summaryrefslogtreecommitdiff
path: root/source4/kdc/kpasswdd.c
AgeCommit message (Collapse)AuthorFilesLines
2009-10-08s3/s4 - Adapt the IDL changes on various locationsMatthias Dieter Wallnöfer1-9/+8
2009-09-16s4:kdc In the kpasswd server, don't use the client address in mk_privAndrew Bartlett1-0/+8
This code eventually calls into mk_priv in the Heimdal code, and if the client is behind NAT, or somehow has an odd idea about it's own network addresses, it will fail to accept this packet if we set an address. It seems easiser not to. (Found by testing with NetAPP at plugfest) Andrew Bartlett
2009-07-27s4:kdc Push context to hdb_samba4 by way of the 'name' of the DBAndrew Bartlett1-3/+9
This overloads the 'name' part of the keytab name to supply a context pointer, and so avoids 3 global variables! To do this, we had to stop putting the entry for kpasswd into the secrets.ldb. (I don't consider this a big loss, and any entry left there by an upgrade will be harmless). Andrew Bartlett
2009-03-01Use common header file for character set handling in Samba 3 and Samba 4.Jelmer Vernooij1-3/+2
2009-03-01s4: Use same function signature for convert_* as s3.Jelmer Vernooij1-8/+5
2009-03-01Add allow_badcharcnv argument to all conversion function, forJelmer Vernooij1-2/+2
consistency with Samba 3.
2009-02-13Remove auth/ntlm as a dependency of GENSEC by means of function pointers.Andrew Bartlett1-9/+10
When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2008-12-29s4:lib/tevent: rename structsStefan Metzmacher1-1/+1
list="" list="$list event_context:tevent_context" list="$list fd_event:tevent_fd" list="$list timed_event:tevent_timer" for s in $list; do o=`echo $s | cut -d ':' -f1` n=`echo $s | cut -d ':' -f2` r=`git grep "struct $o" |cut -d ':' -f1 |sort -u` files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4` for f in $files; do cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp mv $f.tmp $f done done metze
2008-11-02Add gensec_settings structure. This wraps loadparm_context for now, butJelmer Vernooij1-1/+3
should in the future only contain some settings required for gensec.
2008-10-24Remove iconv_convenience argument from convert_string{,talloc}() butJelmer Vernooij1-2/+2
make them wrappers around convert_string{,talloc}_convenience().
2008-10-24Remove iconv_convenience parameter from simple string push/pullJelmer Vernooij1-1/+1
functions.
2008-10-16Create a 'straight paper path' for UTF16 passwords.Andrew Bartlett1-11/+26
This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
2008-10-11Fix include paths to new location of libutil.Jelmer Vernooij1-1/+1
2008-08-26kdc: move references to heimdal internals into heimdal_build/kpasswd-glue.hStefan Metzmacher1-2/+1
metze (This used to be commit 65057f17b0d9e83f1b775afdeb7ea91ce0e52cd1)
2008-08-01libreplace: include <krb5.h> and <com_err.h> and no heimdal specific headersStefan Metzmacher1-2/+11
metze (This used to be commit cffed8e19e22a1fa7b7a322b153df5d54e4c3be2)
2008-08-01kdc: use mostly only public kerberos headersStefan Metzmacher1-2/+4
We shoule avoid using the private heimdal function _krb5_principalname2krb5_principal() metze (This used to be commit 10db07c69addce6e90851fb55738d5f9e142946b)
2008-06-04kdc: we don't need any *_locl.h header from heimdal in the kdcStefan Metzmacher1-1/+1
metze (This used to be commit feca16dd6d03730b4a67adf5d912ba2d5e1a3025)
2008-04-17Specify event_context to ldb_wrap_connect explicitly.Jelmer Vernooij1-2/+2
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
2008-04-17Remove event context tracking from the credentials struct.Jelmer Vernooij1-1/+1
(This used to be commit 4d7fc946b2ec50e774689c9036423b6feef99b8e)
2007-12-21r26430: require explicit specification of loadparm context.Jelmer Vernooij1-1/+1
(This used to be commit 1b947fe0e6e16318e5a8127bb4932d6b5d20bcf6)
2007-12-21r26427: Avoid global_smb_iconv_convenience.Jelmer Vernooij1-1/+1
(This used to be commit bf072c6fb37b3e6a71c0c747b9fbeaa01480229e)
2007-12-21r26316: Use contexts for conversion functions.Jelmer Vernooij1-1/+1
(This used to be commit f6420d933b5b011d428974f3a2a57edf19e6f482)
2007-12-21r26260: Store loadparm context in gensec context.Jelmer Vernooij1-1/+1
(This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081)
2007-12-21r26252: Specify loadparm_context explicitly when creating sessions.Jelmer Vernooij1-3/+3
(This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede)
2007-12-21r26227: Make loadparm_context part of a server task, move loadparm_contexts ↵Jelmer Vernooij1-2/+2
further up the call stack. (This used to be commit 0721a07aada6a1fae6dcbd610b8783df57d7bbad)
2007-10-10r25548: Convert to standard bool type.Jelmer Vernooij1-33/+33
(This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
2007-10-10r25398: Parse loadparm context to all lp_*() functions.Jelmer Vernooij1-1/+2
(This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
2007-10-10r25000: Fix some more C++ compatibility warnings.Jelmer Vernooij1-1/+2
(This used to be commit 08bb1ef643ab906f1645cf6f32763dc73b1884e4)
2007-10-10r24613: Missed this in my recent commit -r 24611. We don't discriminate onAndrew Bartlett1-2/+0
where the password change came from, to determine if policy should be applied. We discriminate on if the account is a trust account. Andrew Bartlett (This used to be commit 48fd2889571b10a6057b9e271860e4951fc85c8b)
2007-10-10r23792: convert Samba4 to GPLv3Andrew Tridgell1-3/+2
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10r19832: better prototypes for the linearization functions:Simo Sorce1-2/+2
- ldb_dn_get_linearized returns a const string - ldb_dn_alloc_linearized allocs astring with the linearized dn (This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
2007-10-10r19604: This is a massive commit, and I appologise in advance for it's size.Andrew Bartlett1-1/+2
This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
2007-10-10r19598: Ahead of a merge to current lorikeet-heimdal:Andrew Bartlett1-0/+3
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10r18827: I forgot to commit this:Andrew Bartlett1-1/+2
Make kpasswdd use the new prototype for _krb5_principalname2krb5_principal() Andrew Bartlett (This used to be commit 989f40ea027328cdaa31dc89ce52b2243b4aad76)
2007-10-10r18636: Excessive testing with pam_winbind within Samba3 revealed a new samrGünther Deschner1-0/+3
reject reason code while password changing: SAMR_REJECT_IN_HISTORY which is different from SAMR_REJECT_COMPLEXITY. torture test to follow as well. Guenther (This used to be commit 7513748208214339e764cc990aa1dbbcf864975a)
2007-10-10r17930: Merge noinclude branch:Jelmer Vernooij1-1/+1
* Move dlinklist.h, smb.h to subsystem-specific directories * Clean up ads.h and move what is left of it to dsdb/ (only place where it's used) (This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
2007-10-10r17341: pass a messaging context to auth_context_create()Stefan Metzmacher1-3/+2
and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
2007-10-10r15328: Move some functions around, remove dependencies.Jelmer Vernooij1-1/+1
Remove some autogenerated headers (which had prototypes now autogenerated by pidl) Remove ndr_security.h from a few places - it's no longer necessary (This used to be commit c19c2b51d3e1ad347120b06a22bda5ec586c22e8)
2007-10-10r14856: fix bugs noticed by the ibm code checkerStefan Metzmacher1-8/+10
metze (This used to be commit f72e7d9dcd02f1f983b457163dee0a8df0186c79)
2007-10-10r14464: Don't include ndr_BASENAME.h files unless strictly required, insteadJelmer Vernooij1-0/+1
try to include just the BASENAME.h files (containing only structs) (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd)
2007-10-10r14380: Reduce the size of structs.hJelmer Vernooij1-0/+2
(This used to be commit 1a16a6f1dfa66499af43a6b88b3ea69a6a75f1fe)
2007-10-10r13903: Don't generate prototypes for modules and binaries in include/proto.h byJelmer Vernooij1-0/+1
default. (This used to be commit c80a8f1102caf744b66c13bebde38fba74983dc4)
2007-10-10r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in ourAndrew Bartlett1-1/+4
case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
2007-10-10r12804: This patch reworks the Samba4 sockets layer to use a socket_addressAndrew Bartlett1-6/+4
structure that is more generic than just 'IP/port'. It now passes make test, and has been reviewed and updated by metze. (Thankyou *very* much). This passes 'make test' as well as kerberos use (not currently in the testsuite). The original purpose of this patch was to have Samba able to pass a socket address stucture from the BSD layer into the kerberos routines and back again. It also removes nbt_peer_addr, which was being used for a similar purpose. It is a large change, but worthwhile I feel. Andrew Bartlett (This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
2007-10-10r12683: Fix declaration and initialisation placement.Andrew Bartlett1-5/+6
Andrew Bartlett (This used to be commit 17e20930ec05f6385a8fccfc77fb0aca89ecef52)
2007-10-10r12682: This patch finally fixes our kpasswdd implementation to be compatibleAndrew Bartlett1-26/+119
with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2007-10-10r12542: Move some more prototypes out to seperate headersJelmer Vernooij1-0/+1
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2007-10-10r11437: Fix (valid!) use of uninitialised value warnings.Andrew Bartlett1-1/+2
Andrew Bartlett (This used to be commit 64b9ea642bb7443f804e71bb2a6ccad94522d057)
2007-10-10r11241: - fix compiler warningStefan Metzmacher1-2/+2
- fix comment metze (This used to be commit 4f999625a164e58b87d915bbb2914038ea96162a)
2007-10-10r11239: Use ${REALM} for the realm in rootdse.ldifAndrew Bartlett1-0/+495
Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)