summaryrefslogtreecommitdiff
path: root/source4/kdc/kdc.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r20988: Call out to Heimdal's krb5.conf processing to configure many aspectsAndrew Bartlett1-22/+19
of KDC behaviour. This should allow PKINIT to be turned on and managed with reasonable sanity. This also means that the krb5.conf in the same directory as the smb.conf will always have priority in Samba4, which I think will be useful. Andrew Bartlett (This used to be commit a50bbde81b010bc5d06e3fc3417ade44627eb771)
2007-10-10r20639: Commit part 1 of 2.Andrew Bartlett1-0/+34
This patch updates our build system and glue to support a new snapshot of lorikeet-heimdal. We now procude a [SUBSYTEM] in the ans1_deps.pl script, and can depend on that in the heimdal_build/config.mk. This is much easier than listing every generated .o file individually. This required some small changes to the build system, due to the way the parent directory was handled for the output of scripts. I've also cleaned up et_deps.pl to handle cleaning up it's generated files on clean. The PAC glue in Heimdal has changed significantly: we no longer have a custom hack in the KDC, instead we have the windc plugin interface. As such, pac-glue.c is much smaller. In the future, when I'm confident of the new code, we will also be able to 'downsize' auth/kerberos/kerberos_pac.c. (I'll include the updated copy of heimdal in the next chekin, to make it clearer what's changed in Samba4 itself). Andrew Bartlett (This used to be commit 75fddbbc0811010a28ca5bb597b573b3f10ef6d6)
2007-10-10r20152: Commit missing files from last night's commit. We no longer maintainAndrew Bartlett1-2/+1
a distinction between PDC and BDC in the configuration files, only as an entry in the ldb. Andrew Bartlett (This used to be commit dc9eee7cb37e4a6828c2cba23b0d836df9eac7b5)
2007-10-10r19604: This is a massive commit, and I appologise in advance for it's size.Andrew Bartlett1-7/+17
This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
2007-10-10r17930: Merge noinclude branch:Jelmer Vernooij1-1/+1
* Move dlinklist.h, smb.h to subsystem-specific directories * Clean up ads.h and move what is left of it to dsdb/ (only place where it's used) (This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
2007-10-10r17586: merge lib/netif into lib/socket and use -lnsl -lsocket on theStefan Metzmacher1-1/+1
configure check for the interfaces. should fix the build on some old sun boxes metze (This used to be commit f20e251bfd9f1eb7ce5c00739631b1625a2aa467)
2007-10-10r15830: fixed two kdc memory leaksAndrew Tridgell1-1/+1
(This used to be commit cc290ece92196d2bdf39eaa9d3bb4a0af6ec782c)
2007-10-10r15356: Remove unused 'flags' argument from socket_send() and friends.Andrew Bartlett1-2/+2
This is in preperation for making TLS a socket library. Andrew Bartlett (This used to be commit a312812b92f5ac7e6bd2c4af725dbbbc900d4452)
2007-10-10r14079: I just found the setproctitle library from alt linux:-)Stefan Metzmacher1-0/+2
- add set_title hook to the process models - use setproctitle library in process_model standard if available - the the title for the task servers and on connections metze (This used to be commit 526f20bbecc9bbd607595637c15fc4001d3f0c70)
2007-10-10r13926: More header splitups.Jelmer Vernooij1-0/+1
(This used to be commit 930daa9f416ecba1d75b8ad46bb42e336545672f)
2007-10-10r13924: Split more prototypes out of include/proto.h + initial work on headerJelmer Vernooij1-1/+2
file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
2007-10-10r13516: We can't bind to both 0.0.0.0 and specific network interfaces at theAndrew Bartlett1-7/+0
same time. This was causing the kdc to shut itself down if 'bind interfaces only = no'. Andrew Bartlett (This used to be commit 02ff22a25050687478cfcca4dce35c2346cc2241)
2007-10-10r13321: Bind to each interface and to the 0.0.0.0 interface on the KDC. ThisAndrew Bartlett1-9/+24
was pointed out by Maurice Massar. It ensures we get the addresses for the krb5_mk_priv() correct (otherwise an MIT kpasswdd fails over localhost). Also never run the KDC unless we are a DC. Andrew Bartlett (This used to be commit c17007918459678004a009ccaa50fb85e8b6a739)
2007-10-10r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in ourAndrew Bartlett1-2/+7
case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
2007-10-10r12804: This patch reworks the Samba4 sockets layer to use a socket_addressAndrew Bartlett1-48/+32
structure that is more generic than just 'IP/port'. It now passes make test, and has been reviewed and updated by metze. (Thankyou *very* much). This passes 'make test' as well as kerberos use (not currently in the testsuite). The original purpose of this patch was to have Samba able to pass a socket address stucture from the BSD layer into the kerberos routines and back again. It also removes nbt_peer_addr, which was being used for a similar purpose. It is a large change, but worthwhile I feel. Andrew Bartlett (This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
2007-10-10r12682: This patch finally fixes our kpasswdd implementation to be compatibleAndrew Bartlett1-32/+54
with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2007-10-10r12179: Allow our KDC to use LDAP to get to the backend database.Andrew Bartlett1-6/+4
To avoid a circular depenency, it is not allowed to use Krb5 as an authentication mechanism, so this must be removed from the list. An extension to the credentials system allows this function. Also remove proto.h use for any of the KDC, and use NTSTATUS returns in more places. Andrew Bartlett (This used to be commit 5f9dddd02c9c821675d2ccd07561a55edcd7f5b4)
2007-10-10r12121: remove some dublicate codeStefan Metzmacher1-44/+19
metze (This used to be commit 2fe8a643d3d01e669d40f714d58502b00e2446c5)
2007-10-10r11968: More warning fixes. We're on track to getting to double digits forTim Potter1-4/+4
the number of warnings generated now. (This used to be commit d479f2d7607adc698d71c5ba26932c72a26dcaab)
2007-10-10r11930: Add socket/packet handling code for kpasswddAndrew Bartlett1-3/+13
Allow ticket requests with only a netbios name to be considered 'null' addresses, and therefore allowed by default. Use the netbios address as the workstation name for the allowed workstations check with krb5. Andrew Bartlett (This used to be commit 328fa186f2df5cdd42be679d92b5f07f7ed22d87)
2007-10-10r11713: separate out the setting of the fde in the packet context from theAndrew Tridgell1-1/+2
enabling of packet serialisation (This used to be commit 6a47cd65a8b588f9ddd375c57caaba08281e7cbb)
2007-10-10r11621: some minor fixes from comments by metzeAndrew Tridgell1-3/+3
(This used to be commit 6ab808223475ba7c52dbe4d639af9a8e7f64b202)
2007-10-10r11619: use the 32 bit length helper in the kdc.Andrew Tridgell1-23/+1
(This used to be commit 24f20eed0e242aab76ce8f0f8db7266ddc9ec97b)
2007-10-10r11608: switched the kdc to use the generic packet send codeAndrew Tridgell1-40/+10
(This used to be commit 2cbcc8a919a5164bd57143ffc778f49011b9eee6)
2007-10-10r11604: converted the kdc code to use the new packet lib. Andrew, I'm not sureAndrew Tridgell1-78/+67
how to test this, can you have a look and see if it works for you? Is there some hidden switch to kinit to use tcp? (This used to be commit 0a797712fb9b11996ce035a77907000130b6f616)
2007-10-10r11540: Some notes to myself on RFC complience.Andrew Bartlett1-0/+7
Andrew Bartlett (This used to be commit 6d439cae989efff7530d75e5dd21faa8e5230059)
2007-10-10r11239: Use ${REALM} for the realm in rootdse.ldifAndrew Bartlett1-96/+166
Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2007-10-10r11106: Make the KDC handler plugable, as I want to drop kpasswdd into exactlyAndrew Bartlett1-16/+34
the same spot (it has identical TCP sementics). Andrew Bartlett (This used to be commit 84d6118e8762608af0945279d80ad0f898e693d9)
2007-10-10r10987: add support for tcp kdc requestsStefan Metzmacher1-6/+271
metze (This used to be commit 4c4f19cc23d256c600819e8b0fddc7734b97e131)
2007-10-10r10562: Ensure we initalise the error table with hdb errors. This ensures weAndrew Bartlett1-0/+2
get good text error strings. Andrew Bartlett (This used to be commit 0600202067c00dd5d5d8be2d6559f66b46108f07)
2007-10-10r8586: register the kdc with irpc so we can tell that it is upAndrew Tridgell1-0/+3
(This used to be commit 093bbae1c391a999131f249b3aa9a9e3ce99a555)
2007-10-10r8520: fixed a pile of warnings from the build farm gcc -Wall output onAndrew Tridgell1-1/+1
S390. This is an attempt to avoid the panic we're seeing in the automatic builds. The main fixes are: - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats - use of NULL format statements to perform dn searches. - assumption that sizeof() returns an int (This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
2007-10-10r8161: Update Samba4 for the new Heimdal update.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 6a9b6373273f135fe012a6603707d77c2a65e9fa)
2007-10-10r7993: Further work on the Krb5 PAC.Andrew Bartlett1-1/+3
We now generate the PAC, and can verifiy both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, spits out the code to get the information we need from the NETLOGON server back into a auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be veified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
2007-10-10r7911: task_terminate() is defined in the macosx headers, so change the nameAndrew Tridgell1-7/+7
to task_server_terminate() (This used to be commit a7447e25ac203f0ee09ffdf72df1094eb70e7c0c)
2007-10-10r7508: Fix memory leak of outgoing packets in the KDC.Andrew Bartlett1-0/+3
Andrew Bartlett (This used to be commit 6f7bb00c7e59444cde0c25b6f83e1c335d86ee32)
2007-10-10r7484: the previous bug can also affect the kdcAndrew Tridgell1-1/+2
(This used to be commit ee8bf9db4a619b40ae71b5e97ea7640483587573)
2007-10-10r7304: Make the libkdc actually work:Andrew Bartlett1-0/+3
- Remove (some) excess logging - use samdb_connect() to hook into the right handling for multiple tdb handles - move the connect to the server startup, rather than per-packet. - Fix config.mk dependency Tested with a WinXP domain join. Andrew Bartlett (This used to be commit 13cf51612d91385c6df5deadbf126bcc583f797d)
2007-10-10r7297: make the code more readableStefan Metzmacher1-6/+8
metze (This used to be commit f9b4448ec536ea23699d959bcf44e359d5c4ba23)
2007-10-10r7270: A big revamp to the way we handle kerberos errors in Samba4. We nowAndrew Bartlett1-8/+7
fill in the function pointers to handle the logging, and catch all the kerberos warnings. (Currently at level 3). To avoid a memory leak, this requries a new function: krb5_freelog(), which I've added to lorikeet/heimdal. This also required a revamp to how we handle the krb5_context, so as to make it easier to handle with talloc destructors. Andrew Bartlett (This used to be commit 63272794c41231b335b73e7ccf349282f295c4d2)
2007-10-10r7264: fix up the socket handling for abartlet. Still only udp, but it won'tAndrew Tridgell1-24/+62
be hard to do tcp as well. (This used to be commit 7cbb95d3f55dbaf9ca606655377682841e4c534d)
2007-10-10r7259: Move the recv handler out into a seperate function (suggestion fromAndrew Bartlett1-51/+72
tridge) Andrew Bartlett (This used to be commit 6329f2ee369533839d209a1c86fe7949a4037fbe)
2007-10-10r7241: The KDC almost links...Andrew Bartlett1-5/+61
Using current lorikeet/heimdal, and with the KDC module enabled (it is disabled by default), I almost get the KDC to link. (To enable the KDC for testing, comment out the only line in smbd/config.m4, and add 'kdc' to the 'server services' line in smb.conf). (This used to be commit 26cd4b4f68a370390e08263067402c6c70e49ec8)
2007-10-10r7221: Add the start of a KDC service (to be built on a 'libkdc' from a to beAndrew Bartlett1-0/+187
included Heimdal) to Samba4. Andrew Bartlett (This used to be commit 51ba3ea60c265b837821b6c3e031dfe229c10d6a)