summaryrefslogtreecommitdiff
path: root/source4/kdc/hdb-ldb.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r20639: Commit part 1 of 2.Andrew Bartlett1-6/+2
This patch updates our build system and glue to support a new snapshot of lorikeet-heimdal. We now procude a [SUBSYTEM] in the ans1_deps.pl script, and can depend on that in the heimdal_build/config.mk. This is much easier than listing every generated .o file individually. This required some small changes to the build system, due to the way the parent directory was handled for the output of scripts. I've also cleaned up et_deps.pl to handle cleaning up it's generated files on clean. The PAC glue in Heimdal has changed significantly: we no longer have a custom hack in the KDC, instead we have the windc plugin interface. As such, pac-glue.c is much smaller. In the future, when I'm confident of the new code, we will also be able to 'downsize' auth/kerberos/kerberos_pac.c. (I'll include the updated copy of heimdal in the next chekin, to make it clearer what's changed in Samba4 itself). Andrew Bartlett (This used to be commit 75fddbbc0811010a28ca5bb597b573b3f10ef6d6)
2007-10-10r20406: Metze's change in -r 19662 broke Kerberos logins from Win2k3.Andrew Bartlett1-0/+25
The reason is long and complex, but is due to forwardable tickets: We would extract the forwardable ticket from the GSSAPI payload, and look for the expiry time of the ticket for krbtgt/REALM@REALM. However, with -r 19662 the ticket is given to the client as being for krbtgt/realm@REALM, as it asked for a lower case realm. Heimdal is case sensitive for realms, and bails out. (It should just not store the forwarded ticket). We need to co-ordinate changes in the KDC with relaxation of checks in Heimdal, and a better kerberos behaviour testsuite. Andrew Bartlett (This used to be commit be4c1a36b0e31cbb680d55e8d933818dc3c7435b)
2007-10-10r20034: Start using ldb_search_exp_fmt()Simo Sorce1-12/+6
(This used to be commit 4f07542143ddf5066f0360d965f26a8470504047)
2007-10-10r19832: better prototypes for the linearization functions:Simo Sorce1-1/+1
- ldb_dn_get_linearized returns a const string - ldb_dn_alloc_linearized allocs astring with the linearized dn (This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
2007-10-10r19831: Big ldb_dn optimization and interfaces enhancement patchSimo Sorce1-10/+14
This patch changes a lot of the code in ldb_dn.c, and also removes and add a number of manipulation functions around. The aim is to avoid validating a dn if not necessary as the validation code is necessarily slow. This is mainly to speed up internal operations where input is not user generated and so we can assume the DNs need no validation. The code is designed to keep the data as a string if possible. The code is not yet 100% perfect, but pass all the tests so far. A memleak is certainly present, I'll work on that next. Simo. (This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
2007-10-10r19662: windows 2003 kdc's only rewrite the realm to the full form,Stefan Metzmacher1-27/+1
when the client is using the netbios domain name as realm. we should match this and not rewrite the principal. This matches what windows give: metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./kinit administrator@SERNOXDOM4 administrator@SERNOXDOM4's Password: metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./klist Credentials cache: FILE:/tmp/krb5cc_10000 Principal: administrator@SERNOXDOM4.MX.BASE Issued Expires Principal Nov 11 13:37:52 Nov 11 23:37:52 krbtgt/SERNOXDOM4@SERNOXDOM4.MX.BASE Note: I need to disable the principal checks in heimdal's _krb5_extract_ticket() for the kinit to work. Any ideas how to change heimdal to support this. For the service principal we should use the realm and principal in req->kdc_rep.enc_part instead of the unencrypted req->kdc.ticket.sname and req->kdc.ticket.realm to have a trusted value. I'm not sure what we can do with the client realm... metze (This used to be commit cfee02143f06ed6ff5832e95fa69634f5dd883da)
2007-10-10r19604: This is a massive commit, and I appologise in advance for it's size.Andrew Bartlett1-2/+4
This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
2007-10-10r19598: Ahead of a merge to current lorikeet-heimdal:Andrew Bartlett1-0/+2
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10r19299: Fix possible memleaksSimo Sorce1-4/+1
(This used to be commit 6fad80bb09113a60689061a2de67711c9924708b)
2007-10-10r17930: Merge noinclude branch:Jelmer Vernooij1-1/+1
* Move dlinklist.h, smb.h to subsystem-specific directories * Clean up ads.h and move what is left of it to dsdb/ (only place where it's used) (This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
2007-10-10r17824: add a wrapper for the common partitions_basedn calculationAndrew Tridgell1-2/+2
(This used to be commit 09007b0907662a0d147e8eb21d5bdfc90dbffefc)
2007-10-10r17516: Change helper function names to make more clear what they are meant ↵Simo Sorce1-8/+8
to do (This used to be commit ad75cf869550af66119d0293503024d41d834e02)
2007-10-10r16964: Remove extra debugs no longer required in a working KDCAndrew Bartlett1-26/+21
Implement the 'DES only' flag. Andrew Bartlett (This used to be commit 9d42bb4b3d2a45da02f0525386468161494852cd)
2007-10-10r16237: Use an appropriate basedn for these searches, so they occour into theAndrew Bartlett1-2/+4
correct partition. Andrew Bartlett (This used to be commit f661dafe4edcd017a8d3bda1a40ff8b0d7a1348e)
2007-10-10r16056: Fix errors found by trying to use our kpasswd server and the Apple ↵Andrew Bartlett1-4/+1
client. Andrew Bartlett (This used to be commit ae2913898c983dcba69b5d0b89c428e450e9bf5f)
2007-10-10r15883: Make sure timegm() prototype is available (on systems where we've had toJim McDonough1-0/+1
replace it) (This used to be commit eef117e4454ed5faeddfc0b18bd4f0128c922f36)
2007-10-10r15853: started the process of removing the warnings now thatAndrew Tridgell1-2/+1
talloc_set_destructor() is type safe. The end result will be lots less use of void*, and less calls to talloc_get_type() (This used to be commit 6b4c085b862c0932b80b93e316396a53b993544c)
2007-10-10r15830: fixed two kdc memory leaksAndrew Tridgell1-13/+7
(This used to be commit cc290ece92196d2bdf39eaa9d3bb4a0af6ec782c)
2007-10-10r15573: Fix build of systems that have iconv headers in non-standard locationsJelmer Vernooij1-1/+0
Split of system/locale.h header from system/iconv.h Previously, iconv wasn't being used on these systems (This used to be commit aa6d66fda69779d1c2948a1aca85dbd5208f1cba)
2007-10-10r15497: I'm not really sure this is correct in terms of how we should be ↵Andrew Bartlett1-0/+4
responding to krbtgt/MY.REALM@MY.REALM TGS ticket requests, but for the moment, these are still marked as 'server' requests by the kerberos5.c caller. Andrew Bartlett (This used to be commit afaee0a6b7aba3db118e6529c341c9377bc26546)
2007-10-10r15481: Update heimdal/ to match current lorikeet-heimdal.Andrew Bartlett1-161/+199
This includes many useful upstream changes, many of which should reduce warnings in our compile. It also includes a change to the HDB interface, which removes the need for Samba4/lorikeet-heimdal to deviate from upstream for hdb_fetch(). The new flags replace the old entry type enum. (This required the rework in hdb-ldb.c included in this commit) Andrew Bartlett (This used to be commit ef5604b87744c89e66e4d845f45b23563754ec05)
2007-10-10r15480: Patch from lha, to ensure we don't leave a free()'ed element in theAndrew Bartlett1-3/+1
principal on strdup failure. Andrew Bartlett (This used to be commit d72fafc1f0089212634fc1a77352b47970e82410)
2007-10-10r14427: don't reference short_princ after it is freedAndrew Tridgell1-1/+1
(This used to be commit 8ca4681861e24ddf7c4abcc97a4cf0e001d13e24)
2007-10-10r13924: Split more prototypes out of include/proto.h + initial work on headerJelmer Vernooij1-0/+2
file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
2007-10-10r13910: Fix the 'your password has expired' on every login. We now considerAndrew Bartlett1-7/+5
if the 'password does not expire' flag has been set, filling in the PAC and netlogon reply correctly if so. Andrew Bartlett (This used to be commit c530ab5dc6865c422382bc0afa7a86f7ec1acdf2)
2007-10-10r13252: Cleanup, both in code, comments and talloc use:Andrew Bartlett1-23/+12
In particular, I've used the --leak-report-full option to smbd to track down memory that shouldn't be on a long-term context. This is now talloc_free()ed much earlier. Andrew Bartlett (This used to be commit c6eb74f42989d62c82d2a219251837b09df8491c)
2007-10-10r13207: Use the new API for using/not using kerbeors in hdb-ldb.cAndrew Bartlett1-5/+3
Update the rootdse module to use the new schema. Andrew Bartlett (This used to be commit b0b150d08ac39ed486071487826da2e306db6a0b)
2007-10-10r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in ourAndrew Bartlett1-2/+19
case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
2007-10-10r13069: adding a hack on instructions from andrewAndrew Tridgell1-1/+2
(This used to be commit 65cf522b5e079de2cfd5fc989350cc127f6c5baa)
2007-10-10r12681: Allow an entry to have no kerberos keys. This occours when an entryAndrew Bartlett1-16/+24
is new, and has no password. It may also occour in the future if we allow PKINIT. In any case, it shouldn't segfault :-) Andrew Bartlett (This used to be commit 686fea241b7a8ca286099eadfa2ed177367dafdc)
2007-10-10r12631: Now we have fixed the provision script, we don't need to work aroundAndrew Bartlett1-1/+1
it here. Andrew Bartlett (This used to be commit f282fab6113cbd6a431139cbe7f021864f31c3d1)
2007-10-10r12599: This new LDB module (and associated changes) allows Samba4 to operateAndrew Bartlett1-100/+20
using pre-calculated passwords for all kerberos key types. (Previously we could only use these for the NT# type). The module handles all of the hash/string2key tasks for all parts of Samba, which was previously in the rpc_server/samr/samr_password.c code. We also update the msDS-KeyVersionNumber, and the password history. This new module can be called at provision time, which ensures we start with a database that is consistent in this respect. By ensuring that the krb5key attribute is the only one we need to retrieve, this also simplifies the run-time KDC logic. (Each value of the multi-valued attribute is encoded as a 'Key' in ASN.1, using the definition from Heimdal's HDB. This simplfies the KDC code.). It is hoped that this will speed up the KDC enough that it can again operate under valgrind. (This used to be commit e9022743210b59f19f370d772e532e0f08bfebd9)
2007-10-10r12542: Move some more prototypes out to seperate headersJelmer Vernooij1-0/+1
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2007-10-10r12362: Along with a cracknames change in the previous commit, this shouldAndrew Bartlett1-9/+15
allow Win2000 machines to again use kerberos with Samba4. Andrew Bartlett (This used to be commit 5770409dcd0151a7303b16c565b1f68845b8622d)
2007-10-10r12327: ENT_TYPE_ANY isn't used anywhere in Samba4, so don't implement it in ↵Andrew Bartlett1-21/+7
hdb-ldb. Andrew Bartlett (This used to be commit 96e124b7bb9a916bbdfbfa36d24a1dafa262c552)
2007-10-10r12269: Update to current lorikeet-heimdal. This changed the way the hdbAndrew Bartlett1-104/+90
interface worked, so hdb-ldb.c and the glue have been updated. Andrew Bartlett (This used to be commit 8fd5224c6b5c17c3a2c04c7366b7e367012db77e)
2007-10-10r12179: Allow our KDC to use LDAP to get to the backend database.Andrew Bartlett1-11/+32
To avoid a circular depenency, it is not allowed to use Krb5 as an authentication mechanism, so this must be removed from the list. An extension to the credentials system allows this function. Also remove proto.h use for any of the KDC, and use NTSTATUS returns in more places. Andrew Bartlett (This used to be commit 5f9dddd02c9c821675d2ccd07561a55edcd7f5b4)
2007-10-10r12036: Fix more KDC memory leaks (and there are probably still more...).Andrew Bartlett1-0/+4
Andrew Bartlett (This used to be commit 0c4ea6f6413e260a15c0afe331a066ea7051fd9f)
2007-10-10r12035: Fix memory leaks in the KDC.Andrew Bartlett1-0/+3
Andrew Bartlett (This used to be commit b60531b109cf9539a9d58d46436f397346352cee)
2007-10-10r11987: Clarify the accountExpires behaviour in the KDC.Andrew Bartlett1-4/+5
Andrew Bartlett (This used to be commit 05334e98fb1658965a822517365a86bc3906378b)
2007-10-10r11572: Add support for accountExpires and password expiry (should cause theAndrew Bartlett1-2/+32
ticket to be reduced in validity). Andrew Bartlett (This used to be commit 5575a1443b5225140f401bde7f897f96dfe73b39)
2007-10-10r11567: Ldb API change patch.Simo Sorce1-34/+36
This patch changes the way lsb_search is called and the meaning of the returned integer. The last argument of ldb_search is changed from struct ldb_message to struct ldb_result which contains a pointer to a struct ldb_message list and a count of the number of messages. The return is not the count of messages anymore but instead it is an ldb error value. I tryed to keep the patch as tiny as possible bu as you can guess I had to change a good amount of places. I also tried to double check all my changes being sure that the calling functions would still behave as before. But this patch is big enough that I fear some bug may have been introduced anyway even if it passes the test suite. So if you are currently working on any file being touched please give it a deep look and blame me for any error. Simo. (This used to be commit 22c8c97e6fb466b41859e090e959d7f1134be780)
2007-10-10r11544: Allow delegation in a Samba4 realm.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit c4a9d025d6485c19bf1f2e98f83ac68b276247e4)
2007-10-10r11543: A major upgrade to our KDC and PAC handling.Andrew Bartlett1-79/+52
We now put the PAC in the AS-REP, so that the client has it in the TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the client wants a ticket. This should also allow us to interop with windows KDCs. If we get an invalid PAC at the TGS stage, we just drop it. I'm slowly trying to move the application logic out of hdb-ldb.c, and back in with the rest of Samba's auth system, for consistancy. This continues that trend. Andrew Bartlett (This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
2007-10-10r11536: Add a hook for client-principal access control to hdb-ldb, re-usingAndrew Bartlett1-11/+93
the code in auth/auth_sam.c for consistancy. This will also allow us to have one place for a backend directory hook. I will use a very similar hook to add the PAC. Andrew Bartlett (This used to be commit 4315836cd8c94eb8340c4050804face4d0066810)
2007-10-10r11525: Move lookups (including the attribute search) for users fromAndrew Bartlett1-43/+22
kdc/hdb-ldb.c to share the routines used for auth/ This will require keeping the attribute list in sync, but I think it is worth it for the next steps (sharing the server_info generation). Andrew Bartlett (This used to be commit da38bcefa752a508abd28e8ff6277b493d24c2dd)
2007-10-10r11524: More work on our hdb backend in the KDC.Andrew Bartlett1-116/+78
The aim here is to restructure the queries to match the queries we do in auth, then to share the code that does the actual query (at least for user logins). Then we can generate the PAC from that shared query, rather than a seperate query. Andrew Bartlett (This used to be commit 4395d087e19286536dbb41fa5758491b302fa437)
2007-10-10r11333: Push service principal lookups into the cracknames code, rather thanAndrew Bartlett1-166/+92
in the hdb-ldb code. Andrew Bartlett (This used to be commit f71149c88d9648f5b2b1d1480dc8d45c551b0231)
2007-10-10r11322: Start moving towards using the cracknames code in the KDC.Andrew Bartlett1-26/+70
Andrew Bartlett (This used to be commit cf67af421686e7a89334e10296a3a07c1f8f6298)
2007-10-10r11206: It appears to me that any account may operate as a server.Andrew Bartlett1-1/+5
Andrew Bartlett (This used to be commit 3b6c9c7cbc1d5c4dd32d3c1db18ddbccbb8cf17a)