summaryrefslogtreecommitdiff
path: root/source4/kdc/hdb-ldb.c
AgeCommit message (Collapse)AuthorFilesLines
2008-08-26Only allow the trust in the correct direction (per the flags).Andrew Bartlett1-3/+9
(This used to be commit 2c7195429411d68bc66f4100659c622df4f5a20a)
2008-08-15Trusted domains implementation for the KDC.Andrew Bartlett1-12/+193
At this stage, only arcfour-hmac-md5 trusts are used, and all trusts are presumed bi-directional. Much more work still to be done. Andrew Bartlett (This used to be commit 3e9f5c28165e66d78c020d10b97b9dc4a0038cd8)
2008-08-08More work towards trusted domain support in the KDC.Andrew Bartlett1-25/+93
(This used to be commit c87d732b23ad7de8dc2f824bf11c9310fb4184e1)
2008-08-05Start implementind domain trusts in our KDC.Andrew Bartlett1-7/+33
Andrew Bartlett (This used to be commit 8aba7c36231e58a91fbc6b4fc24c5693353aeef9)
2008-07-24hdb-ldb: fix the callers after drsblobs.idl changesStefan Metzmacher1-45/+30
metze (This used to be commit 1223cd17c79d130b46b0e0ccb0f6011c92441173)
2008-07-23hdb-ldb: try to find Primary:Kerberos-Newer-Keys and fallback to ↵Stefan Metzmacher1-16/+114
Primary:Kerberos Now provide AES tickets if we find the keys in the supplementalCredentials attribute metze (This used to be commit 8300259f103f8cfe014988fad0f7ee0d49bb1ac2)
2008-07-23hdb-ldb: check the SUPPLEMENTAL_CREDENTIALS_SIGNATUREStefan Metzmacher1-0/+6
metze (This used to be commit 7219740ef434091617c6bb727374251987ff2a62)
2008-07-23hdb-ldb: fix comment about paddingStefan Metzmacher1-1/+1
metze (This used to be commit ca28d05b11e602e0f98cda0e02f973562c199dc6)
2008-07-23hdb-ldb: fix crash bug in the error pathStefan Metzmacher1-0/+1
metze (This used to be commit ac02d6a0f765e3b66fb6796f129edb1a348ecd84)
2008-06-04kdc: we don't need any *_locl.h header from heimdal in the kdcStefan Metzmacher1-3/+1
metze (This used to be commit feca16dd6d03730b4a67adf5d912ba2d5e1a3025)
2008-04-17Specify event_context to ldb_wrap_connect explicitly.Jelmer Vernooij1-2/+4
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
2008-03-25Remove useless extra argument to samdb_result_account_expires().Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit bc607c334ff86624b891886a6f874da2bcff113e)
2008-03-07Update account expiration to use new samdb_result_account_expires() function.Andrew Kroeger1-3/+2
(This used to be commit 2b6b4e5a1611744eea5dd9ec17c416916d7edab4)
2008-02-21Remove yet more uses of global_loadparm.Jelmer Vernooij1-2/+2
(This used to be commit e01c1e87c0fe9709df7eb5b863f7ce85564174cd)
2008-02-21Remove more uses of global_loadparm.Jelmer Vernooij1-0/+1
(This used to be commit a1715b1f48ba44bd94844418cc9299649aaf1a5e)
2008-02-21Remove more uses of global_loadparm.Jelmer Vernooij1-1/+2
(This used to be commit 230355d2e6e27918dff40823eb238904c7a1870e)
2008-02-21Avoid use of global_loadparm.Jelmer Vernooij1-4/+6
(This used to be commit c5a95bbe0ce55c29e135a9c6058bf192ec3bb546)
2008-01-01r26639: librpc: Pass iconv convenience on from RPC connection to NDR ↵Jelmer Vernooij1-2/+2
library, so it can be overridden by OpenChange. (This used to be commit 2f29f80e07adef1f020173f2cd6d947d0ef505ce)
2007-12-21r26314: Eliminate use of global_loadparm.Jelmer Vernooij1-1/+1
(This used to be commit aa98a1781c76b352494e65fbc87629fe544c1f73)
2007-12-21r26277: Move loadparm context higher up the stack.Jelmer Vernooij1-1/+1
(This used to be commit 38fa08310ce573e9b46e76c840ddda6f18863573)
2007-12-21r26274: Some syntax fixes, remove more global_loadparm instances.Jelmer Vernooij1-1/+3
(This used to be commit 3809113d86dbd35b906356a05bb481a1e2bfe4b7)
2007-12-21r26252: Specify loadparm_context explicitly when creating sessions.Jelmer Vernooij1-1/+1
(This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede)
2007-12-21r26227: Make loadparm_context part of a server task, move loadparm_contexts ↵Jelmer Vernooij1-1/+1
further up the call stack. (This used to be commit 0721a07aada6a1fae6dcbd610b8783df57d7bbad)
2007-12-21r26003: Split up DB_WRAP, as first step in an attempt to sanitize dependencies.Jelmer Vernooij1-1/+1
(This used to be commit 56dfcb4f2f8e74c9d8b2fe3a0df043781188a555)
2007-12-21r25920: ndr: change NTSTAUS into enum ndr_err_code (samba4 callers)Stefan Metzmacher1-7/+7
lib/messaging/ lib/registry/ lib/ldb-samba/ librpc/rpc/ auth/auth_winbind.c auth/gensec/ auth/kerberos/ dsdb/repl/ dsdb/samdb/ dsdb/schema/ torture/ cluster/ctdb/ kdc/ ntvfs/ipc/ torture/rap/ ntvfs/ utils/getntacl.c ntptr/ smb_server/ libcli/wrepl/ wrepl_server/ libcli/cldap/ libcli/dgram/ libcli/ldap/ libcli/raw/ libcli/nbt/ libnet/ winbind/ rpc_server/ metze (This used to be commit 6223c7fddc972687eb577e04fc1c8e0604c35435)
2007-10-10r25430: Add the loadparm context to all parametric options.Jelmer Vernooij1-1/+1
(This used to be commit fd697d77c9fe67a00939a1f04b35c451316fff58)
2007-10-10r25035: Fix some more warnings, use service pointer rather than service ↵Jelmer Vernooij1-1/+1
number in more places. (This used to be commit df9cebcb97e20564359097148665bd519f31bc6f)
2007-10-10r25026: Move param/param.h out of includes.hJelmer Vernooij1-0/+1
(This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
2007-10-10r24061: Anther part of bug #4823, which is that until now Samba4 didn't parseAndrew Bartlett1-26/+3
the logon hours, even if set. This code happily stolen from the great work in Samba3 :-) Andrew Bartlett (This used to be commit a4939ab629e0af0615bcecf63c7cd55e6e833505)
2007-10-10r23503: use hdb_dbc not hdb_openp.Andrew Bartlett1-8/+7
Andrew Bartlett (This used to be commit 3a21304de04fa20198d5a863ffd0804a308dccb9)
2007-10-10r23488: hdb_openp has changed from void * to int...Stefan Metzmacher1-4/+5
lha: what is the reason for this? it's really bad to use an int for storing a pointer value... metze (This used to be commit 625a6598566761121f16e47e88bdd0fbb0f2846c)
2007-10-10r21441: create a union for the PrimaryKerberosBlob contentStefan Metzmacher1-13/+23
so that ndr_pull will fail if version isn't 3 and we notice if the format changes... metze (This used to be commit 91f7a094cfd04405c224b9579146d814cba507b3)
2007-10-10r21434: - get rid of "krb5Key"Stefan Metzmacher1-49/+132
- use "sambaPassword" only as virtual attribute for passing the cleartext password (in unix charset) into the ldb layer - store des-cbc-crc, des-cbc-md5 keys in the Primary:Kerberos blob to match w2k and w2k3 - aes key support is disabled by default, as we don't know exacly how longhorn stores them. use password_hash:create_aes_key=yes to force creation of them. - store the cleartext password in the Primary:CLEARTEXT blob if configured TODO: - find out how longhorn stores aes keys - find out how the Primary:WDigest blob needs to be constructed (not supported by w2k) metze (This used to be commit e20b53f6feaaca2cc81ee7d296ca3ff757ee3953)
2007-10-10r21390: move fetching the key version number into the functionStefan Metzmacher1-2/+2
which contrusts the keys... later we need to get the key version number from the "replPropertyMetaData" attribute entry to the (I assume) the "unicodePwd" attribute. msDs-KeyVersionNumber is a constructed attribute, and is "1" when no "supplementalCredentials" is present. we need to make some tests with a password change function which don't give a cleartext to the server... metze (This used to be commit 9e4324221764c1413be34d5b14915a86740acc04)
2007-10-10r21363: fallback to fetch the KEYTYPE_ARCFOUR out of the "unicodePwd" attributeStefan Metzmacher1-38/+86
when no krb5key attribute is present or it doesn't contain the KEYTYPE_ARCFOUR key. metze (This used to be commit b4af29da700a71fe021c5f31cad31a494d884e07)
2007-10-10r21330: move fetching of krb5 keys into its own functionStefan Metzmacher1-47/+66
metze (This used to be commit 0f1eb00b418eabef5881f94d8df2b4d61f1dc1ef)
2007-10-10r20639: Commit part 1 of 2.Andrew Bartlett1-6/+2
This patch updates our build system and glue to support a new snapshot of lorikeet-heimdal. We now procude a [SUBSYTEM] in the ans1_deps.pl script, and can depend on that in the heimdal_build/config.mk. This is much easier than listing every generated .o file individually. This required some small changes to the build system, due to the way the parent directory was handled for the output of scripts. I've also cleaned up et_deps.pl to handle cleaning up it's generated files on clean. The PAC glue in Heimdal has changed significantly: we no longer have a custom hack in the KDC, instead we have the windc plugin interface. As such, pac-glue.c is much smaller. In the future, when I'm confident of the new code, we will also be able to 'downsize' auth/kerberos/kerberos_pac.c. (I'll include the updated copy of heimdal in the next chekin, to make it clearer what's changed in Samba4 itself). Andrew Bartlett (This used to be commit 75fddbbc0811010a28ca5bb597b573b3f10ef6d6)
2007-10-10r20406: Metze's change in -r 19662 broke Kerberos logins from Win2k3.Andrew Bartlett1-0/+25
The reason is long and complex, but is due to forwardable tickets: We would extract the forwardable ticket from the GSSAPI payload, and look for the expiry time of the ticket for krbtgt/REALM@REALM. However, with -r 19662 the ticket is given to the client as being for krbtgt/realm@REALM, as it asked for a lower case realm. Heimdal is case sensitive for realms, and bails out. (It should just not store the forwarded ticket). We need to co-ordinate changes in the KDC with relaxation of checks in Heimdal, and a better kerberos behaviour testsuite. Andrew Bartlett (This used to be commit be4c1a36b0e31cbb680d55e8d933818dc3c7435b)
2007-10-10r20034: Start using ldb_search_exp_fmt()Simo Sorce1-12/+6
(This used to be commit 4f07542143ddf5066f0360d965f26a8470504047)
2007-10-10r19832: better prototypes for the linearization functions:Simo Sorce1-1/+1
- ldb_dn_get_linearized returns a const string - ldb_dn_alloc_linearized allocs astring with the linearized dn (This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
2007-10-10r19831: Big ldb_dn optimization and interfaces enhancement patchSimo Sorce1-10/+14
This patch changes a lot of the code in ldb_dn.c, and also removes and add a number of manipulation functions around. The aim is to avoid validating a dn if not necessary as the validation code is necessarily slow. This is mainly to speed up internal operations where input is not user generated and so we can assume the DNs need no validation. The code is designed to keep the data as a string if possible. The code is not yet 100% perfect, but pass all the tests so far. A memleak is certainly present, I'll work on that next. Simo. (This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
2007-10-10r19662: windows 2003 kdc's only rewrite the realm to the full form,Stefan Metzmacher1-27/+1
when the client is using the netbios domain name as realm. we should match this and not rewrite the principal. This matches what windows give: metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./kinit administrator@SERNOXDOM4 administrator@SERNOXDOM4's Password: metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./klist Credentials cache: FILE:/tmp/krb5cc_10000 Principal: administrator@SERNOXDOM4.MX.BASE Issued Expires Principal Nov 11 13:37:52 Nov 11 23:37:52 krbtgt/SERNOXDOM4@SERNOXDOM4.MX.BASE Note: I need to disable the principal checks in heimdal's _krb5_extract_ticket() for the kinit to work. Any ideas how to change heimdal to support this. For the service principal we should use the realm and principal in req->kdc_rep.enc_part instead of the unencrypted req->kdc.ticket.sname and req->kdc.ticket.realm to have a trusted value. I'm not sure what we can do with the client realm... metze (This used to be commit cfee02143f06ed6ff5832e95fa69634f5dd883da)
2007-10-10r19604: This is a massive commit, and I appologise in advance for it's size.Andrew Bartlett1-2/+4
This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
2007-10-10r19598: Ahead of a merge to current lorikeet-heimdal:Andrew Bartlett1-0/+2
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10r19299: Fix possible memleaksSimo Sorce1-4/+1
(This used to be commit 6fad80bb09113a60689061a2de67711c9924708b)
2007-10-10r17930: Merge noinclude branch:Jelmer Vernooij1-1/+1
* Move dlinklist.h, smb.h to subsystem-specific directories * Clean up ads.h and move what is left of it to dsdb/ (only place where it's used) (This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
2007-10-10r17824: add a wrapper for the common partitions_basedn calculationAndrew Tridgell1-2/+2
(This used to be commit 09007b0907662a0d147e8eb21d5bdfc90dbffefc)
2007-10-10r17516: Change helper function names to make more clear what they are meant ↵Simo Sorce1-8/+8
to do (This used to be commit ad75cf869550af66119d0293503024d41d834e02)
2007-10-10r16964: Remove extra debugs no longer required in a working KDCAndrew Bartlett1-26/+21
Implement the 'DES only' flag. Andrew Bartlett (This used to be commit 9d42bb4b3d2a45da02f0525386468161494852cd)
2007-10-10r16237: Use an appropriate basedn for these searches, so they occour into theAndrew Bartlett1-2/+4
correct partition. Andrew Bartlett (This used to be commit f661dafe4edcd017a8d3bda1a40ff8b0d7a1348e)