summaryrefslogtreecommitdiff
path: root/source4/heimdal
AgeCommit message (Collapse)AuthorFilesLines
2010-11-29heimdal:base/heimbase.c - remove an unused variableMatthias Dieter Wallnöfer1-1/+0
2010-11-17heimdal: added HEIM_BASE_NON_ATOMIC optionAndrew Tridgell1-1/+8
This allows heimdal to build without gcc, by not using atomic operations. We don't need heimdal to be atomic in Samba.
2010-11-17s4-heimdal: implement KERB_AP_ERR_TYPE_SKEW_RECOVERYAndrew Tridgell1-1/+5
this e_data field in a kerberos error packet tells windows to do clock skew recovery. See [MS-KILE] 2.2.1 KERB-ERROR-DATA Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-16heimdal Build ticket with the canonical server nameAndrew Bartlett1-1/+1
We need to use the name that the HDB entry returned, otherwise we will not canonicalise the reply as requested. Andrew Bartlett
2010-11-15heimdal Fetch the client before the PAC check, but after obtaining krbtgt_outAndrew Bartlett1-31/+30
By checking the client principal here, we compare the realm based on the normalised realm, but do so early enough to validate the PAC (and regenerate it if required). Andrew Bartlett
2010-11-15s4:heimdal - fix the return code of a non-void functionMatthias Dieter Wallnöfer1-0/+2
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Mon Nov 15 23:14:57 UTC 2010 on sn-devel-104
2010-11-15heimdal Fix handling of backwards cross-realm detection for Samba4Andrew Bartlett1-18/+48
Samba4 may modify the case of the realm in a returned entry, but will no longer modify the case of the prinicipal components. The easy way to keep this test passing is to consider also what we need to do to get the krbtgt account for the PAC signing - and to use krbtgt/<this>/@REALM component to fetch the real krbtgt, and to use that resutl for realm comparion. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Nov 15 08:47:44 UTC 2010 on sn-devel-104
2010-11-15heimdal Extra files required for merge up to current heimdalAndrew Bartlett29-0/+6699
2010-11-15heimdal regenate lex and yacc filesAndrew Bartlett9-3475/+2672
2010-11-15Add attribute macros for Heimdal to useAndrew Bartlett2-0/+477
Heimdal uses HEIMDAL_NORETURN_ATTRIBUTE and HEIMDAL_PRINTF_ATTRIBUTE, and we need to provide a link between these and Samba's function attribute handling. Andrew Bartlett
2010-11-15s4:heimdal: import lorikeet-heimdal-201011102149 (commit ↵Andrew Bartlett47-11222/+1373
5734d03c20e104c8f45533d07f2a2cbbd3224f29)
2010-11-12heimdal Return HDB_ERR_NOT_FOUND_HERE to the callerAndrew Bartlett3-11/+34
This means that no reply packet should be generated, but that instead the user of the libkdc API should forward the packet to a real KDC, that has a full database. Andrew Bartlett
2010-11-11heimdal Don't dereference NULL in error verify_checksum error pathAndrew Bartlett1-1/+1
Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Nov 11 10:37:03 UTC 2010 on sn-devel-104
2010-11-08heimdal: fixed a shadowed variable warning for error_messageAndrew Tridgell1-23/+23
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-08heimdal Add clock-skew handling to DCE-style GSSAPIAndrew Bartlett1-39/+65
The clock skew handling was previously only on properly wrapped GSSAPI, and was skipped for DCE-style. This allows the ASN.1 errors from the krb5_rd_req to suggest parsing as a kerberos error packet. Andrew Bartlett Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Mon Nov 8 07:58:09 UTC 2010 on sn-devel-104
2010-11-02heimdal Add handling for PAC signatures over all encryption typesAndrew Bartlett2-24/+89
There are exceptions from the expected behaviour of 'checksum type matches key type' that we must deal with here, or else we can't serve DES-only servers. Andrew Bartlett
2010-10-31s4: Remove the old perl/m4/make/mk-based build system.Jelmer Vernooij5-227/+0
The new waf-based build system now has all the same functionality, and the old build system has been broken for quite some time. Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
2010-10-30s4-heimdal: lex_err_message() should not be staticAndrew Tridgell1-2/+2
2010-10-30s4-heimdal: fixed the use of error_message() in heimdalAndrew Tridgell12-47/+49
the lex code in heimdal had a function error_message() which conflicts with a function from the com_err library. This replaces it with lex_err_message() Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-03Add new files for sha512 supportAndrew Bartlett1-0/+274
2010-10-03s4:heimdal: import lorikeet-heimdal-201010022046 (commit ↵Andrew Bartlett24-125/+418
1bea031b9404b14114b0272ecbe56e60c567af5c)
2010-10-03s4:heimdal: import lorikeet-heimdal-201009250123 (commit ↵Matthieu Patou382-1687/+34153
42cabfb5b683dbcb97d583c397b897507689e382) I based this on Matthieu's import of lorikeet-heimdal, and then updated it to this commit. Andrew Bartlett
2010-10-02heimdal use returned server entry from HDB to compare realmsAndrew Bartlett1-1/+1
Some hdb modules (samba4) may change the case of the realm in a returned result. Use that to determine if it matches the krbtgt realm also returned from the DB (the DB will return it in the 'right' case) Andrew Bartlett
2010-09-30heimdal: added verbose logging of hemimdal crypto errorsAndrew Bartlett1-2/+15
2010-09-28heimdal: fixed timegm UTC/GMT bugAndrew Tridgell1-15/+6
This was a wonderful bug! On some Fedora systems, but not on Ubuntu, there is a difference between UTC and GMT. Heimdal replaced timegm() with _der_timegm() which did not account for that difference (which is 24 seconds at the moment). This led to a mutual authentication failure. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-28heimdal Use a seperate krb5_auth_context for the delegated credentialsAndrew Bartlett3-1/+35
If we re-use this context, we overwrite the timestamp while talking to the KDC and fail the mutual authentiation with the target server. Andrew Bartlett
2010-09-29heimdal Fix DNS name qualification to not mangle IP addressesAndrew Bartlett1-5/+23
If the host running this code used IPv6 forms for IPv4 addreses then the check for '.' would not be sufficient to determine that this isn't a name we should mangle. Instead, check if it can be parsed as a numeric address first, and only then mangle. Andrew Bartlett
2010-09-29heimdal Add an error code for use in the RODCAndrew Bartlett1-0/+1
In this case, the whole request packet should be forwarded to a real KDC, with full secrets, as we don't have the password. This could also be used to implement 'play dead when the LDAP server is down'. Andrew Bartlett
2010-09-29heimdal Add support for extracting a particular KVNO from the databaseAndrew Bartlett7-19/+54
This should allow master key rollover. (but the real reason is to allow multiple krbtgt accounts, as used by Active Directory to implement RODC support) Andrew Bartlett
2010-09-27heimdal: avoid DNS search domain expansion Andrew Tridgell1-1/+16
When you have a domain search list in resolv.conf, and one of the DNS servers for a searched domain is uncontactable then we would timeout resolving DNS names. Avoid this by adding a '.' to the hostname if the hostname already has a '.' in it, which we assume to mean it is fully qualified.
2010-06-01s4-heimdal: Fix typo in comment.Karolin Seeger1-1/+1
Karolin
2010-05-11s4:heimdal: remove unused heimdal/lib/hcrypto/evp-cc.cStefan Metzmacher1-659/+0
metze
2010-04-13s4-heimdal: Fix typo in comment.Karolin Seeger1-1/+1
Karolin
2010-04-10s4:heimdal Create a new PAC when impersonating a user with S4U2SelfAndrew Bartlett1-4/+46
If we don't do this, the PAC is given for the machine accout, not the account being impersonated. Andrew Bartlett
2010-04-10s4:heimdal Add hooks to check with the DB before we allow s4u2selfAndrew Bartlett2-5/+42
This allows us to resolve multiple forms of a name, allowing for example machine$@REALM to get an S4U2Self ticket for host/machine@REALM. Andrew Bartlett
2010-04-09s4-krb5: Fix typos in comment.Karolin Seeger1-1/+1
Karolin
2010-03-27s4:heimdal Use correct variable to advance past -- options in kpasswdAndrew Bartlett1-2/+2
This bug was introduced when kpasswd was migrated to a local getarg() call, in Heimdal commit 7dd146072cd9b56d660a01f4aa20f8d81be356e8 Andrew Bartlett
2010-03-27s4:heimal Update generated files (cp from Heimdal)Andrew Bartlett5-477/+459
2010-03-27s4:heimdal: import lorikeet-heimdal-201003262338 (commit ↵Andrew Bartlett39-257/+381
f4e0dc17709829235f057e0e100d34802d3929ff)
2010-03-27s4:heimdal New files and supporting logic for heimdal updateAndrew Bartlett4-0/+1353
2010-03-27s4:heimdal: import lorikeet-heimdal-201001120029 (commit ↵Andrew Bartlett222-1939/+4091
a5e675fed7c5db8a7370b77ed0bfa724196aa84d)
2010-03-16kerberos - set the memory to "0"s before freeing the password to prevent ↵Matthias Dieter Wallnöfer1-2/+6
security issues
2010-03-16heimdal - remove unused variableMatthias Dieter Wallnöfer1-1/+0
2010-03-16heimdal - fix overlapped identifiers in the "krb5" libraryMatthias Dieter Wallnöfer3-11/+11
2010-03-16heimdal - free always "ctx->password" when it isn't needed anymoreMatthias Dieter Wallnöfer1-1/+3
"strdup" does always create a new object in the memory (through "malloc") which needs to be freed if it isn't used anymore.
2010-02-15s4-heimdal: Fix typos in comment.Karolin Seeger1-1/+1
Karolin
2010-02-08s4:heimdal: regerenate filesStefan Metzmacher9-173/+218
Andrew using cp like in commit ca12e7bc8ff4a91f2044c0a60550fec902e97a78 is wrong as that removes #include "config.h" and breaks the build on AIX. metze
2009-12-14heimdal: work around differences between GNU and XSI strerror_r()Andrew Tridgell1-2/+10
This is a fairly ugly workaround, but then again, strerror_r() is a very ugly mess.
2009-12-08s4-heimdal: fixed a use-after-free heimdal bugAndrew Tridgell1-0/+1
This caused samba4kinit to segfault on some systems
2009-12-08krb5: Fix leaked hx509_context pointerKamen Mazdrashki1-0/+4
Signed-off-by: Andrew Tridgell <tridge@samba.org>