Age | Commit message (Collapse) | Author | Files | Lines |
|
Thanks to Hongwei Sun for the clear description of the algorithim
involved. Importantly, it isn't possible to remove encryption types
from the list, only to add them over the defaults (DES and
arcfour-hmac-md5, and additional AES for DCs and RODCs).
This changes the behaviour for entries with
msDS-supportedEncryptionTypes: 0, which Angelos Oikonomopoulos
reported finding set by ADUC when attempting to store cleartext
passwords.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Nov 16 21:24:43 UTC 2010 on sn-devel-104
|
|
The KDC sets different flags for the AS-REQ (this is client-depenent)
and the TGS-REQ to determine if the realm should be forced to the
canonical value. If we do this always, or do this never, we get into
trouble, so it's much better to honour the flags we are given.
Andrew Bartlett
|
|
This avoids setting these values when the caller simply does not care
Andrew Bartlett
|
|
This will allow these calls to honour the flags passed in from the KDC
Andrew Bartlett
|
|
we should reset the realm part of the principal, but not the lowercase
realm embedded in the 'krbtgt/realm@REALM'.
Andrew Bartlett
|
|
This means that when we are an RODC, and an account does not have the
password attributes, we can now indicate to the kdc code that it
should forward the request to a real DC.
(The proxy code itself is not in this commit).
Andrew Bartlett
|
|
|
|
in "dsdb/common/util.c""
This reverts commit 8a2ce5c47cee499f90b125ebde83de5f9f1a9aa0.
Jelmer pointed out that these are also in use by other LDB databases - not only
SAMDB ones.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
|
|
"dsdb/common/util.c"
They're only in use by SAMDB code.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
|
|
|
|
It doesn't change much but it's nicer to have it consistent.
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 3 17:30:34 UTC 2010 on sn-devel-104
|
|
We should avoid using Kerberos or any other recursive auth mechanism
in ldb backends, but denying Kerberos here won't be enough, so
remove the special case. (Typcially we bind using a different password
space and DIGEST-MD5 or NTLM).
Andrew Bartlett
|
|
All DCs and all krbtgt servers are forced to use AES, regardless
of the msDS-SecondaryKrbTgtNumber value.
Andrew Bartlett
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
the krbtgt role).
Andrew Bartlett
|
|
This includes rewriting the PAC if the original krbtgt isn't to be
trusted, and reading different entries from the DB for the krbtgt
depending on the krbtgt number.
Andrew Bartlett
|
|
This means we just set up the system_session etc in one place
and don't diverge between the MIT and Heimdal plugins.
We also now determine if we are an RODC and store some details
that we will need later.
Andrew Bartlett
|
|
Andrew Bartlett
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Also remove bogus trustCurrentPasswords struct which we just had because our IDL
was incorrect.
Guenther
|
|
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This changes the calculation to apply the allowed enc types to all
uses of the key (no point allowing a weak kinit to a key the server
wanted strongly protected). It also ensures that all the non-DES keys
are available on the krbtgt in particular, even as it does not have a
msds-SupportedEncryptionTypes attributes.
Andrew Bartlett
|
|
We need to honour this, otherwise we will send AES-encrypted tickets
to unprepared Kerberos targets.
Andrew Bartlett
|
|
Would be nice if someone could check if this fits.
|
|
|
|
context
Also after a free "priv" could be != NULL and may be freed again.
This should fix bug #7365.
|
|
|
|
For now, this shares the 'if it's the same host' system with the
constrained delegation code.
Andrew Bartlett
|
|
Use dsdb_search_one() instead, which allows for arbitrary controls
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
In samba_kdc_trust_message2entry() on error, hdb_free_entry()
may end up trying to access uninitialized memory or double
free the hdb_entry.
|
|
|
|
Keep all heimdal related plugin code within hdb_samba4.c
Move interfaces needed by multiple plugins in db-glue.c
Move sequence context in main db context so that we do
not depend on db->hdb_dbc in the common code.
Remove unnecessary paremeters from function prototypes
|