summaryrefslogtreecommitdiff
path: root/source4/kdc/pac-glue.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r10066: This is the second in my patches to work on Samba4's kerberos support,Andrew Bartlett1-8/+3
with an aim to make the code simpiler and more correct. Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over all keytypes)' code in gensec_krb5, we now follow the approach used in gensec_gssapi, and use a keytab. I have also done a lot of work in the GSSAPI code, to try and reduce the diff between us and upstream heimdal. It was becoming hard to track patches in this code, and I also want this patch (the DCE_STYLE support) to be in a 'manageable' state for when lha considers it for merging. (metze assures me it still has memory leak problems, but I've started to address some of that). This patch also includes a simple update of other code to current heimdal, as well as changes we need for better PAC verification. On the PAC side of things we now match windows member servers by checking the name and authtime on an incoming PAC. Not generating these right was the cause of the PAC pain, and so now both the main code and torture test validate this behaviour. One thing doesn't work with this patch: - the sealing of RPC pipes with kerberos, Samba -> Samba seems broken. I'm pretty sure this is related to AES, and the need to break apart the gss_wrap interface. Andrew Bartlett (This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2007-10-10r9648: this fixes the krb5 based login with the pac. The key to this whole ↵Andrew Tridgell1-5/+7
saga was that the logon_time field in the pac must match the authtime field in the ticket we gave the client in the AS-REP (and thus also the authtime field in the ticket we get back in the TGS-REQ). Many thanks to Andrew Bartlett for his patience in showing me the basic ropes of all this code! This was a joint effort. (This used to be commit 7bee374b3ffcdb0424a83f909fe5ad504ea3882e)
2007-10-10r9084: 'resign' the sample PAC for the validation of the signature algorithms.Andrew Bartlett1-1/+1
If we ever get problems with the kerberos code, it should show up as a different signature in this PAC. This involved returning more data from the pac functions, so changed some callers and split up some functions. Andrew Bartlett (This used to be commit d514a7491208afa0533bf9e99601147eb69e08c9)
2007-10-10r8110: More PAC work. I still can't get WinXP to accept the PAC, but we areAndrew Bartlett1-2/+10
much closer. This changes PIDL to allow a subcontext to have a pad8 flag, saying to pad behind to an 8 byte boundary. This is the only way I can explain the 4 trainling zeros in the signature struct. Far more importantly, the PAC code is now under self-test, both in creating/parsing our own PAC, but also a PAC from my win2k3 server. This required changing auth_anonymous, because I wanted to reuse the anonymous 'server_info' generation code. I'm still having trouble with PIDL, particulary as surrounds value(), but I'll follow up on the list. Andrew Bartlett (This used to be commit 50a54bf4e9bf04d2a8e0aebb3482a2ff655c8bbb)
2007-10-10r8013: Remember to add the header containing the prototype for the pacAndrew Bartlett1-0/+1
generating function... Andrew Bartlett (This used to be commit 707cf5fba8e5652043d392d3ee77d042eb9c3a90)
2007-10-10r8001: Also fill in the krbtgt checksum, and make sure to put the rightAndrew Bartlett1-3/+4
checksum in the right place... Andrew Bartlett (This used to be commit 90d0f502da20add6784c883b2085cde519604933)
2007-10-10r7993: Further work on the Krb5 PAC.Andrew Bartlett1-0/+79
We now generate the PAC, and can verifiy both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, spits out the code to get the information we need from the NETLOGON server back into a auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be veified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)