summaryrefslogtreecommitdiff
path: root/source4/kdc/hdb-ldb.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r13924: Split more prototypes out of include/proto.h + initial work on headerJelmer Vernooij1-0/+2
file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
2007-10-10r13910: Fix the 'your password has expired' on every login. We now considerAndrew Bartlett1-7/+5
if the 'password does not expire' flag has been set, filling in the PAC and netlogon reply correctly if so. Andrew Bartlett (This used to be commit c530ab5dc6865c422382bc0afa7a86f7ec1acdf2)
2007-10-10r13252: Cleanup, both in code, comments and talloc use:Andrew Bartlett1-23/+12
In particular, I've used the --leak-report-full option to smbd to track down memory that shouldn't be on a long-term context. This is now talloc_free()ed much earlier. Andrew Bartlett (This used to be commit c6eb74f42989d62c82d2a219251837b09df8491c)
2007-10-10r13207: Use the new API for using/not using kerbeors in hdb-ldb.cAndrew Bartlett1-5/+3
Update the rootdse module to use the new schema. Andrew Bartlett (This used to be commit b0b150d08ac39ed486071487826da2e306db6a0b)
2007-10-10r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in ourAndrew Bartlett1-2/+19
case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
2007-10-10r13069: adding a hack on instructions from andrewAndrew Tridgell1-1/+2
(This used to be commit 65cf522b5e079de2cfd5fc989350cc127f6c5baa)
2007-10-10r12681: Allow an entry to have no kerberos keys. This occours when an entryAndrew Bartlett1-16/+24
is new, and has no password. It may also occour in the future if we allow PKINIT. In any case, it shouldn't segfault :-) Andrew Bartlett (This used to be commit 686fea241b7a8ca286099eadfa2ed177367dafdc)
2007-10-10r12631: Now we have fixed the provision script, we don't need to work aroundAndrew Bartlett1-1/+1
it here. Andrew Bartlett (This used to be commit f282fab6113cbd6a431139cbe7f021864f31c3d1)
2007-10-10r12599: This new LDB module (and associated changes) allows Samba4 to operateAndrew Bartlett1-100/+20
using pre-calculated passwords for all kerberos key types. (Previously we could only use these for the NT# type). The module handles all of the hash/string2key tasks for all parts of Samba, which was previously in the rpc_server/samr/samr_password.c code. We also update the msDS-KeyVersionNumber, and the password history. This new module can be called at provision time, which ensures we start with a database that is consistent in this respect. By ensuring that the krb5key attribute is the only one we need to retrieve, this also simplifies the run-time KDC logic. (Each value of the multi-valued attribute is encoded as a 'Key' in ASN.1, using the definition from Heimdal's HDB. This simplfies the KDC code.). It is hoped that this will speed up the KDC enough that it can again operate under valgrind. (This used to be commit e9022743210b59f19f370d772e532e0f08bfebd9)
2007-10-10r12542: Move some more prototypes out to seperate headersJelmer Vernooij1-0/+1
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2007-10-10r12362: Along with a cracknames change in the previous commit, this shouldAndrew Bartlett1-9/+15
allow Win2000 machines to again use kerberos with Samba4. Andrew Bartlett (This used to be commit 5770409dcd0151a7303b16c565b1f68845b8622d)
2007-10-10r12327: ENT_TYPE_ANY isn't used anywhere in Samba4, so don't implement it in ↵Andrew Bartlett1-21/+7
hdb-ldb. Andrew Bartlett (This used to be commit 96e124b7bb9a916bbdfbfa36d24a1dafa262c552)
2007-10-10r12269: Update to current lorikeet-heimdal. This changed the way the hdbAndrew Bartlett1-104/+90
interface worked, so hdb-ldb.c and the glue have been updated. Andrew Bartlett (This used to be commit 8fd5224c6b5c17c3a2c04c7366b7e367012db77e)
2007-10-10r12179: Allow our KDC to use LDAP to get to the backend database.Andrew Bartlett1-11/+32
To avoid a circular depenency, it is not allowed to use Krb5 as an authentication mechanism, so this must be removed from the list. An extension to the credentials system allows this function. Also remove proto.h use for any of the KDC, and use NTSTATUS returns in more places. Andrew Bartlett (This used to be commit 5f9dddd02c9c821675d2ccd07561a55edcd7f5b4)
2007-10-10r12036: Fix more KDC memory leaks (and there are probably still more...).Andrew Bartlett1-0/+4
Andrew Bartlett (This used to be commit 0c4ea6f6413e260a15c0afe331a066ea7051fd9f)
2007-10-10r12035: Fix memory leaks in the KDC.Andrew Bartlett1-0/+3
Andrew Bartlett (This used to be commit b60531b109cf9539a9d58d46436f397346352cee)
2007-10-10r11987: Clarify the accountExpires behaviour in the KDC.Andrew Bartlett1-4/+5
Andrew Bartlett (This used to be commit 05334e98fb1658965a822517365a86bc3906378b)
2007-10-10r11572: Add support for accountExpires and password expiry (should cause theAndrew Bartlett1-2/+32
ticket to be reduced in validity). Andrew Bartlett (This used to be commit 5575a1443b5225140f401bde7f897f96dfe73b39)
2007-10-10r11567: Ldb API change patch.Simo Sorce1-34/+36
This patch changes the way lsb_search is called and the meaning of the returned integer. The last argument of ldb_search is changed from struct ldb_message to struct ldb_result which contains a pointer to a struct ldb_message list and a count of the number of messages. The return is not the count of messages anymore but instead it is an ldb error value. I tryed to keep the patch as tiny as possible bu as you can guess I had to change a good amount of places. I also tried to double check all my changes being sure that the calling functions would still behave as before. But this patch is big enough that I fear some bug may have been introduced anyway even if it passes the test suite. So if you are currently working on any file being touched please give it a deep look and blame me for any error. Simo. (This used to be commit 22c8c97e6fb466b41859e090e959d7f1134be780)
2007-10-10r11544: Allow delegation in a Samba4 realm.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit c4a9d025d6485c19bf1f2e98f83ac68b276247e4)
2007-10-10r11543: A major upgrade to our KDC and PAC handling.Andrew Bartlett1-79/+52
We now put the PAC in the AS-REP, so that the client has it in the TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the client wants a ticket. This should also allow us to interop with windows KDCs. If we get an invalid PAC at the TGS stage, we just drop it. I'm slowly trying to move the application logic out of hdb-ldb.c, and back in with the rest of Samba's auth system, for consistancy. This continues that trend. Andrew Bartlett (This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
2007-10-10r11536: Add a hook for client-principal access control to hdb-ldb, re-usingAndrew Bartlett1-11/+93
the code in auth/auth_sam.c for consistancy. This will also allow us to have one place for a backend directory hook. I will use a very similar hook to add the PAC. Andrew Bartlett (This used to be commit 4315836cd8c94eb8340c4050804face4d0066810)
2007-10-10r11525: Move lookups (including the attribute search) for users fromAndrew Bartlett1-43/+22
kdc/hdb-ldb.c to share the routines used for auth/ This will require keeping the attribute list in sync, but I think it is worth it for the next steps (sharing the server_info generation). Andrew Bartlett (This used to be commit da38bcefa752a508abd28e8ff6277b493d24c2dd)
2007-10-10r11524: More work on our hdb backend in the KDC.Andrew Bartlett1-116/+78
The aim here is to restructure the queries to match the queries we do in auth, then to share the code that does the actual query (at least for user logins). Then we can generate the PAC from that shared query, rather than a seperate query. Andrew Bartlett (This used to be commit 4395d087e19286536dbb41fa5758491b302fa437)
2007-10-10r11333: Push service principal lookups into the cracknames code, rather thanAndrew Bartlett1-166/+92
in the hdb-ldb code. Andrew Bartlett (This used to be commit f71149c88d9648f5b2b1d1480dc8d45c551b0231)
2007-10-10r11322: Start moving towards using the cracknames code in the KDC.Andrew Bartlett1-26/+70
Andrew Bartlett (This used to be commit cf67af421686e7a89334e10296a3a07c1f8f6298)
2007-10-10r11206: It appears to me that any account may operate as a server.Andrew Bartlett1-1/+5
Andrew Bartlett (This used to be commit 3b6c9c7cbc1d5c4dd32d3c1db18ddbccbb8cf17a)
2007-10-10r10810: This adds the hooks required to communicate the current user from theAndrew Bartlett1-1/+1
authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2007-10-10r9931: Make use of new 'norealm' parsing functions rather than strchr(p '@').Andrew Bartlett1-11/+15
Merge these norealm functions from lorikeet-heimdal. Andrew Bartlett (This used to be commit 6aef275efd7f434f65824eb3dd129c8e5efd8731)
2007-10-10r9792: Rename StrCaseCmp -> strcasecmp_m. All these years I was thinkingJelmer Vernooij1-1/+1
StrCaseCmp was sys_strcasecmp, while it is in fact strcasecmp_m! (This used to be commit 200a8f6652cb2de7a8037a7a4c2a204b50aee2b1)
2007-10-10r9392: Fix ldb_dn_compose to make build farm happySimo Sorce1-3/+2
Add ldb_dn_string_compose so that you can build a dn starting from a struct ldb_dn base and a set of parameters to be composed in a format string with the same syntax of printf (This used to be commit 31c69d0655752cc8ea3bc5b7ea87792291302091)
2007-10-10r9391: Convert all the code to use struct ldb_dn to ohandle ldap like ↵Simo Sorce1-27/+35
distinguished names Provide more functions to handle DNs in this form (This used to be commit 692e35b7797e39533dd2a1c4b63d9da30f1eb5ba)
2007-10-10r9310: Add two missing return statements after null pointer checks to fix ↵Steve French1-0/+2
potential oops in kdc code. Found by coverity. (This used to be commit 3b707b928969c87ac7e9948a567a3ebbc754f28c)
2007-10-10r9235: Remove attribute search we no longer reference.Andrew Bartlett1-1/+0
Andrew Bartlett (This used to be commit cf8bf1e9f3d771fb3ea14949cd6963c3e9ac6c2d)
2007-10-10r9170: fix crash bugStefan Metzmacher1-2/+3
metze (This used to be commit 232b04bf3e5ff185cf8c6401a19960afd42b5d6c)
2007-10-10r8520: fixed a pile of warnings from the build farm gcc -Wall output onAndrew Tridgell1-3/+6
S390. This is an attempt to avoid the panic we're seeing in the automatic builds. The main fixes are: - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats - use of NULL format statements to perform dn searches. - assumption that sizeof() returns an int (This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
2007-10-10r8511: This 'can't happen', but GCC gives warnings because it thinks it can.Andrew Bartlett1-2/+6
Andrew Bartlett (This used to be commit 40088b9566e8f63897958fc99d99dedb38e0cb69)
2007-10-10r8363: - we need to correct the realm for the krbtgt/NETBIOSDOMAINREALMStefan Metzmacher1-7/+24
into krbtgt/DNS.DOMAIN.REALM too with this a windows client asks for the correct ticket when you try to login (but it's still not working correct, as some how we mess up the dns host name of the client and it asks for the wrong service principal) - fix some compiler wranings - fix some debug messages metze (This used to be commit c4c93eeec20ceb062d37f392139a5ef8bbb626f5)
2007-10-10r8249: Clarify (with a comment) why we are playing these games here.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit 33dcbe938df532e63b9c02c2b6cef11090021481)
2007-10-10r8181: Allow host/foo.realm/realm@REALM requests, assuming that the realmAndrew Bartlett1-1/+9
forms both differ only in case. We may need a better solution than this later. Andrew Bartlett (This used to be commit a0ad13f5bceb17c1b856548825e5509921b409f0)
2007-10-10r7993: Further work on the Krb5 PAC.Andrew Bartlett1-4/+6
We now generate the PAC, and can verifiy both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, spits out the code to get the information we need from the NETLOGON server back into a auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be veified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
2007-10-10r7969: It seems reasonable that our tickets be marked renewable, in theAndrew Bartlett1-0/+2
absense of an apparent AD flag to control this behaviour. Andrew Bartlett (This used to be commit 9886aa6f0e64cdb30774bfba3f2c683a3dbec9c4)
2007-10-10r7765: Thanks to Maurice Massar <massar@unix-ag.uni-kl.de> for spotting thatAndrew Bartlett1-1/+1
I missed one spot in moving from hdb_ent_type to the internal-to-hdb-ldb hdb_ldb_ent_type, which results in a Kerberos: Server has invalid flag set -- krbtgt/....@.... on kinit. Andrew Bartlett (This used to be commit 2358e0c0e4f2a3db78a8db360abc296f98bcb549)
2007-10-10r7680: Move to using our own private enum for the principal type inside theAndrew Bartlett1-30/+40
hdb-ldb module. This removes the need for the KRBTGT case to exist in the broader heimdal code. Andrew Bartlett (This used to be commit fb83465dbccae8af5eb26f735e60f3f40e944446)
2007-10-10r7651: Only convert SERVER requests to KRBTGT requests.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit a948e743bbc691798e6a956b35d8e09cfc91f988)
2007-10-10r7520: Fix memory leak in hdb-ldb.cAndrew Bartlett1-0/+3
Andrew Bartlett (This used to be commit 7f6a7f7fc521f41c811c51fb692f408dc570f4cd)
2007-10-10r7304: Make the libkdc actually work:Andrew Bartlett1-57/+7
- Remove (some) excess logging - use samdb_connect() to hook into the right handling for multiple tdb handles - move the connect to the server startup, rather than per-packet. - Fix config.mk dependency Tested with a WinXP domain join. Andrew Bartlett (This used to be commit 13cf51612d91385c6df5deadbf126bcc583f797d)
2007-10-10r7270: A big revamp to the way we handle kerberos errors in Samba4. We nowAndrew Bartlett1-2/+0
fill in the function pointers to handle the logging, and catch all the kerberos warnings. (Currently at level 3). To avoid a memory leak, this requries a new function: krb5_freelog(), which I've added to lorikeet/heimdal. This also required a revamp to how we handle the krb5_context, so as to make it easier to handle with talloc destructors. Andrew Bartlett (This used to be commit 63272794c41231b335b73e7ccf349282f295c4d2)
2007-10-10r7264: fix up the socket handling for abartlet. Still only udp, but it won'tAndrew Tridgell1-10/+3
be hard to do tcp as well. (This used to be commit 7cbb95d3f55dbaf9ca606655377682841e4c534d)
2007-10-10r7241: The KDC almost links...Andrew Bartlett1-0/+1066
Using current lorikeet/heimdal, and with the KDC module enabled (it is disabled by default), I almost get the KDC to link. (To enable the KDC for testing, comment out the only line in smbd/config.m4, and add 'kdc' to the 'server services' line in smb.conf). (This used to be commit 26cd4b4f68a370390e08263067402c6c70e49ec8)