Age | Commit message (Collapse) | Author | Files | Lines |
|
This commit applies some cosmetic corrections for the KERBEROS library.
|
|
|
|
The previous ldb_search() interface made it way too easy to leak results,
and being able to use a printf-like expression turns to be really useful.
|
|
(This used to be commit 2c7195429411d68bc66f4100659c622df4f5a20a)
|
|
At this stage, only arcfour-hmac-md5 trusts are used, and all trusts
are presumed bi-directional. Much more work still to be done.
Andrew Bartlett
(This used to be commit 3e9f5c28165e66d78c020d10b97b9dc4a0038cd8)
|
|
(This used to be commit c87d732b23ad7de8dc2f824bf11c9310fb4184e1)
|
|
Andrew Bartlett
(This used to be commit 8aba7c36231e58a91fbc6b4fc24c5693353aeef9)
|
|
metze
(This used to be commit 1223cd17c79d130b46b0e0ccb0f6011c92441173)
|
|
Primary:Kerberos
Now provide AES tickets if we find the keys in the supplementalCredentials attribute
metze
(This used to be commit 8300259f103f8cfe014988fad0f7ee0d49bb1ac2)
|
|
metze
(This used to be commit 7219740ef434091617c6bb727374251987ff2a62)
|
|
metze
(This used to be commit ca28d05b11e602e0f98cda0e02f973562c199dc6)
|
|
metze
(This used to be commit ac02d6a0f765e3b66fb6796f129edb1a348ecd84)
|
|
metze
(This used to be commit feca16dd6d03730b4a67adf5d912ba2d5e1a3025)
|
|
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
|
|
Andrew Bartlett
(This used to be commit bc607c334ff86624b891886a6f874da2bcff113e)
|
|
(This used to be commit 2b6b4e5a1611744eea5dd9ec17c416916d7edab4)
|
|
(This used to be commit e01c1e87c0fe9709df7eb5b863f7ce85564174cd)
|
|
(This used to be commit a1715b1f48ba44bd94844418cc9299649aaf1a5e)
|
|
(This used to be commit 230355d2e6e27918dff40823eb238904c7a1870e)
|
|
(This used to be commit c5a95bbe0ce55c29e135a9c6058bf192ec3bb546)
|
|
library, so it can be overridden by OpenChange.
(This used to be commit 2f29f80e07adef1f020173f2cd6d947d0ef505ce)
|
|
(This used to be commit aa98a1781c76b352494e65fbc87629fe544c1f73)
|
|
(This used to be commit 38fa08310ce573e9b46e76c840ddda6f18863573)
|
|
(This used to be commit 3809113d86dbd35b906356a05bb481a1e2bfe4b7)
|
|
(This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede)
|
|
further up the call stack.
(This used to be commit 0721a07aada6a1fae6dcbd610b8783df57d7bbad)
|
|
(This used to be commit 56dfcb4f2f8e74c9d8b2fe3a0df043781188a555)
|
|
lib/messaging/
lib/registry/
lib/ldb-samba/
librpc/rpc/
auth/auth_winbind.c
auth/gensec/
auth/kerberos/
dsdb/repl/
dsdb/samdb/
dsdb/schema/
torture/
cluster/ctdb/
kdc/
ntvfs/ipc/
torture/rap/
ntvfs/
utils/getntacl.c
ntptr/
smb_server/
libcli/wrepl/
wrepl_server/
libcli/cldap/
libcli/dgram/
libcli/ldap/
libcli/raw/
libcli/nbt/
libnet/
winbind/
rpc_server/
metze
(This used to be commit 6223c7fddc972687eb577e04fc1c8e0604c35435)
|
|
(This used to be commit fd697d77c9fe67a00939a1f04b35c451316fff58)
|
|
number in more places.
(This used to be commit df9cebcb97e20564359097148665bd519f31bc6f)
|
|
(This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
|
|
the logon hours, even if set.
This code happily stolen from the great work in Samba3 :-)
Andrew Bartlett
(This used to be commit a4939ab629e0af0615bcecf63c7cd55e6e833505)
|
|
Andrew Bartlett
(This used to be commit 3a21304de04fa20198d5a863ffd0804a308dccb9)
|
|
lha: what is the reason for this? it's really bad to use
an int for storing a pointer value...
metze
(This used to be commit 625a6598566761121f16e47e88bdd0fbb0f2846c)
|
|
so that ndr_pull will fail if version isn't 3 and we notice
if the format changes...
metze
(This used to be commit 91f7a094cfd04405c224b9579146d814cba507b3)
|
|
- use "sambaPassword" only as virtual attribute for passing
the cleartext password (in unix charset) into the ldb layer
- store des-cbc-crc, des-cbc-md5 keys in the Primary:Kerberos
blob to match w2k and w2k3
- aes key support is disabled by default, as we don't know
exacly how longhorn stores them. use password_hash:create_aes_key=yes
to force creation of them.
- store the cleartext password in the Primary:CLEARTEXT blob
if configured
TODO:
- find out how longhorn stores aes keys
- find out how the Primary:WDigest blob needs to be constructed
(not supported by w2k)
metze
(This used to be commit e20b53f6feaaca2cc81ee7d296ca3ff757ee3953)
|
|
which contrusts the keys...
later we need to get the key version number from the
"replPropertyMetaData" attribute entry to the (I assume)
the "unicodePwd" attribute.
msDs-KeyVersionNumber is a constructed attribute,
and is "1" when no "supplementalCredentials" is present.
we need to make some tests with a password change function
which don't give a cleartext to the server...
metze
(This used to be commit 9e4324221764c1413be34d5b14915a86740acc04)
|
|
when no krb5key attribute is present or it doesn't contain the KEYTYPE_ARCFOUR
key.
metze
(This used to be commit b4af29da700a71fe021c5f31cad31a494d884e07)
|
|
metze
(This used to be commit 0f1eb00b418eabef5881f94d8df2b4d61f1dc1ef)
|
|
This patch updates our build system and glue to support a new snapshot
of lorikeet-heimdal.
We now procude a [SUBSYTEM] in the ans1_deps.pl script, and can depend
on that in the heimdal_build/config.mk. This is much easier than
listing every generated .o file individually.
This required some small changes to the build system, due to the way
the parent directory was handled for the output of scripts. I've also
cleaned up et_deps.pl to handle cleaning up it's generated files on
clean.
The PAC glue in Heimdal has changed significantly: we no longer have a
custom hack in the KDC, instead we have the windc plugin interface.
As such, pac-glue.c is much smaller. In the future, when I'm
confident of the new code, we will also be able to 'downsize'
auth/kerberos/kerberos_pac.c.
(I'll include the updated copy of heimdal in the next chekin, to make
it clearer what's changed in Samba4 itself).
Andrew Bartlett
(This used to be commit 75fddbbc0811010a28ca5bb597b573b3f10ef6d6)
|
|
The reason is long and complex, but is due to forwardable tickets:
We would extract the forwardable ticket from the GSSAPI payload, and
look for the expiry time of the ticket for krbtgt/REALM@REALM.
However, with -r 19662 the ticket is given to the client as being for
krbtgt/realm@REALM, as it asked for a lower case realm. Heimdal is
case sensitive for realms, and bails out. (It should just not store
the forwarded ticket).
We need to co-ordinate changes in the KDC with relaxation of checks in
Heimdal, and a better kerberos behaviour testsuite.
Andrew Bartlett
(This used to be commit be4c1a36b0e31cbb680d55e8d933818dc3c7435b)
|
|
(This used to be commit 4f07542143ddf5066f0360d965f26a8470504047)
|
|
- ldb_dn_get_linearized
returns a const string
- ldb_dn_alloc_linearized
allocs astring with the linearized dn
(This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
|
|
This patch changes a lot of the code in ldb_dn.c, and also
removes and add a number of manipulation functions around.
The aim is to avoid validating a dn if not necessary as the
validation code is necessarily slow. This is mainly to speed up
internal operations where input is not user generated and so we
can assume the DNs need no validation. The code is designed to
keep the data as a string if possible.
The code is not yet 100% perfect, but pass all the tests so far.
A memleak is certainly present, I'll work on that next.
Simo.
(This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
|
|
when the client is using the netbios domain name as realm.
we should match this and not rewrite the principal.
This matches what windows give:
metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./kinit administrator@SERNOXDOM4
administrator@SERNOXDOM4's Password:
metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./klist
Credentials cache: FILE:/tmp/krb5cc_10000
Principal: administrator@SERNOXDOM4.MX.BASE
Issued Expires Principal
Nov 11 13:37:52 Nov 11 23:37:52 krbtgt/SERNOXDOM4@SERNOXDOM4.MX.BASE
Note:
I need to disable the principal checks in heimdal's
_krb5_extract_ticket() for the kinit to work.
Any ideas how to change heimdal to support this.
For the service principal we should use
the realm and principal in req->kdc_rep.enc_part
instead of the unencrypted req->kdc.ticket.sname
and req->kdc.ticket.realm to have a trusted value.
I'm not sure what we can do with the client realm...
metze
(This used to be commit cfee02143f06ed6ff5832e95fa69634f5dd883da)
|
|
This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.
This is such a big change because Heimdal reorganised it's internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases.
In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC. This matches windows behavour. We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).
This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.
Andrew Bartlett
(This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
|
|
Break up auth/auth.h not to include the world.
Add credentials_krb5.h with the kerberos dependent prototypes.
Andrew Bartlett
(This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
|
|
(This used to be commit 6fad80bb09113a60689061a2de67711c9924708b)
|
|
* Move dlinklist.h, smb.h to subsystem-specific directories
* Clean up ads.h and move what is left of it to dsdb/
(only place where it's used)
(This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
|
|
(This used to be commit 09007b0907662a0d147e8eb21d5bdfc90dbffefc)
|