summaryrefslogtreecommitdiff
path: root/source4/kdc/kpasswdd.c
AgeCommit message (Collapse)AuthorFilesLines
2011-10-18gensec: move event context from gensec_*_init() to gensec_update()Andrew Bartlett1-1/+1
This avoids keeping the event context around on a the gensec_security context structure long term. In the Samba3 server, the event context we either supply is a NULL pointer as no server-side modules currently use the event context. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-04s4-kdc: don't look at global catalog NCs in the kdcAndrew Tridgell1-6/+10
the kdc should not be looking for users in GC partial replicas, as these users do not have all of the attributes needed for the KDC to operate Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-08-03gensec: clarify memory ownership for gensec_session_info() and ↵Andrew Bartlett1-0/+1
gensec_session_key() This is slightly less efficient, because we no longer keep a cache on the gensec structures, but much clearer in terms of memory ownership. Both gensec_session_info() and gensec_session_key() now take a mem_ctx and put the result only on that context. Some duplication of memory in the callers (who were rightly uncertain about who was the rightful owner of the returned memory) has been removed to compensate for the internal copy. Andrew Bartlett
2011-03-25lib/util/charset rename iconv_convenience to iconv_handleAndrew Bartlett1-2/+2
This better reflects what this structure is Andrew Bartlett
2011-03-24charcnv: removed the allow_badcharcnv and allow_bad_conv options to ↵Andrew Tridgell1-2/+2
convert_string*() we shouldn't accept bad multi-byte strings, it just hides problems Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Thu Mar 24 01:47:26 CET 2011 on sn-devel-104
2011-02-09s4-auth Rework auth subsystem to remove struct auth_serversupplied_infoAndrew Bartlett1-5/+5
This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2010-12-12s4:kdc/*.c - minimise includesMatthias Dieter Wallnöfer1-9/+0
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Dec 12 15:20:46 CET 2010 on sn-devel-104
2010-12-12s4:kdc/kpasswdd.c - don't return an uninitialised NT_STATUSMatthias Dieter Wallnöfer1-2/+1
Discovered by Tru64 build
2010-12-04s4:kdc/kpasswdd.c - fix memory leaksMatthias Dieter Wallnöfer1-2/+15
2010-11-15s4-kdc Remove use of heimdal private headers in kpasswd server.Andrew Bartlett1-16/+3
This remains an abuse, because it relies on setting into the krb5_principal structure, but at least it causes less trouble for the server. Andrew Bartlett
2010-11-12s4-kdc: added proxying of kdc requests for RODCsAndrew Tridgell1-12/+9
when we are an RODC and we get a request for a principal that we don't have the right secrets for, we need to proxy the request to a writeable DC. This happens for both TCP and UDP requests, for both krb5 and kpasswd Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Fri Nov 12 08:03:20 UTC 2010 on sn-devel-104
2010-11-12s4-kdc: split the kdc process return into a tri-stateAndrew Tridgell1-22/+22
this is in preparation for doing forwarding of packets for RODCs Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-12s4-kdc: rename kdc/kdc.h to kdc/kdc-glue.hAndrew Tridgell1-1/+1
kdc.h conflicts with a heimdal header name
2010-10-17Revert "s4:remove "util_ldb" submodule and integrate the three gendb_* calls ↵Matthias Dieter Wallnöfer1-0/+1
in "dsdb/common/util.c"" This reverts commit 8a2ce5c47cee499f90b125ebde83de5f9f1a9aa0. Jelmer pointed out that these are also in use by other LDB databases - not only SAMDB ones. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
2010-10-17s4:remove "util_ldb" submodule and integrate the three gendb_* calls in ↵Matthias Dieter Wallnöfer1-1/+0
"dsdb/common/util.c" They're only in use by SAMDB code. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
2010-10-11s4-credentials Add explicit event context handling to Kerberos calls (only)Andrew Bartlett1-1/+1
By setting the event context to use for this operation (only) onto the krb5_context just before we call that operation, we can try and emulate the specification of an event context to the actual send_to_kdc() This eliminates the specification of an event context to many other cli_credentials calls, and the last use of event_context_find() Special care is taken to restore the event context in the event of nesting in the send_to_kdc function. Andrew Bartlett
2010-10-10samdb: Add flags argument to samdb_connect().Jelmer Vernooij1-3/+3
2010-08-23s4:security Change struct security_token->sids from struct dom_sid * to ↵Andrew Bartlett1-3/+3
struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-18s4:security Remove use of user_sid and group_sid from struct security_tokenAndrew Bartlett1-3/+3
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-17s4:kdc/kpasswdd.c - let the user change his own password with his own rightsMatthias Dieter Wallnöfer1-3/+44
Now it's finally possible that the user can change his password with a DSDB connection using his credentials. NOTICE: I had to extract the old password from the SAMDB since I was unable to find it somewhere else (authinfo for example).
2010-08-17s4:kdc/rpc server - adapt the "samdb_set_password" calls which perform ↵Matthias Dieter Wallnöfer1-1/+1
password sets
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell1-2/+2
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-26s4:kdc/kpasswdd.c - remove unreachable codeMatthias Dieter Wallnöfer1-2/+0
2010-05-10s4:samdb_set_password/samdb_set_password_sid - ReworkMatthias Dieter Wallnöfer1-31/+4
Adapt the two functions for the restructured "password_hash" module. This means that basically all checks are now performed in the mentioned module. An exception consists in the SAMR password change calls since they need very precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
2010-03-25s4:kdc Add support for changing password of a servicePrincipalNameAndrew Bartlett1-10/+32
Apparently AD supports setting a password on a servicePrincipalName, not just a user principal name. This should fix (part of) the join of OpenSolaris's internal CIFS server to Samba4 as reported by Bug #7273 Andrew Bartlett
2010-02-22More spelling fixes across source4/Brad Hards1-1/+1
Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
2010-02-16s4-dsdb: change samdb_replace() to dsdb_replace() and allow for dsdb_flagsAndrew Tridgell1-1/+1
This allows for controls to be added easily where they are needed.
2010-01-28s4:kdc Use better db context structureSimo Sorce1-1/+1
This allows to use a common structure not tied to hdb_samba4 Also allows to avoid many casts within hdb_samba4 functions This is the first step to abstract samba kdc databse functions so they can be used by the MIT forthcoming plugin.
2009-12-23s4:cleanups More trailing spaces and tabsSimo Sorce1-108/+108
2009-12-16s4-gensec: Replace gensec_set_peer_addr with new tsocket based fn.Andreas Schneider1-1/+1
2009-12-16s4-gensec: Replace gensec_set_my_addr() with new tsocket based fn.Andreas Schneider1-17/+1
2009-12-15s4-kdc: Migrate to tsocket_address.Andreas Schneider1-3/+20
2009-11-05s4:kdc: remove unused struct kpasswd_socketStefan Metzmacher1-10/+0
metze
2009-10-23s4-dsdb: create a static system_session contextAndrew Tridgell1-1/+1
This patch adds a system_session cache, preventing us from having to recreate it on every ldb open, and allowing us to detect when the same session is being used in ldb_wrap
2009-10-08s3/s4 - Adapt the IDL changes on various locationsMatthias Dieter Wallnöfer1-9/+8
2009-09-16s4:kdc In the kpasswd server, don't use the client address in mk_privAndrew Bartlett1-0/+8
This code eventually calls into mk_priv in the Heimdal code, and if the client is behind NAT, or somehow has an odd idea about it's own network addresses, it will fail to accept this packet if we set an address. It seems easiser not to. (Found by testing with NetAPP at plugfest) Andrew Bartlett
2009-07-27s4:kdc Push context to hdb_samba4 by way of the 'name' of the DBAndrew Bartlett1-3/+9
This overloads the 'name' part of the keytab name to supply a context pointer, and so avoids 3 global variables! To do this, we had to stop putting the entry for kpasswd into the secrets.ldb. (I don't consider this a big loss, and any entry left there by an upgrade will be harmless). Andrew Bartlett
2009-03-01Use common header file for character set handling in Samba 3 and Samba 4.Jelmer Vernooij1-3/+2
2009-03-01s4: Use same function signature for convert_* as s3.Jelmer Vernooij1-8/+5
2009-03-01Add allow_badcharcnv argument to all conversion function, forJelmer Vernooij1-2/+2
consistency with Samba 3.
2009-02-13Remove auth/ntlm as a dependency of GENSEC by means of function pointers.Andrew Bartlett1-9/+10
When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2008-12-29s4:lib/tevent: rename structsStefan Metzmacher1-1/+1
list="" list="$list event_context:tevent_context" list="$list fd_event:tevent_fd" list="$list timed_event:tevent_timer" for s in $list; do o=`echo $s | cut -d ':' -f1` n=`echo $s | cut -d ':' -f2` r=`git grep "struct $o" |cut -d ':' -f1 |sort -u` files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4` for f in $files; do cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp mv $f.tmp $f done done metze
2008-11-02Add gensec_settings structure. This wraps loadparm_context for now, butJelmer Vernooij1-1/+3
should in the future only contain some settings required for gensec.
2008-10-24Remove iconv_convenience argument from convert_string{,talloc}() butJelmer Vernooij1-2/+2
make them wrappers around convert_string{,talloc}_convenience().
2008-10-24Remove iconv_convenience parameter from simple string push/pullJelmer Vernooij1-1/+1
functions.
2008-10-16Create a 'straight paper path' for UTF16 passwords.Andrew Bartlett1-11/+26
This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
2008-10-11Fix include paths to new location of libutil.Jelmer Vernooij1-1/+1
2008-08-26kdc: move references to heimdal internals into heimdal_build/kpasswd-glue.hStefan Metzmacher1-2/+1
metze (This used to be commit 65057f17b0d9e83f1b775afdeb7ea91ce0e52cd1)
2008-08-01libreplace: include <krb5.h> and <com_err.h> and no heimdal specific headersStefan Metzmacher1-2/+11
metze (This used to be commit cffed8e19e22a1fa7b7a322b153df5d54e4c3be2)
2008-08-01kdc: use mostly only public kerberos headersStefan Metzmacher1-2/+4
We shoule avoid using the private heimdal function _krb5_principalname2krb5_principal() metze (This used to be commit 10db07c69addce6e90851fb55738d5f9e142946b)