summaryrefslogtreecommitdiff
path: root/source4/heimdal
AgeCommit message (Collapse)AuthorFilesLines
2010-09-28heimdal Use a seperate krb5_auth_context for the delegated credentialsAndrew Bartlett3-1/+35
If we re-use this context, we overwrite the timestamp while talking to the KDC and fail the mutual authentiation with the target server. Andrew Bartlett
2010-09-29heimdal Fix DNS name qualification to not mangle IP addressesAndrew Bartlett1-5/+23
If the host running this code used IPv6 forms for IPv4 addreses then the check for '.' would not be sufficient to determine that this isn't a name we should mangle. Instead, check if it can be parsed as a numeric address first, and only then mangle. Andrew Bartlett
2010-09-29heimdal Add an error code for use in the RODCAndrew Bartlett1-0/+1
In this case, the whole request packet should be forwarded to a real KDC, with full secrets, as we don't have the password. This could also be used to implement 'play dead when the LDAP server is down'. Andrew Bartlett
2010-09-29heimdal Add support for extracting a particular KVNO from the databaseAndrew Bartlett7-19/+54
This should allow master key rollover. (but the real reason is to allow multiple krbtgt accounts, as used by Active Directory to implement RODC support) Andrew Bartlett
2010-09-27heimdal: avoid DNS search domain expansion Andrew Tridgell1-1/+16
When you have a domain search list in resolv.conf, and one of the DNS servers for a searched domain is uncontactable then we would timeout resolving DNS names. Avoid this by adding a '.' to the hostname if the hostname already has a '.' in it, which we assume to mean it is fully qualified.
2010-06-01s4-heimdal: Fix typo in comment.Karolin Seeger1-1/+1
Karolin
2010-05-11s4:heimdal: remove unused heimdal/lib/hcrypto/evp-cc.cStefan Metzmacher1-659/+0
metze
2010-04-13s4-heimdal: Fix typo in comment.Karolin Seeger1-1/+1
Karolin
2010-04-10s4:heimdal Create a new PAC when impersonating a user with S4U2SelfAndrew Bartlett1-4/+46
If we don't do this, the PAC is given for the machine accout, not the account being impersonated. Andrew Bartlett
2010-04-10s4:heimdal Add hooks to check with the DB before we allow s4u2selfAndrew Bartlett2-5/+42
This allows us to resolve multiple forms of a name, allowing for example machine$@REALM to get an S4U2Self ticket for host/machine@REALM. Andrew Bartlett
2010-04-09s4-krb5: Fix typos in comment.Karolin Seeger1-1/+1
Karolin
2010-03-27s4:heimdal Use correct variable to advance past -- options in kpasswdAndrew Bartlett1-2/+2
This bug was introduced when kpasswd was migrated to a local getarg() call, in Heimdal commit 7dd146072cd9b56d660a01f4aa20f8d81be356e8 Andrew Bartlett
2010-03-27s4:heimal Update generated files (cp from Heimdal)Andrew Bartlett5-477/+459
2010-03-27s4:heimdal: import lorikeet-heimdal-201003262338 (commit ↵Andrew Bartlett39-257/+381
f4e0dc17709829235f057e0e100d34802d3929ff)
2010-03-27s4:heimdal New files and supporting logic for heimdal updateAndrew Bartlett4-0/+1353
2010-03-27s4:heimdal: import lorikeet-heimdal-201001120029 (commit ↵Andrew Bartlett222-1939/+4091
a5e675fed7c5db8a7370b77ed0bfa724196aa84d)
2010-03-16kerberos - set the memory to "0"s before freeing the password to prevent ↵Matthias Dieter Wallnöfer1-2/+6
security issues
2010-03-16heimdal - remove unused variableMatthias Dieter Wallnöfer1-1/+0
2010-03-16heimdal - fix overlapped identifiers in the "krb5" libraryMatthias Dieter Wallnöfer3-11/+11
2010-03-16heimdal - free always "ctx->password" when it isn't needed anymoreMatthias Dieter Wallnöfer1-1/+3
"strdup" does always create a new object in the memory (through "malloc") which needs to be freed if it isn't used anymore.
2010-02-15s4-heimdal: Fix typos in comment.Karolin Seeger1-1/+1
Karolin
2010-02-08s4:heimdal: regerenate filesStefan Metzmacher9-173/+218
Andrew using cp like in commit ca12e7bc8ff4a91f2044c0a60550fec902e97a78 is wrong as that removes #include "config.h" and breaks the build on AIX. metze
2009-12-14heimdal: work around differences between GNU and XSI strerror_r()Andrew Tridgell1-2/+10
This is a fairly ugly workaround, but then again, strerror_r() is a very ugly mess.
2009-12-08s4-heimdal: fixed a use-after-free heimdal bugAndrew Tridgell1-0/+1
This caused samba4kinit to segfault on some systems
2009-12-08krb5: Fix leaked hx509_context pointerKamen Mazdrashki1-0/+4
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2009-11-24heimdal Fix invalid format stringAndrew Bartlett1-1/+1
2009-11-17s4:heimdal: import lorikeet-heimdal-200911170333 (commit ↵Andrew Bartlett9-25/+8
b532c294d974cead40a1183c71be644c6ccc2832) This fixes up connections to Windows 2003, because the previous import had a broken arcfour-hmac-md5 implementation (fixed in Heimdal 316fc6ff8ffb0cbb1ef3689685e9977c37405bc4) Andrew Bartlett
2009-11-13s4:heimdal Import generated files from heimdal treeAndrew Bartlett9-827/+1185
We should be able to rebuild these, but a cp is easier :-)
2009-11-13s4:heimdal: import lorikeet-heimdal-200911122202 (commit ↵Andrew Bartlett59-646/+1168
9291fd2d101f3eecec550178634faa94ead3e9a1)
2009-11-13s4:heimdal: import lorikeet-heimdal-200909210500 (commit ↵Andrew Bartlett137-2178/+4114
290db8d23647a27c39b97c189a0b2ef6ec21ca69)
2009-10-21heimdal - hdb/ext.c - fix a "shadows variable" warningMatthias Dieter Wallnöfer1-4/+4
Renamed the variable "str" in the nested block to "str2" to prevent the collision with "str" in the main function block.
2009-10-14s4:heimdal A real fix for bug 6801Andrew Bartlett1-3/+3
The issue was that we would free the entry after the database, not knowing that the entry was a talloc child of the database. Andrew Bartlett
2009-10-03heimdal kerberos - fix memory leak (free the plugin list always - not only ↵Matthias Dieter Wallnöfer1-1/+1
in error cases)
2009-10-03heimdal - fix various warningsMatthias Dieter Wallnöfer7-24/+24
- Shadowed variables - "const" related warnings - Parameter names which shadow function declarations - Non-void functions which have no return value (patch also ported upstream)
2009-09-18s4:heimdal/gssapi/krb5: set cred_handle in _gsskrb5_import_credStefan Metzmacher1-0/+1
metze
2009-08-06s4:heimdal: import lorikeet-heimdal-200908052208 (commit ↵Andrew Bartlett33-117/+31
370a73a74199a5a55188340906e15fd795f67a74) This removes some of the portability changes made to code under heimdal/ If these are still required, then we will re-add them with code under heimdal_build/ (so that we can simply 'drop in' future heimdal releases). Andrew Bartlett
2009-08-05s4:heimdal: import lorikeet-heimdal-200908050050 (commit ↵Andrew Bartlett48-366/+1115
8714779fa7376fd9f7761587639e68b48afc8c9c) This also adds a new hdb-glue.c file, to cope with Heimdal's uncondtional enabling of SQLITE. (Very reasonable, but not required for Samba4's use). Andrew Bartlett
2009-07-28s4:kerberos Add support for user principal names in certificatesAndrew Bartlett3-19/+27
This extends the PKINIT code in Heimdal to ask the HDB layer if the User Principal Name name in the certificate is an alias (perhaps just by case change) of the name given in the AS-REQ. (This was a TODO in the Heimdal KDC) The testsuite is extended to test this behaviour, and the other PKINIT certficate (using the standard method to specify a principal name in a certificate) is updated to use a Administrator (not administrator). (This fixes the kinit test). Andrew Bartlett
2009-07-27s4:heimdal Extend the 'hdb as a keytab' codeAndrew Bartlett1-4/+145
This extends the hdb_keytab code to allow enumeration of all the keys. The plan is to allow ktutil's copy command to copy from Samba4's hdb_samba4 into a file-based keytab used in wireshark. One day, with a few more hacks, we might even make this a loadable module that can be used directly... Andrew Bartlett
2009-07-17s4:heimdal: import lorikeet-heimdal-200907162216 (commit ↵Andrew Bartlett6-23/+60
d09910d6803aad96b52ee626327ee55b14ea0de8) This includes in particular changes to the KDC to resolve bug 6272, originally by Matthieu Patou <mat+Informatique.Samba@matws.net>. We need to sort the AuthorizationData elements to put the PAC first, or else WinXP breaks when browsed from Win2k8. Andrew Bartlett
2009-07-16s4:heimdal: import lorikeet-heimdal-200907152325 (commit ↵Andrew Bartlett67-590/+1210
2bef9cd5378c01e9c2a74d6221761883bd11a5c5)
2009-07-16s4:heimdal The implied GSS_C_MUTUAL_FLAG depends on AP_OPTS_MUTUAL_REQUIREDAndrew Bartlett1-1/+4
We had previously assumed it was unconditional. Samba3 didn't mind very much, but Samba4's samba3-like client did, and the behaviour differed to Win2008 behaviour. Andrew Bartlett
2009-07-06s4:heimdal: readd heimdal/lib/asn1/asn1parse.y which was parse.y before the ↵Stefan Metzmacher9-175/+1185
last import Also commit the regenerated files for systems without yacc and lex. This fixes the build with automatic dependecies for me. metze
2009-07-03heimdal: don't include <ifaddrs.h> without knowing it's thereBjörn Jacke1-0/+2
this is 73dbbe0d54 re-added. abartlet, please pick this to lorikeet.
2009-06-30s4:heimdal Allow KRB5_NT_ENTERPRISE names in all DB lookupsAndrew Bartlett3-24/+32
The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail list user principal name) in an AS-REQ. Evidence from the wild (Win2k8 reportadely) indicates that this is instead valid for all types of requests. While this is now handled in heimdal/kdc/misc.c, a flag is now defined in Heimdal's hdb so that we can take over this handling in future (once we start using a system Heimdal, and if we find out there is more to be done here). Andrew Bartlett
2009-06-18s4:kdc Allow a password change when the password is expiredAndrew Bartlett6-27/+35
This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on. Andrew Bartlett
2009-06-12s4:heimdal: import lorikeet-heimdal-200906080040 (commit ↵Andrew Bartlett315-7002/+9362
904d0124b46eed7a8ad6e5b73e892ff34b6865ba) Also including the supporting changes required to pass make test A number of heimdal functions and constants have changed since we last imported a tree (for the better, but inconvenient for us). Andrew Bartlett
2009-06-08s4:heimdal: fix build on FreeBSDBjörn Jacke1-0/+3
Patch from Timur I. Bakeyev sent to samba-technical: Heimdal requires openpty() presence. FreeBSD has in in standard libc, so autodetection works, but compilation fails, as declaration of this function is missing. This patch adds proper header detection and inclusion for openpty().
2009-02-24Fix the build. Looks like no one ever compiled this on a systemJeremy Allison2-0/+14
with a libintl.h before. Jeremy.
2009-02-24Start fixing Solaris build failures.Jeremy Allison2-2/+2
Jeremy.