andrew Bartlett
(This used to be commit c17926b6fe278fd757862885f82fd342b755167c)
|
|
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
|
|
'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a
merge from lorikeet-heimdal, where I removed this)
This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred()
function, as this allows us to specify the target principal, regardless
of which alias the client may use.
This patch also tries to simplify some principal handling and fixes some
error cases.
Posted to samba-technical, reviewed by metze, and looked over by lha on IRC.
Andrew Bartlett
(This used to be commit 506a7b67aee949b102d8bf0d6ee9cd12def10d00)
|
|
lorikeet-heimdal
to Samba4.
Andrew Bartlett
(This used to be commit 6835e427907bf52f7fdd332b726ffa47041853de)
|
|
Merge these norealm functions from lorikeet-heimdal.
Andrew Bartlett
(This used to be commit 6aef275efd7f434f65824eb3dd129c8e5efd8731)
|
|
Andrew Bartlett
(This used to be commit cc35cd5ee2abbd6be01dc1ea66eca0bd48a6f636)
|
|
to Heimdal CVS as of 2005-08-27).
Andrew Bartlett
(This used to be commit 913924a4997f5e14c503f87510cbd8e4bfd965a9)
|
|
Delete test_crypto_wrapping.c, previously included but unbuilt.
Andrew Bartlett
(This used to be commit d5fb30fb0cef330e0947969f0c9afc1f58fc4c7d)
|
|
This is my first attempt at this, so there may be a few rough edges.
Andrew Bartlett
(This used to be commit 9a1d2f2fec67930975da856a2d365345cec46216)
|
|
metze
(This used to be commit 60e2d58685ee50f90d6ad2ce2609a3c0b433ae10)
|
|
metze
(This used to be commit 1008459a98a8232f039b87c91443d653858e0500)
|
|
this should fix the build on solaris 10
lha can that be merged to the main heimdal if that apears to not break
the build on other platforms
metze
(This used to be commit cb0259627976c10906016233fb27a1d05ae7e4b0)
|
|
(This used to be commit 903d963ca8fdefa23eaa77b5117d90b6b84866ab)
|
|
(This used to be commit 87f7098ee3a24be202b6aaa1ab2a4e44b7b89975)
|
|
(This used to be commit 59c3de6ca8b8e153e5cfd67da5f2afc2e23d36db)
|
|
that uses the Samba
interfaces list. This makes heimdal obey the 'interfaces=' smb.conf option, and should also
fix the portability problems with the heimdal code
(This used to be commit ba621d1c554e135f449a144019b84719a086e04f)
|
|
fashion to yapp for pidl
if they are installed, then we rebuild the generated files, otherwise
we use the ones in svn
(This used to be commit 6ab503b7cc902b8691dc80907bb44f1f705ab8ee)
|
|
(This used to be commit 118be28a7aef233799956615a99d1a2a74dac175)
|