path: root/source4/heimdal
Age | Commit message | Author | Files | Lines
2012-02-10 | heimdal: Re-run lexyacc.sh | Andrew Bartlett | 10 | -6378/+2423
2012-01-12 | Revert "make paranoia check less paranoid" - check that key types strictly match | Andrew Bartlett | 1 | -1/+1
This reverts commit c25af51232616061bb08eea86aae595b4f029490 because otherwise we could attempt to check a CKSUMTYPE_HMAC_SHA1_96_AES_256 key with a KRB5_ENCTYPE_ARCFOUR_HMAC_MD5 key. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Jan 12 09:43:07 CET 2012 on sn-devel-104
2012-01-12 | make hmac-md5 the keyed checksum type for arcfour-hmac-md5 | Andrew Bartlett | 1 | -1/+1
2012-01-12 | use ETYPE_DES3_CBC_SHA1 for the verify step in verify_mic_des3 | Andrew Bartlett | 1 | -0/+8
This allows a strict link between checksum types and key types to be enforced. Andrew Bartlett
2012-01-12 | heimdal: remove checking of KDC PAC signature, delegate to wdc plugin | Andrew Bartlett | 1 | -12/+2
The checking of the KDC signature is more complex than it looks, it may be of a different enc type to that which the ticket is encrypted with, and may even be prefixed with the RODC number. This is better handled in the plugin which can easily look up the DB for the correct key to verify this with, and can also quickly determine if this is an interdomain trust, which we cannot verify the PAC for. Andrew Bartlett
2011-12-12 | HEIMDAL: Supply krb5_context to _krb5_internal_hmac to allow logging | Andrew Bartlett | 1 | -6/+6
Without this, log messages from any abort are not printed to the samba logs. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Dec 12 14:34:16 CET 2011 on sn-devel-104
2011-11-16 | HEIMDAL:lib/krb5: add utf8 support to build_logon_name() for the PAC | Stefan Metzmacher | 1 | -18/+49
Pair-Programmed-With: Arvid Requate <requate@univention.de> metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Nov 16 02:00:12 CET 2011 on sn-devel-104
2011-11-16 | HEIMDAL:lib/wind: export wind_ucs2write() | Stefan Metzmacher | 1 | -0/+1
Pair-Programmed-With: Arvid Requate <requate@univention.de> metze
2011-11-16 | HEIMDAL:lib/winbd: fix wind_ucs2write with WIND_RW_LE | Stefan Metzmacher | 1 | -4/+4
Pair-Programmed-With: Arvid Requate <requate@univention.de> metze
2011-11-16 | HEIMDAL:lib/wind: fix wind_ucs4utf8() and wind_ucs2utf8() | Stefan Metzmacher | 1 | -5/+5
Pair-Programmed-With: Arvid Requate <requate@univention.de> metze
2011-10-04 | heimdal: handle referrals for 3 part DRSUAPI SPNs | Andrew Tridgell | 1 | -1/+18
This handles referrals for SPNs of the form E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/REALM, which are used during DRS replication when we don't know the dnsHostName of the target DC (which we don't know until the first replication from that DC completes). We use the 3rd part of the SPN directly as the realm name in the referral. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-09-05 | heimdal: Try to handle the PAC checking when we are in a cross-realm environment | Andrew Bartlett | 1 | -1/+10
2011-07-26 | s4:heimdal: import lorikeet-heimdal-201107241840 (commit 0fdf11fa3cdb47df9f5393ebf36d9f5742243036) | Stefan Metzmacher | 42 | -115/+555
2011-07-24 | s4:heimdal: build samba4kgetcred | Stefan Metzmacher | 1 | -0/+235
metze
2011-07-15 | s4:heimdal: add missing files | Stefan Metzmacher | 5 | -0/+638
metze
2011-07-15 | s4:heimdal: import lorikeet-heimdal-201107150856 (commit 48936803fae4a2fb362c79365d31f420c917b85b) | Stefan Metzmacher | 312 | -2505/+3559
2011-06-28 | s4:kdc: generate the S4U_DELEGATION_INFO in the regenerated pac | Stefan Metzmacher | 1 | -4/+2
metze
2011-06-28 | HEIMDAL:kdc: pass down the delegated_proxy_principal to the verify_pac() | Stefan Metzmacher | 3 | -20/+41
function This is needed in order to add the S4U_DELEGATION_INFO to the pac. metze
2011-06-28 | HEIMDAL:kdc/windc_plugin.h: KRB5_WINDC_PLUGIN_MINOR 4 => 5 | Stefan Metzmacher | 1 | -2/+2
commit "heimdal Add support for extracting a particular KVNO from the database" (f469fc6d4922d796f5c61bf43e3efc018e37b680 in heimdal/master and 9b5e304ccedc8f0f7ce2342e4d9c621417dd1c1e in samba/master) changed the windc_plugin interface, so we need to change the version number. metze
2011-06-24 | HEIMDAL:kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given | Stefan Metzmacher | 1 | -4/+4
A service should use S4U2Self instead of S4U2Proxy. Windows servers allow S4U2Proxy only to explicitly configured target principals. metze
2011-06-24 | HEIMDAL:kdc: pass down the server hdb_entry_ex to check_constrained_delegation() | Stefan Metzmacher | 1 | -5/+19
This way we can compare the already canonicalized principals, while still passing the client specified target principal down to the backend specific constrained_delegation() hook. metze
2011-06-24 | HEIMDAL:kdc: use the correct client realm in the EncTicketPart | Stefan Metzmacher | 1 | -1/+1
With S4U2Proxy tgt->crealm might be different from tgt_name->realm. metze
2011-05-31 | heimdal: Remove getprogname and setprogname from the heimdal import | Andrew Bartlett | 2 | -139/+0
2011-05-18 | HEIMDAL:kdc: check and regenerate the PAC in the s4u2proxy case | Stefan Metzmacher | 1 | -13/+38
TODO: we need to add a S4U_DELEGATION_INFO to the PAC later. metze
2011-05-18 | HEIMDAL:kdc: pass the correct principal name for the resulting service ticket | Stefan Metzmacher | 1 | -38/+36
Depending on S4U2Proxy the principal name for the resulting ticket is not the principal of the client ticket. metze
2011-05-18 | HEIMDAL:kdc: let check_PAC() to verify the incoming server and krbtgt checksums | Stefan Metzmacher | 1 | -4/+7
For a normal TGS-REQ they're both signed with krbtgt key. But for S4U2Proxy requests which ask for constrained delegation, the keys differ. metze
2011-04-16 | s4-heimdal: Allow any kvno to match when searching the keytab. | Andrew Bartlett | 1 | -2/+1
Windows does not use a KVNO when it checks its passwords, and MIT doesn't check the KVNO when no acceptor identity is specified (looping over all keys in the keytab). Andrew Bartlett
2011-03-14 | Merge new lorikeet heimdal, revision 85ed7247f515770c73b1f1ced1739f6ce19d75d2 | Jelmer Vernooij | 55 | -2722/+6907
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Mon Mar 14 23:53:46 CET 2011 on sn-devel-104
2011-03-04 | HEIMDAL:kdc: correctly propagate HDB_ERR_NOT_FOUND_HERE to via tgs_parse_request() and _kdc_tgs_rep() | Stefan Metzmacher | 1 | -0/+5
metze
2011-02-25 | s4:heimdal - fix valgrind issue on Fedora 14 | Milan Crha | 6 | -148/+148
This should definitely fix bug #7858. Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Fri Feb 25 12:39:21 CET 2011 on sn-devel-104
2011-02-25 | Revert "heimdal_build omit #line statements to allow valgrind to work again" | Matthias Dieter Wallnöfer | 7 | -53/+376
This reverts commit 80e23c68d83a7c9989f87d5a88a78bb76d222afc. A better patch has been provided by Milan Crha in the following commit.
2011-02-25 | heimdal_build omit #line statements to allow valgrind to work again | Andrew Bartlett | 7 | -376/+53
The lex/yacc files were generated on Fedora 14, and have empty filenames in #line declarations. I don't know why this is, but it seems best just to omit the #line statements. This is what was causing Valgrind on Fedora not to run on Samba binaries and programs linked to Samba libraries. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Fri Feb 25 11:46:56 CET 2011 on sn-devel-104
2011-02-17 | heimdal Pass F_CANON down to the hdb layer for servers in AS-REP as well | Andrew Bartlett | 1 | -2/+1
This fixes Win2003 domain logons against Samba4, which need a canonicalised reply, and helpfully do set that flag. Specifically, they need that realm in krbtgt/realm@realm that these both match exactly in the reply. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Feb 17 06:40:53 CET 2011 on sn-devel-104
2011-02-02 | s4:heimdal: import lorikeet-heimdal-201101310455 (commit aa88eb1a05c4985cc23fb65fc1bad75bdce01c1f) | Andrew Bartlett | 54 | -185/+192
2010-12-18 | heimdal_build: Add version-script for heimdal_base, hx509 and hcrypto. Convert hbase and hcrypto to libraries. | Jelmer Vernooij | 1 | -0/+244
2010-12-17 | heimdal_build: Add version-script for krb5. | Jelmer Vernooij | 1 | -0/+769
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Fri Dec 17 21:09:25 CET 2010 on sn-devel-104
2010-12-17 | heimdal_build: Add version-script for gssapi. | Jelmer Vernooij | 1 | -0/+180
2010-12-17 | heimdal_build: Add version-script for asn1. | Jelmer Vernooij | 1 | -0/+6
2010-12-17 | heimdal_build: Add version-script for hdb. | Jelmer Vernooij | 1 | -0/+107
2010-12-17 | heimdal_build: Add version-script for kdc. | Jelmer Vernooij | 1 | -0/+21
2010-12-17 | heimdal_build: Add version-script for wind. | Jelmer Vernooij | 1 | -0/+28
2010-12-17 | heimdal_build: Add version-script for ntlm. | Jelmer Vernooij | 1 | -0/+30
2010-12-17 | heimdal: Add version script file for hcrypto (unused so far, as hcrypto still needs to be made a proper library). | Jelmer Vernooij | 1 | -0/+299
2010-12-17 | heimdal_build: Add version-script for roken. | Jelmer Vernooij | 1 | -0/+199
2010-12-17 | heimdal_build: Add version-script for com_err. | Jelmer Vernooij | 2 | -0/+48
2010-12-11 | heimdal: unset SLIST_ENTRY only if we are with windows | Matthieu Patou | 1 | -1/+3
This is needed because otherwise on some OS like netbsd, openbsd, MacOSX the preprocessing of ./heimdal/lib/gssapi/mech/cred.h on this platform is broken because mechqueue.h's definition won't be used as SLIST_HEAD is already defined. The definition occurs when net/if.h is included as it includes sys/queue.h Autobuild-User: Matthieu Patou <mat@samba.org> Autobuild-Date: Sat Dec 11 00:34:51 CET 2010 on sn-devel-104
2010-12-01 | s4:heimdal: import lorikeet-heimdal-201012010201 (commit 81fe27bcc0148d410ca4617f8759b9df1a5e935c) | Andrew Bartlett | 76 | -3707/+2651
2010-12-01 | heimdal: fix for w2000 from lha | Andrew Tridgell | 1 | -2/+14
Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Dec 1 00:59:59 CET 2010 on sn-devel-104
2010-11-29 | heimdal:base/heimbase.c - remove an unused variable | Matthias Dieter Wallnöfer | 1 | -1/+0
2010-11-17 | heimdal: added HEIM_BASE_NON_ATOMIC option | Andrew Tridgell | 1 | -1/+8
This allows heimdal to build without gcc, by not using atomic operations. We don't need heimdal to be atomic in Samba.