Age | Commit message (Collapse) | Author | Files | Lines |
|
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ. (This was a TODO in
the Heimdal KDC)
The testsuite is extended to test this behaviour, and the other PKINIT
certficate (using the standard method to specify a principal name in a
certificate) is updated to use a Administrator (not administrator).
(This fixes the kinit test).
Andrew Bartlett
|
|
This extends the hdb_keytab code to allow enumeration of all the keys.
The plan is to allow ktutil's copy command to copy from Samba4's
hdb_samba4 into a file-based keytab used in wireshark.
One day, with a few more hacks, we might even make this a loadable
module that can be used directly...
Andrew Bartlett
|
|
d09910d6803aad96b52ee626327ee55b14ea0de8)
This includes in particular changes to the KDC to resolve bug 6272,
originally by Matthieu Patou <mat+Informatique.Samba@matws.net>. We
need to sort the AuthorizationData elements to put the PAC first, or
else WinXP breaks when browsed from Win2k8.
Andrew Bartlett
|
|
2bef9cd5378c01e9c2a74d6221761883bd11a5c5)
|
|
We had previously assumed it was unconditional. Samba3 didn't mind
very much, but Samba4's samba3-like client did, and the behaviour
differed to Win2008 behaviour.
Andrew Bartlett
|
|
last import
Also commit the regenerated files for systems without yacc and lex.
This fixes the build with automatic dependecies for me.
metze
|
|
this is 73dbbe0d54 re-added. abartlet, please pick this to lorikeet.
|
|
The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail
list user principal name) in an AS-REQ. Evidence from the wild
(Win2k8 reportadely) indicates that this is instead valid for all
types of requests.
While this is now handled in heimdal/kdc/misc.c, a flag is now defined
in Heimdal's hdb so that we can take over this handling in future (once we start
using a system Heimdal, and if we find out there is more to be done
here).
Andrew Bartlett
|
|
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue. (In particular, in
case our requirements become more complex in future).
The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw
Also (in hdb-samba4) be a bit more careful on what entries we will
make the 'change_pw' service mark that this depends on.
Andrew Bartlett
|
|
904d0124b46eed7a8ad6e5b73e892ff34b6865ba)
Also including the supporting changes required to pass make test
A number of heimdal functions and constants have changed since we last
imported a tree (for the better, but inconvenient for us).
Andrew Bartlett
|
|
Patch from Timur I. Bakeyev sent to samba-technical:
Heimdal requires openpty() presence. FreeBSD has in in standard libc, so
autodetection works, but compilation fails, as declaration of this function is
missing.
This patch adds proper header detection and inclusion for openpty().
|
|
with a libintl.h before.
Jeremy.
|
|
Jeremy.
|
|
metze
|
|
metze
|
|
metze
|
|
This should fix a build problem on IRIX.
metze
|
|
This should fix problems with the IRIX build.
metze
|
|
metze
|
|
metze
|
|
metze
|
|
(This was not entered in lorikeet-heimdal.diff, so missed by metze's import).
Andrew Bartlett
|
|
support for the underlying functions now.
|
|
metze
|
|
remove some unused functions.
|
|
smaba4kpasswd will be used to test the kpasswdd componet of the KDC
(which is up until now untested), and rkpty is an expect-like wrapper
we can use to blackbox that utility.
Andrew Bartlett
|
|
|
|
This avoids one more custom patch to the Heimdal code, and provides a
more standard way to produce hdb plugins in future.
I've renamed from hdb_ldb to hdb_samba4 as it really is not generic
ldb.
Andrew Bartlett
|
|
(This used to be commit cc1df3c002e6af25add3c8ae20e7efc2ab6f2fa8)
|
|
(This used to be commit 9db5a966fce0b71a0d2167b4aff70cc081abc1cc)
|
|
metze
(This used to be commit 0c4227e45d6b8e31a0219358042318e9d2a0b36d)
|
|
This is based on f56a3b1846c7d462542f2e9527f4d0ed8a34748d in my heimdal-wip repo.
metze
(This used to be commit 467a1f2163a63cdf1a4c83a69473db50e8794f53)
|
|
Now it's possible to just use a plain heimdal tree in source/heimdal/
without any pregenerated files.
metze
(This used to be commit da333ca7113f78eeacab4f93b401f075114c7d88)
|
|
metze
(This used to be commit f4cfba26aebb18fecdb50478bec9c07d4910ab3b)
|
|
metze
(This used to be commit 8d6d96898dcc948aa0ee004eaeb48dc847946361)
|
|
metze
(This used to be commit 94cef56212d7d7c1150aea760dba24bda7190442)
|
|
This remove a difference against lorikeet-heimdal.
metze
(This used to be commit 4314df3561dfe60228db0af220549300b0137c85)
|
|
This reverts commit 86848dd0f217774faed81af8fbf68618013e20a1.
This should come back via a merge from heimdal's trunk later.
metze
(This used to be commit 585e5360e2d9f722e80850eb86c3d4253530e8ba)
|
|
This reverts commit 6a8b07c39558f240b89e833ecba15d8b9fc020e8.
This isn't strictly needed and will come back in the next merge
from heimdal's trunk.
metze
(This used to be commit 8ed040c8c4bed082ab74ab267090b35bb57db3f3)
|
|
used service key"
This reverts commit dbb94133e0313cae933d261af0bf1210807a6d11.
As we fixed gensec_gssapi to only return a session key when it's
have the correct session key, this hack isn't needed anymore.
metze
(This used to be commit 697cd1896bccaa55ee422f17d9312d787ca699ed)
|
|
For non cfx keys it's the same as the intiator subkey.
This matches windows behavior.
metze
(This used to be commit 6a8b07c39558f240b89e833ecba15d8b9fc020e8)
|
|
The good thing is that windows and heimdal both use EC=0
in the non DCE_STYLE case, so we need the windows compat hack
only in DCE_STYLE mode.
metze
(This used to be commit 0fa41a94e466d5e11bcf362ccd8ff41b72733d1a)
|
|
service key
With this patch samba4 can use gsskrb5_get_subkey() to get the session key.
metze
(This used to be commit dbb94133e0313cae933d261af0bf1210807a6d11)
|
|
Only the des keys are tested as windows doesn't support des3
metze
(This used to be commit 86848dd0f217774faed81af8fbf68618013e20a1)
|
|
metze
(This used to be commit b395cd7acdb3ca5b25368fbbad0606efe4699d04)
|
|
metze
(This used to be commit 3bd7e68a5cfe80733782367e327b570d04b21586)
|
|
metze
(This used to be commit d6c54a66fb23c784ef221a3c1cf766b72bdb5a0b)
|
|
metze
(This used to be commit f10c9ca3612d7bdc4c2c221e959f8c48ec2f9349)
|
|
metze
(This used to be commit d88be1a1cb543b4e2cc5d15262da786558aa276d)
|
|
Windows (and heimdal) accepts packets with token header
in the server, but it doesn't match the windows client.
We now match the windows client and that fixes
also the display in wireshark.
metze
(This used to be commit 58f66184f0f732a78e86bbb0f3c29e920f086d08)
|