summaryrefslogtreecommitdiff
path: root/source4/kdc/db-glue.c
AgeCommit message (Collapse)AuthorFilesLines
2011-10-04s4-kdc: fixed handling of previous vs current trust passwordAndrew Tridgell1-36/+77
This sorts out the correct handling for the 'kvno=255' problem. Windows will use the previous trust password for 1 hour after a password set, and indicates that the previous password is being used by sending current_kvno-1. That maps to 255 if the trust password has not actually been changed, so the initial trust password is being used. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-10-04s4-kdc: don't look at global catalog NCs in the kdcAndrew Tridgell1-10/+13
the kdc should not be looking for users in GC partial replicas, as these users do not have all of the attributes needed for the KDC to operate Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-10-04s4-kdc: treat a kvno of 255 as unspecifiedAndrew Tridgell1-1/+4
windows sometimes sends us a kvno of 255 for inter-domain trusts. We don't yet know why it does this, but it seems that we need to treat this as an unspecified kvno Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-09-22s4-kdc: set NO_GLOBAL_CATALOG control in kdcAndrew Tridgell1-3/+5
the kdc doesn't want to find users who are in partialReplica partitions, as they won't have the needed secret info for the kdc to operate. We need to generate referrals instead Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-09-19s4-kdc: default kvno for inter-domain trusts to zeroAndrew Tridgell1-1/+9
the exact value doesn't matter, as both Samba and windows check against the latest password, but the old default of -1 caused ASN.1 parsing errors on windows, which prevented it answering TGS requests thanks to Hongwei Sun for finding this from a ttt trace Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-08-25s4-kdc: fixed subtree search in KDCAndrew Tridgell1-1/+3
use ldb_get_default_basedn() with a subtree search Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-08-02s4:kdc: fix compiler warningStefan Metzmacher1-1/+1
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Aug 2 06:06:15 CEST 2011 on sn-devel-104
2011-07-26s4:kdc: canonicalize the principal if HDB_F_FOR_TGS_REQ is givenStefan Metzmacher1-2/+7
Windows seems to always canonicalize the principal in TGS replies. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Jul 26 03:25:06 CEST 2011 on sn-devel-104
2011-06-24s4:kdc: implement samba_kdc_check_s4u2proxy()Stefan Metzmacher1-0/+105
metze
2011-05-18s4:kdc: split s4u2self and s4u2proxy checksStefan Metzmacher1-9/+20
metze
2011-05-18s4:kdc: UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION => ↵Stefan Metzmacher1-0/+14
flags.trusted_for_delegation metze
2011-04-05kdc: always ldb escape the realmAndrew Bartlett1-1/+11
2011-03-19source4/kdc: Fix prototypes for all functions.Jelmer Vernooij1-0/+2
2011-03-04s4:kdc: fix calculation of the rodc kvnoStefan Metzmacher1-4/+12
Bit shifting is non-trivial in C:-) This int32_t a = 0x12340000; uint32_t b = (a >> 16); results in 0x00001234, but this int32_t a = 0xEDCB0000; uint32_t b = (a >> 16); results in 0xFFFFEDCB, while we expected 0x0000EDCB. metze
2011-01-14s4-kdc: don't ask for an extended DN for krbtgt_dnAndrew Tridgell1-1/+1
otherwise msg->dn would be non-minimal and would fail in searches Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-12-12s4:kdc/*.c - minimise includesMatthias Dieter Wallnöfer1-9/+0
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Dec 12 15:20:46 CET 2010 on sn-devel-104
2010-12-09s4-lsa Implement kerberos ticket life policyAndrew Bartlett1-2/+24
We now no longer print tickets with a potentially infinite life, and we report the same life over LSA as we use in the KDC. We should get this from group policy, but for now it's parametric smb.conf options. Andrew Bartlett
2010-12-03s4/kdc - fix a warning regarding a changed parameter type (kvno)Matthias Dieter Wallnöfer1-1/+1
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Fri Dec 3 23:56:15 CET 2010 on sn-devel-104
2010-11-16s4-kdc Rework supported encryption type logic to match MicrosoftAndrew Bartlett1-37/+16
Thanks to Hongwei Sun for the clear description of the algorithim involved. Importantly, it isn't possible to remove encryption types from the list, only to add them over the defaults (DES and arcfour-hmac-md5, and additional AES for DCs and RODCs). This changes the behaviour for entries with msDS-supportedEncryptionTypes: 0, which Angelos Oikonomopoulos reported finding set by ADUC when attempting to store cleartext passwords. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Nov 16 21:24:43 UTC 2010 on sn-devel-104
2010-11-16s4-kdc Fix the realm handling again, this time pay attention to the flagsAndrew Bartlett1-20/+20
The KDC sets different flags for the AS-REQ (this is client-depenent) and the TGS-REQ to determine if the realm should be forced to the canonical value. If we do this always, or do this never, we get into trouble, so it's much better to honour the flags we are given. Andrew Bartlett
2010-11-16s4-kdc use 'flags' to only create the 'admin data' elements when requestedAndrew Bartlett1-15/+19
This avoids setting these values when the caller simply does not care Andrew Bartlett
2010-11-16s4-kdc Add 'flags' parameter to db fetch callsAndrew Bartlett1-8/+35
This will allow these calls to honour the flags passed in from the KDC Andrew Bartlett
2010-11-15s4-kdc Fix realm handling in our KDCAndrew Bartlett1-38/+6
we should reset the realm part of the principal, but not the lowercase realm embedded in the 'krbtgt/realm@REALM'. Andrew Bartlett
2010-11-12s4-kdc Return HDB_ERR_NOT_FOUND_HERE on un-revealed accounts on an RODCAndrew Bartlett1-1/+7
This means that when we are an RODC, and an account does not have the password attributes, we can now indicate to the kdc code that it should forward the request to a real DC. (The proxy code itself is not in this commit). Andrew Bartlett
2010-10-18s4:"util_ldb" - remove some really unused dependanciesMatthias Dieter Wallnöfer1-1/+0
2010-10-17Revert "s4:remove "util_ldb" submodule and integrate the three gendb_* calls ↵Matthias Dieter Wallnöfer1-0/+1
in "dsdb/common/util.c"" This reverts commit 8a2ce5c47cee499f90b125ebde83de5f9f1a9aa0. Jelmer pointed out that these are also in use by other LDB databases - not only SAMDB ones. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
2010-10-17s4:remove "util_ldb" submodule and integrate the three gendb_* calls in ↵Matthias Dieter Wallnöfer1-1/+0
"dsdb/common/util.c" They're only in use by SAMDB code. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
2010-10-10samdb: Add flags argument to samdb_connect().Jelmer Vernooij1-1/+1
2010-10-05s4:kdc - use "userAccountControl" always unsignedMatthias Dieter Wallnöfer1-3/+3
It doesn't change much but it's nicer to have it consistent.
2010-10-03s4:kdc/db-glue.c - remove unused variableMatthias Dieter Wallnöfer1-1/+0
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Oct 3 17:30:34 UTC 2010 on sn-devel-104
2010-10-03s4-kdc Remove special case kerberos restriction in the KDCAndrew Bartlett1-16/+0
We should avoid using Kerberos or any other recursive auth mechanism in ldb backends, but denying Kerberos here won't be enough, so remove the special case. (Typcially we bind using a different password space and DIGEST-MD5 or NTLM). Andrew Bartlett
2010-10-02s4-kdc Rework 'allowed encryption types' handling in the KDCAndrew Bartlett1-28/+44
All DCs and all krbtgt servers are forced to use AES, regardless of the msDS-SecondaryKrbTgtNumber value. Andrew Bartlett
2010-09-28s4-kdc: RODC DCs should be able to produce forwardable ticketsAndrew Tridgell1-1/+1
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-28s4-kdc Ensure that an RODC may act as a server (needed to fillAndrew Bartlett1-5/+24
the krbtgt role). Andrew Bartlett
2010-09-29s4-kdc Handle the case where we may be given a ticket from an RODC in db layerAndrew Bartlett1-17/+48
This includes rewriting the PAC if the original krbtgt isn't to be trusted, and reading different entries from the DB for the krbtgt depending on the krbtgt number. Andrew Bartlett
2010-09-29s4-kdc Add common setup, handle RODC setup caseAndrew Bartlett1-0/+135
This means we just set up the system_session etc in one place and don't diverge between the MIT and Heimdal plugins. We also now determine if we are an RODC and store some details that we will need later. Andrew Bartlett
2010-09-29s4-kdc Use msDS-SecondaryKrbTgtNumber to fill in the full KVNOAndrew Bartlett1-1/+18
Andrew Bartlett
2010-09-16s4-kdc: prevent segfault on bad trust stringsAndrew Tridgell1-4/+8
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-25s4-trusts: fix trustDomainPasswords drsblobs IDL and server side support.Günther Deschner1-7/+7
Also remove bogus trustCurrentPasswords struct which we just had because our IDL was incorrect. Guenther
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell1-9/+9
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-29s4:kdc Rework the 'allowed enc types' calculationAndrew Bartlett1-41/+35
This changes the calculation to apply the allowed enc types to all uses of the key (no point allowing a weak kinit to a key the server wanted strongly protected). It also ensures that all the non-DES keys are available on the krbtgt in particular, even as it does not have a msds-SupportedEncryptionTypes attributes. Andrew Bartlett
2010-06-23s4:kdc Use msDS-SupportedEncTypes in our KDCAndrew Bartlett1-30/+54
We need to honour this, otherwise we will send AES-encrypted tickets to unprepared Kerberos targets. Andrew Bartlett
2010-06-20s4:kdc/db-glue.c - remove unreachable codeMatthias Dieter Wallnöfer1-4/+0
Would be nice if someone could check if this fits.
2010-05-18Finish removal of iconv_convenience in public API's.Jelmer Vernooij1-6/+5
2010-04-17s4:kdc/db-glue.c - use "TALLOC_FREE" insteal of "talloc_free" for the "priv" ↵Matthias Dieter Wallnöfer1-5/+5
context Also after a free "priv" could be != NULL and may be freed again. This should fix bug #7365.
2010-04-12s4:kdc/db-glue.c - fix integer counter typesMatthias Dieter Wallnöfer1-6/+7
2010-04-10s4:kdc Add functions to hdb-samba4 for the new s4u2self callback.Andrew Bartlett1-5/+7
For now, this shares the 'if it's the same host' system with the constrained delegation code. Andrew Bartlett
2010-02-16s4-dsdb: removed gendb_search_single_extended_dn()Andrew Tridgell1-13/+16
Use dsdb_search_one() instead, which allows for arbitrary controls Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-02-12s4:kdc Fill in created_by principal fieldSimo Sorce1-4/+7
2010-02-12s4:kdc Fix double free and uninitialized memory.Simo Sorce1-2/+13
In samba_kdc_trust_message2entry() on error, hdb_free_entry() may end up trying to access uninitialized memory or double free the hdb_entry.