| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
1bea031b9404b14114b0272ecbe56e60c567af5c)
|
|
42cabfb5b683dbcb97d583c397b897507689e382)
I based this on Matthieu's import of lorikeet-heimdal, and then
updated it to this commit.
Andrew Bartlett
|
|
Some hdb modules (samba4) may change the case of the realm in
a returned result. Use that to determine if it matches the krbtgt
realm also returned from the DB (the DB will return it in the 'right' case)
Andrew Bartlett
|
|
|
|
This was a wonderful bug!
On some Fedora systems, but not on Ubuntu, there is a difference
between UTC and GMT. Heimdal replaced timegm() with _der_timegm()
which did not account for that difference (which is 24 seconds at the
moment). This led to a mutual authentication failure.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
If we re-use this context, we overwrite the timestamp while talking
to the KDC and fail the mutual authentiation with the target server.
Andrew Bartlett
|
|
If the host running this code used IPv6 forms for IPv4 addreses
then the check for '.' would not be sufficient to determine that this
isn't a name we should mangle. Instead, check if it can be parsed
as a numeric address first, and only then mangle.
Andrew Bartlett
|
|
In this case, the whole request packet should be forwarded to
a real KDC, with full secrets, as we don't have the password.
This could also be used to implement 'play dead when the LDAP
server is down'.
Andrew Bartlett
|
|
This should allow master key rollover.
(but the real reason is to allow multiple krbtgt accounts, as used by
Active Directory to implement RODC support)
Andrew Bartlett
|
|
When you have a domain search list in resolv.conf, and one of the DNS
servers for a searched domain is uncontactable then we would timeout
resolving DNS names.
Avoid this by adding a '.' to the hostname if the hostname already has
a '.' in it, which we assume to mean it is fully qualified.
|
|
Karolin
|
|
metze
|
|
Karolin
|
|
If we don't do this, the PAC is given for the machine accout, not the
account being impersonated.
Andrew Bartlett
|
|
This allows us to resolve multiple forms of a name, allowing for
example machine$@REALM to get an S4U2Self ticket for
host/machine@REALM.
Andrew Bartlett
|
|
Karolin
|
|
This bug was introduced when kpasswd was migrated to a local getarg()
call, in Heimdal commit 7dd146072cd9b56d660a01f4aa20f8d81be356e8
Andrew Bartlett
|
|
|
|
f4e0dc17709829235f057e0e100d34802d3929ff)
|
|
|
|
a5e675fed7c5db8a7370b77ed0bfa724196aa84d)
|
|
security issues
|
|
|
|
|
|
"strdup" does always create a new object in the memory (through "malloc") which
needs to be freed if it isn't used anymore.
|
|
Karolin
|
|
Andrew using cp like in commit ca12e7bc8ff4a91f2044c0a60550fec902e97a78
is wrong as that removes #include "config.h" and breaks the build on AIX.
metze
|
|
This is a fairly ugly workaround, but then again, strerror_r() is a
very ugly mess.
|
|
This caused samba4kinit to segfault on some systems
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
|
|
b532c294d974cead40a1183c71be644c6ccc2832)
This fixes up connections to Windows 2003, because the previous import
had a broken arcfour-hmac-md5 implementation (fixed in Heimdal
316fc6ff8ffb0cbb1ef3689685e9977c37405bc4)
Andrew Bartlett
|
|
We should be able to rebuild these, but a cp is easier :-)
|
|
9291fd2d101f3eecec550178634faa94ead3e9a1)
|
|
290db8d23647a27c39b97c189a0b2ef6ec21ca69)
|
|
Renamed the variable "str" in the nested block to "str2" to prevent the collision
with "str" in the main function block.
|
|
The issue was that we would free the entry after the database, not
knowing that the entry was a talloc child of the database.
Andrew Bartlett
|
|
in error cases)
|
|
- Shadowed variables
- "const" related warnings
- Parameter names which shadow function declarations
- Non-void functions which have no return value
(patch also ported upstream)
|
|
metze
|
|
370a73a74199a5a55188340906e15fd795f67a74)
This removes some of the portability changes made to code under
heimdal/
If these are still required, then we will re-add them with code under
heimdal_build/ (so that we can simply 'drop in' future heimdal
releases).
Andrew Bartlett
|
|
8714779fa7376fd9f7761587639e68b48afc8c9c)
This also adds a new hdb-glue.c file, to cope with Heimdal's
uncondtional enabling of SQLITE.
(Very reasonable, but not required for Samba4's use).
Andrew Bartlett
|
|
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ. (This was a TODO in
the Heimdal KDC)
The testsuite is extended to test this behaviour, and the other PKINIT
certficate (using the standard method to specify a principal name in a
certificate) is updated to use a Administrator (not administrator).
(This fixes the kinit test).
Andrew Bartlett
|
|
This extends the hdb_keytab code to allow enumeration of all the keys.
The plan is to allow ktutil's copy command to copy from Samba4's
hdb_samba4 into a file-based keytab used in wireshark.
One day, with a few more hacks, we might even make this a loadable
module that can be used directly...
Andrew Bartlett
|
|
d09910d6803aad96b52ee626327ee55b14ea0de8)
This includes in particular changes to the KDC to resolve bug 6272,
originally by Matthieu Patou <mat+Informatique.Samba@matws.net>. We
need to sort the AuthorizationData elements to put the PAC first, or
else WinXP breaks when browsed from Win2k8.
Andrew Bartlett
|
|
2bef9cd5378c01e9c2a74d6221761883bd11a5c5)
|
|
We had previously assumed it was unconditional. Samba3 didn't mind
very much, but Samba4's samba3-like client did, and the behaviour
differed to Win2008 behaviour.
Andrew Bartlett
|
|
last import
Also commit the regenerated files for systems without yacc and lex.
This fixes the build with automatic dependecies for me.
metze
|
|
this is 73dbbe0d54 re-added. abartlet, please pick this to lorikeet.
|
