summaryrefslogtreecommitdiff
path: root/source4/kdc/pac-glue.c
AgeCommit message (Collapse)AuthorFilesLines
2012-01-12auth/kerberos: Remove unused TALLOC_CTX argument to check_pac_checksumAndrew Bartlett1-1/+1
2012-01-12s4-kdc Do the KDC PAC checksum validation in the Samba pluginAndrew Bartlett1-12/+102
Here we can fetch the right key, and check if the PAC is likely to be signed by a key that we know. We cannot check the KDC signature on incoming trusts. Andrew Bartlett
2011-10-11pac: Fix wrong memory allocation checkSimo Sorce1-1/+1
Autobuild-User: Simo Sorce <idra@samba.org> Autobuild-Date: Tue Oct 11 01:18:22 CEST 2011 on sn-devel-104
2011-06-28s4:kdc: generate the S4U_DELEGATION_INFO in the regenerated pacStefan Metzmacher1-2/+119
metze
2011-03-19source4/kdc: Fix prototypes for all functions.Jelmer Vernooij1-0/+1
2011-02-10ldb: use #include <ldb.h> for ldbAndrew Tridgell1-1/+1
thi ensures we are using the header corresponding to the version of ldb we're linking against. Otherwise we could use the system ldb for link and the in-tree one for include Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-09s4-auth Rework auth subsystem to remove struct auth_serversupplied_infoAndrew Bartlett1-10/+11
This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2010-12-12s4:kdc/*.c - minimise includesMatthias Dieter Wallnöfer1-3/+0
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Dec 12 15:20:46 CET 2010 on sn-devel-104
2010-11-15s4-kdc Don't always regenerate the PACAndrew Bartlett1-2/+4
The PAC was being regenerated on all normal DCs, because they don't have a msDS-SecondaryKrbTgtNumber attribute. Instead we need to check if it's set and not equal to our RODC number, allowing RODCs to trust the full DCs and itself, but not other RODCs. Andrew Bartlett
2010-11-12s4-kdc: rename kdc/kdc.h to kdc/kdc-glue.hAndrew Tridgell1-1/+1
kdc.h conflicts with a heimdal header name
2010-10-05s4:kdc - use "userAccountControl" always unsignedMatthias Dieter Wallnöfer1-1/+1
It doesn't change much but it's nicer to have it consistent.
2010-09-29s4-kdc Add function to determine if a hdb entry is a RODCAndrew Bartlett1-0/+16
This is important, as we must ignore the PAC from an RODC. Andrew Bartlett
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell1-2/+2
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-05-18Finish removal of iconv_convenience in public API's.Jelmer Vernooij1-8/+4
2010-04-27Simple fix to prevent crash for non-pac principalsMarcel Ritter1-0/+5
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-02-25s4:kdc make function staticSimo Sorce1-0/+1
2010-01-31s4:kdc Streamline client access verification callSimo Sorce1-2/+56
Move the core to pac-glue so that other plugins can use it.
2010-01-28s4:kdc Use a clearer name for the samba kdc entrySimo Sorce1-6/+6
Renames hdb_samba4_private to samba_kdc_entry Streamlines members of the entry and the kdc db contextto avoid unnecessary duplication.
2010-01-27s4:windc move windc plugin in its own fileSimo Sorce1-186/+0
Keep all heimdal related plugin code within wdc-samba4.c Leave only interfaces common to multiple plugins in pac-glue.c
2010-01-27s4:PAC make common functions publicSimo Sorce1-25/+24
2010-01-27s4:PAC Streamline pac-glue step 2Simo Sorce1-55/+113
Split functions so that no assumption is made about which plugin is using them
2010-01-27s4:PAC Streamline pac-glueSimo Sorce1-19/+40
First step, preparing to share the code between multiple plugins.
2009-12-23s4:cleanups More trailing spaces and tabsSimo Sorce1-15/+15
2009-07-28s4:kerberos Add 'net export keytab' command for wireshark decryptionAndrew Bartlett1-17/+26
It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 doamin. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term). Andrew Bartlett
2009-07-27s4:kdc Tidy up hdb_samba4 some moreAndrew Bartlett1-5/+5
This removes the last use of the prefix hdb_ldb and makes it clear that we pass in 3 global variables to get state information into hdb_samba4 when used as a keytab. (And that they belong to hdb_samba4, not to the KDC) Andrew Bartlett
2009-07-13libds: share UF_ flags between samba3 and 4.Günther Deschner1-1/+1
Guenther
2009-06-18s4:kdc Allow a password change when the password is expiredAndrew Bartlett1-34/+41
This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on. Andrew Bartlett
2009-05-26Don't use crossRef records to find our own domainAndrew Bartlett1-4/+6
A single AD server can only host a single domain, so don't stuff about with looking up our crossRef record in the cn=Partitions container. We instead trust that lp_realm() and lp_workgroup() works correctly. Andrew Bartlett
2009-02-01s4:kdc: avoid c++ reserved word 'private'Stefan Metzmacher1-17/+17
metze
2008-12-04s4:kdc: allow a trusted domain to get kerberos ticketsStefan Metzmacher1-1/+2
metze
2008-10-24Remove unused include param/param.h.Jelmer Vernooij1-1/+0
2008-08-28Heimdal provides Kerberos PAC parsing routines. Use them.Andrew Bartlett1-37/+7
This uses Heimdal's PAC parsing code in the: - LOCAL-PAC test - gensec_gssapi server - KDC (where is was already used, the support code refactored from here) In addition, the service and KDC checksums are recorded in the struct auth_serversupplied_info, allowing them to be extracted for validation across NETLOGON. Andrew Bartlett (This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
2008-08-20kdc/pac-glue: pull/push the logon_info via the PAC_INFO unionStefan Metzmacher1-11/+13
This prepares the next commit... metze (This used to be commit 7d297f7fb7a3ac388390429db7cb16fa60d3f8c0)
2008-06-04kdc: we don't need any *_locl.h header from heimdal in the kdcStefan Metzmacher1-1/+1
metze (This used to be commit feca16dd6d03730b4a67adf5d912ba2d5e1a3025)
2008-03-19Remove unused variable.Andrew Bartlett1-1/+0
(This used to be commit 1de21f5fdd9e377801af25b7ce461bdf7a16e1de)
2008-03-13kdc: Provide extended error information in AS-REP error replies.Andrew Kroeger1-17/+50
This change utilizes the addition of the e_data parameter to the windc_plugin in the heimdal code to pass extended information back to the client. The extended information is provided in an e-data block as part of the kerberos error message, and allows the client to determine which specific error condition occurred. (This used to be commit 502466ba950bfd104518b9eb9586896c1e076343)
2008-03-07Enhance mappings of NTSTATUS to KRB5KDC errors.Andrew Kroeger1-1/+20
The enhanced mappings allow the Windows client to determine whether a user's password needs to be changed (and allows them to change it), or if they cannot logon at all. Changes still need to be made to allow additional data to be returned. Windows uses that additional data to display more detailed dialogs to the user. The additional information is returned in an e-data struct of type PA-PW-SALT that contains the more-detailed NTSTATUS error code. (This used to be commit 6a98e5a7aa0cdbb61358901df50162b5b914ee5c)
2008-02-21Remove more uses of global_loadparm.Jelmer Vernooij1-1/+1
(This used to be commit a1715b1f48ba44bd94844418cc9299649aaf1a5e)
2008-02-21Remove more uses of global_loadparm.Jelmer Vernooij1-5/+3
(This used to be commit 230355d2e6e27918dff40823eb238904c7a1870e)
2008-02-21Remove more uses of global_loadparm.Jelmer Vernooij1-4/+7
(This used to be commit 47d05ecf6fef66c90994f666b8c63e2e7b5a6cd8)
2008-01-01r26639: librpc: Pass iconv convenience on from RPC connection to NDR ↵Jelmer Vernooij1-1/+1
library, so it can be overridden by OpenChange. (This used to be commit 2f29f80e07adef1f020173f2cd6d947d0ef505ce)
2008-01-01r26638: libndr: Require explicitly specifying iconv_convenience for ↵Jelmer Vernooij1-1/+1
ndr_struct_push_blob(). (This used to be commit 61ad78ac98937ef7a9aa32075a91a1c95b7606b3)
2007-12-21r26357: Add separate subsystem for auth_sam_reply parsing.Jelmer Vernooij1-0/+1
(This used to be commit 2d61e7c96e249d7031b709e9f727626a78e435f1)
2007-12-21r26252: Specify loadparm_context explicitly when creating sessions.Jelmer Vernooij1-0/+2
(This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede)
2007-12-21r25920: ndr: change NTSTAUS into enum ndr_err_code (samba4 callers)Stefan Metzmacher1-6/+10
lib/messaging/ lib/registry/ lib/ldb-samba/ librpc/rpc/ auth/auth_winbind.c auth/gensec/ auth/kerberos/ dsdb/repl/ dsdb/samdb/ dsdb/schema/ torture/ cluster/ctdb/ kdc/ ntvfs/ipc/ torture/rap/ ntvfs/ utils/getntacl.c ntptr/ smb_server/ libcli/wrepl/ wrepl_server/ libcli/cldap/ libcli/dgram/ libcli/ldap/ libcli/raw/ libcli/nbt/ libnet/ winbind/ rpc_server/ metze (This used to be commit 6223c7fddc972687eb577e04fc1c8e0604c35435)
2007-12-21r25789: print out what error happened...Stefan Metzmacher1-1/+1
metze (This used to be commit cca080f53040c84753050a1a82b8cd93e33ca693)
2007-10-10r23792: convert Samba4 to GPLv3Andrew Tridgell1-3/+2
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10r20639: Commit part 1 of 2.Andrew Bartlett1-209/+107
This patch updates our build system and glue to support a new snapshot of lorikeet-heimdal. We now procude a [SUBSYTEM] in the ans1_deps.pl script, and can depend on that in the heimdal_build/config.mk. This is much easier than listing every generated .o file individually. This required some small changes to the build system, due to the way the parent directory was handled for the output of scripts. I've also cleaned up et_deps.pl to handle cleaning up it's generated files on clean. The PAC glue in Heimdal has changed significantly: we no longer have a custom hack in the KDC, instead we have the windc plugin interface. As such, pac-glue.c is much smaller. In the future, when I'm confident of the new code, we will also be able to 'downsize' auth/kerberos/kerberos_pac.c. (I'll include the updated copy of heimdal in the next chekin, to make it clearer what's changed in Samba4 itself). Andrew Bartlett (This used to be commit 75fddbbc0811010a28ca5bb597b573b3f10ef6d6)
2007-10-10r19664: fix compiler warnings...Stefan Metzmacher1-14/+14
should _krb5_find_type_in_ad() also take a const? metze (This used to be commit addc31bd9309cb2b41cbb548c82c80de1cf96c4f)
2007-10-10r19604: This is a massive commit, and I appologise in advance for it's size.Andrew Bartlett1-1/+1
This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)