Age | Commit message (Collapse) | Author | Files | Lines |
|
ccache, as well as PKINIT.
Andrew Bartlett
(This used to be commit 440b8d9e4b09d5e8c943504ade85c17f752fe705)
|
|
(This used to be commit 123ae858c77c2507bdac6a93be1e2932a3fd7375)
|
|
(This used to be commit 2694bfb143eeb78a9a0b121dbc6a3e0a908ca06c)
|
|
metze
(This used to be commit e4d69b83dcee2f50e95690d84f95d9e69acf858e)
|
|
love: please merge this
metze
(This used to be commit 3e4ff2de9c57170d275adf54ffa00ac81253a714)
|
|
metze
(This used to be commit ac347d7aa588574f6a18229083569608327874d8)
|
|
maybe there's some broken code in windows which relies
on this...
love: can you merge this to heimdal?
metze
(This used to be commit b64abf9113a939308dc9e92ff7ddaad7be6ab551)
|
|
the krbtgt hdb entry provides.
We need to make sure other KDC's with the same hdb backend data
can accept the TGT. (w2k and w2k3 don't support aes256-cts-hmac-sha1-96 (18)
session keys.)
Love: I'm not sure if this is the correct way of doing it...
metze
(This used to be commit 5840f50d8954e95a7071a90a1c4dcce9ae05d77c)
|
|
of KDC behaviour. This should allow PKINIT to be turned on and
managed with reasonable sanity.
This also means that the krb5.conf in the same directory as the
smb.conf will always have priority in Samba4, which I think will be
useful.
Andrew Bartlett
(This used to be commit a50bbde81b010bc5d06e3fc3417ade44627eb771)
|
|
(This used to be commit 42bb335bd50a5070ee59c9d9748db8a9e9d6a9b0)
|
|
(This used to be commit b3e2d4908781781a487eaeb683d22eb967e5597d)
|
|
(This used to be commit a4051a2d6537a536266ce7562cd6b833528dd263)
|
|
(This used to be commit 5870830b99a8d76bda1ff5af3fcf8dda9aba50ec)
|
|
Andrew Bartlett
(This used to be commit 12953ee765de1beeab547cb30ab292b77501d9c9)
|
|
before the last merge.
Andrew Bartlett
(This used to be commit 9e7124cc85ec9ed8291769689aa38ab14b3754d8)
|
|
Update Heimdal to match current lorikeet-heimdal. This includes
integrated PAC hooks, so Samba doesn't have to handle this any more.
This also brings in the PKINIT code, hence so many new files.
Andrew Bartlett
(This used to be commit 351f7040f7bb73b9a60b22b564686f7c2f98a729)
|
|
requested it!
this is needed to create plain, singed or sealed LDAP connections.
this should go into lorikeet and main heimdal...
metze
(This used to be commit 75c037cae21714e394a63f2506387e1049eb4406)
|
|
lookup plugin, the new PAC validation code as well as Heimdal's SPNEGO
implementation.
Andrew Bartlett
(This used to be commit 05421f45ed7811697ea491e26c9d991a7faa1a64)
|
|
support for netbios domain based realms
metze
(This used to be commit dcec6eebf1b474ae3055449efebf491b1106a458)
|
|
negotiate krb5, but if this works, I'll add NTLM as a GSSAPI backend
by some means or other.
Andrew Bartlett
(This used to be commit 476452e143f61a3878a3646864729daaddccdf68)
|
|
gsskrb5_set_default_realm(), which should fix mimir's issues.
Andrew Bartlett
(This used to be commit 8117e76d2adee163925a29df872015ff5021a1d3)
|
|
favour of a more tasteful replacement.
Remove kerberos_verify.c, as we don't need that code any more.
Replace with code for using the new krb5_rd_req_ctx() borrowed from
Heimdal's accecpt_sec_context.c
Andrew Bartlett
(This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)
|
|
full database name. The existing code (needed for when we use the HDB
as a keytab, such as for the kpasswd service) only works for HDB
keytabs not prefixed with a type.
Andrew Bartlett
(This used to be commit 12dc157daea4a20200f910d8e71c49670e35ef50)
|
|
(it doesn't compile on suse 10.1 because gethostname() isn't found,
unistd.h isn't included...)
as we don't need the spnego mech, disable it till it gets fixed in heimdal
metze
(This used to be commit 0a52e11a9c34281c9ea284e007086b2ae6fce6c7)
|
|
this should fix the portability of samba4
metze
(This used to be commit 497543a17eaea16c3c7f379ed238e573427e28da)
|
|
metze
(This used to be commit bec1783c4c8ebba76c5467982c96e823491ce023)
|
|
the samba4 heimdal copy should do not need to use socket_wrapper
metze
(This used to be commit 704fe739406fb5eae38f4be9602b77be5ea1dff1)
|
|
Andrew Bartlett
(This used to be commit 7b7e1fe15358d9ed1893305fbf8a1010293ed772)
|
|
This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.
This is such a big change because Heimdal reorganised it's internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases.
In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC. This matches windows behavour. We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).
This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.
Andrew Bartlett
(This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
|
|
(This used to be commit 248f3265e6339f279691be5d17ca4ce733c6590d)
|
|
These principals do not need to be in the same realm as the rest of
the ticket, the full principal name is in the first componet of the
ASN.1.
Samba4's backend will handle getting this to the 'right' place.
Andrew Bartlett
(This used to be commit 90b01b8af21609e2e5c8b6bd8cab8bd393844acf)
|
|
caused the RPC-SECRETS test to crash smbd in an inlined version of
this memcmp() call. This patch should have absolutely no effect at
all, but in fact it prevents the crash.
Disassembling at the point of the crash, it shows that gcc is inlining
the memcmp(). I don't know enough MIPS assembler to actually spot the
bug. In case anyone reading this does know MIPS assembler, here is the
gcc generated code that crashes:
0x105e0218 <gssapi_krb5_verify_header+168>: lw $t1,52($sp)
0x105e021c <gssapi_krb5_verify_header+172>: lw $t1,0($t1)
0x105e0220 <gssapi_krb5_verify_header+176>: lhu $t1,0($t1)
0x105e0224 <gssapi_krb5_verify_header+180>: lw $t2,68($sp)
0x105e0228 <gssapi_krb5_verify_header+184>: lhu $t2,0($t2)
0x105e022c <gssapi_krb5_verify_header+188>: subu $t1,$t1,$t2
it gets a segv at 0x105e0220.
lha, what do you think of this? The change should be innocuous on all
other platforms, apart from making the code harder to read :(
(This used to be commit 95455b57893c99d6d2dc20c4f75042ae4c1cfe85)
|
|
first. That leads to a conflicting define for lseek() due to
_LARGE_FILES being defined after standards headers are included
(This used to be commit 9034238e27f22a7077df9fa0d7c83cce4503aabc)
|
|
(This used to be commit 3697cd6597875fe22f6885ce20612a32d0be2513)
|
|
showed up on ia_64 systems
(This used to be commit 1f38a7ea56944466d90622832e4570dc324adc4e)
|
|
headers with "" even with a -I override. That means our heimdal_build/
roken override doesn't work.
Switching to <> style includes in roken fixes this. lha, would be be
acceptable upstream? I notice that half your includes of roken.h are
with <> now anyway, so should be harmless (and even more consistent!)
(This used to be commit 92742b899941687c861a85683ad2c2c6a3083fb6)
|
|
* libreplace can now build stand-alone
* add stub testsuite for libreplace
* make talloc/tdb/ldb use libreplace
(This used to be commit fe7ca4b1454e01a33ed0d53791ebffdd349298b4)
|
|
clear what the conditions on this code are, and that the terms are GPL
compatible.
Andrew Bartlett
(This used to be commit 99ce2ecf396837caa812acf279f5156c50818373)
|
|
* Move dlinklist.h, smb.h to subsystem-specific directories
* Clean up ads.h and move what is left of it to dsdb/
(only place where it's used)
(This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
|
|
sensible log messages to gensec_gssapi.
Andrew Bartlett
(This used to be commit df2e4f061f3bc82930dfcdbb75b775939ae8832e)
|
|
correct grammar
(This used to be commit 26a2fa97e4c819e630bc9b50e11c8d5328c7b8c8)
|
|
client.
Andrew Bartlett
(This used to be commit ae2913898c983dcba69b5d0b89c428e450e9bf5f)
|
|
- use int32_t for seq_number
both changes let us use the types which the main heimdal code uses
metze
(This used to be commit ecff7b70aadb9ac27731a5b44aa20b49ac82321a)
|
|
it anymore
metze
(This used to be commit e1842c9b55ffd0792fea2cff37b812d319c76f1f)
|
|
Heimdal which does work. This should fix most of the rest of the
failures on solaris
(This used to be commit acfaa98b5ea686feb81350baf09b3f4480f96edc)
|
|
Andrew Bartlett
(This used to be commit 0132312124260f74001546a34ff96db89d72b7f6)
|
|
Always remember to free the crypto context (found by Luke Howard)
(This used to be commit 4b44355d42592f4acaae459c6ae09dd928f083b7)
|
|
similarly built clients) behave.
This is better than just ignoring the checksum, if it isn't the GSSAPI
checksum. (Samba4 clients in Samba3 mode use more than just the MD5
checksum, and will use a signed AES checksum if available. Actual
samba3 may well do the same in future, against a suitable KDC).
Also a change for easier debugging of checksum issues.
Andrew Bartlett
(This used to be commit 120374f5f9e9af0653a26e0308e4bfdabbcaa3f3)
|
|
This includes many useful upstream changes, many of which should
reduce warnings in our compile.
It also includes a change to the HDB interface, which removes the need
for Samba4/lorikeet-heimdal to deviate from upstream for hdb_fetch().
The new flags replace the old entry type enum.
(This required the rework in hdb-ldb.c included in this commit)
Andrew Bartlett
(This used to be commit ef5604b87744c89e66e4d845f45b23563754ec05)
|
|
Andrew Bartlett
(This used to be commit f0e538126c5cb29ca14ad0d8281eaa0a715ed94f)
|