path: root/source4/kdc
| Age | Commit message | Author | Files | Lines |
| --- | --- | --- | --- | --- |
| 2007-10-10 | r12631: Now we have fixed the provision script, we don't need to work around it here. Andrew Bartlett (This used to be commit f282fab6113cbd6a431139cbe7f021864f31c3d1) | Andrew Bartlett | 1 | -1/+1 |
| 2007-10-10 | r12599: This new LDB module (and associated changes) allows Samba4 to operate using pre-calculated passwords for all kerberos key types. (Previously we could only use these for the NT# type). The module handles all of the hash/string2key tasks for all parts of Samba, which was previously in the rpc_server/samr/samr_password.c code. We also update the msDS-KeyVersionNumber, and the password history. This new module can be called at provision time, which ensures we start with a database that is consistent in this respect. By ensuring that the krb5key attribute is the only one we need to retrieve, this also simplifies the run-time KDC logic. (Each value of the multi-valued attribute is encoded as a 'Key' in ASN.1, using the definition from Heimdal's HDB. This simplifies the KDC code.). It is hoped that this will speed up the KDC enough that it can again operate under valgrind. (This used to be commit e9022743210b59f19f370d772e532e0f08bfebd9) | Andrew Bartlett | 1 | -100/+20 |
| 2007-10-10 | r12542: Move some more prototypes out to separate headers (This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2) | Jelmer Vernooij | 2 | -0/+2 |
| 2007-10-10 | r12498: Eliminate INIT_OBJ_FILES and ADD_OBJ_FILES. We were not using the difference between these at all, and in the future the fact that INIT_OBJ_FILES include smb_build.h will be sufficient to have recompiles at the right time. (This used to be commit b24f2583edee38abafa58578d8b5c4b43e517def) | Jelmer Vernooij | 2 | -2/+2 |
| 2007-10-10 | r12383: Fixes for Apple's AD client. Don't segfault in the KDC, and they require the isSynchronized flag in the rootDSE. Andrew Bartlett (This used to be commit e48464c8844b4af1976d8379aef8db9baddd3687) | Andrew Bartlett | 1 | -6/+8 |
| 2007-10-10 | r12362: Along with a cracknames change in the previous commit, this should allow Win2000 machines to again use kerberos with Samba4. Andrew Bartlett (This used to be commit 5770409dcd0151a7303b16c565b1f68845b8622d) | Andrew Bartlett | 1 | -9/+15 |
| 2007-10-10 | r12327: ENT_TYPE_ANY isn't used anywhere in Samba4, so don't implement it in hdb-ldb. Andrew Bartlett (This used to be commit 96e124b7bb9a916bbdfbfa36d24a1dafa262c552) | Andrew Bartlett | 1 | -21/+7 |
| 2007-10-10 | r12269: Update to current lorikeet-heimdal. This changed the way the hdb interface worked, so hdb-ldb.c and the glue have been updated. Andrew Bartlett (This used to be commit 8fd5224c6b5c17c3a2c04c7366b7e367012db77e) | Andrew Bartlett | 3 | -108/+95 |
| 2007-10-10 | r12179: Allow our KDC to use LDAP to get to the backend database. To avoid a circular dependency, it is not allowed to use Krb5 as an authentication mechanism, so this must be removed from the list. An extension to the credentials system allows this function. Also remove proto.h use for any of the KDC, and use NTSTATUS returns in more places. Andrew Bartlett (This used to be commit 5f9dddd02c9c821675d2ccd07561a55edcd7f5b4) | Andrew Bartlett | 5 | -23/+49 |
| 2007-10-10 | r12121: remove some duplicate code metze (This used to be commit 2fe8a643d3d01e669d40f714d58502b00e2446c5) | Stefan Metzmacher | 1 | -44/+19 |
| 2007-10-10 | r12036: Fix more KDC memory leaks (and there are probably still more...). Andrew Bartlett (This used to be commit 0c4ea6f6413e260a15c0afe331a066ea7051fd9f) | Andrew Bartlett | 1 | -0/+4 |
| 2007-10-10 | r12035: Fix memory leaks in the KDC. Andrew Bartlett (This used to be commit b60531b109cf9539a9d58d46436f397346352cee) | Andrew Bartlett | 1 | -0/+3 |
| 2007-10-10 | r11987: Clarify the accountExpires behaviour in the KDC. Andrew Bartlett (This used to be commit 05334e98fb1658965a822517365a86bc3906378b) | Andrew Bartlett | 1 | -4/+5 |
| 2007-10-10 | r11968: More warning fixes. We're on track to getting to double digits for the number of warnings generated now. (This used to be commit d479f2d7607adc698d71c5ba26932c72a26dcaab) | Tim Potter | 1 | -4/+4 |
| 2007-10-10 | r11930: Add socket/packet handling code for kpasswdd. Allow ticket requests with only a netbios name to be considered 'null' addresses, and therefore allowed by default. Use the netbios address as the workstation name for the allowed workstations check with krb5. Andrew Bartlett (This used to be commit 328fa186f2df5cdd42be679d92b5f07f7ed22d87) | Andrew Bartlett | 2 | -3/+34 |
| 2007-10-10 | r11713: separate out the setting of the fde in the packet context from the enabling of packet serialisation (This used to be commit 6a47cd65a8b588f9ddd375c57caaba08281e7cbb) | Andrew Tridgell | 1 | -1/+2 |
| 2007-10-10 | r11621: some minor fixes from comments by metze (This used to be commit 6ab808223475ba7c52dbe4d639af9a8e7f64b202) | Andrew Tridgell | 1 | -3/+3 |
| 2007-10-10 | r11619: use the 32 bit length helper in the kdc. (This used to be commit 24f20eed0e242aab76ce8f0f8db7266ddc9ec97b) | Andrew Tridgell | 1 | -23/+1 |
| 2007-10-10 | r11608: switched the kdc to use the generic packet send code (This used to be commit 2cbcc8a919a5164bd57143ffc778f49011b9eee6) | Andrew Tridgell | 1 | -40/+10 |
| 2007-10-10 | r11604: converted the kdc code to use the new packet lib. Andrew, I'm not sure how to test this, can you have a look and see if it works for you? Is there some hidden switch to kinit to use tcp? (This used to be commit 0a797712fb9b11996ce035a77907000130b6f616) | Andrew Tridgell | 1 | -78/+67 |
| 2007-10-10 | r11572: Add support for accountExpires and password expiry (should cause the ticket to be reduced in validity). Andrew Bartlett (This used to be commit 5575a1443b5225140f401bde7f897f96dfe73b39) | Andrew Bartlett | 1 | -2/+32 |
| 2007-10-10 | r11567: Ldb API change patch. This patch changes the way ldb_search is called and the meaning of the returned integer. The last argument of ldb_search is changed from struct ldb_message to struct ldb_result which contains a pointer to a struct ldb_message list and a count of the number of messages. The return is not the count of messages anymore but instead it is an ldb error value. I tried to keep the patch as tiny as possible but as you can guess I had to change a good amount of places. I also tried to double check all my changes being sure that the calling functions would still behave as before. But this patch is big enough that I fear some bug may have been introduced anyway even if it passes the test suite. So if you are currently working on any file being touched please give it a deep look and blame me for any error. Simo. (This used to be commit 22c8c97e6fb466b41859e090e959d7f1134be780) | Simo Sorce | 1 | -34/+36 |
| 2007-10-10 | r11544: Allow delegation in a Samba4 realm. Andrew Bartlett (This used to be commit c4a9d025d6485c19bf1f2e98f83ac68b276247e4) | Andrew Bartlett | 1 | -0/+1 |
| 2007-10-10 | r11543: A major upgrade to our KDC and PAC handling. We now put the PAC in the AS-REP, so that the client has it in the TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the client wants a ticket. This should also allow us to interop with windows KDCs. If we get an invalid PAC at the TGS stage, we just drop it. I'm slowly trying to move the application logic out of hdb-ldb.c, and back in with the rest of Samba's auth system, for consistency. This continues that trend. Andrew Bartlett (This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c) | Andrew Bartlett | 3 | -110/+390 |
| 2007-10-10 | r11540: Some notes to myself on RFC compliance. Andrew Bartlett (This used to be commit 6d439cae989efff7530d75e5dd21faa8e5230059) | Andrew Bartlett | 1 | -0/+7 |
| 2007-10-10 | r11536: Add a hook for client-principal access control to hdb-ldb, re-using the code in auth/auth_sam.c for consistency. This will also allow us to have one place for a backend directory hook. I will use a very similar hook to add the PAC. Andrew Bartlett (This used to be commit 4315836cd8c94eb8340c4050804face4d0066810) | Andrew Bartlett | 1 | -11/+93 |
| 2007-10-10 | r11525: Move lookups (including the attribute search) for users from kdc/hdb-ldb.c to share the routines used for auth/ This will require keeping the attribute list in sync, but I think it is worth it for the next steps (sharing the server_info generation). Andrew Bartlett (This used to be commit da38bcefa752a508abd28e8ff6277b493d24c2dd) | Andrew Bartlett | 1 | -43/+22 |
| 2007-10-10 | r11524: More work on our hdb backend in the KDC. The aim here is to restructure the queries to match the queries we do in auth, then to share the code that does the actual query (at least for user logins). Then we can generate the PAC from that shared query, rather than a separate query. Andrew Bartlett (This used to be commit 4395d087e19286536dbb41fa5758491b302fa437) | Andrew Bartlett | 1 | -116/+78 |
| 2007-10-10 | r11437: Fix (valid!) use of uninitialised value warnings. Andrew Bartlett (This used to be commit 64b9ea642bb7443f804e71bb2a6ccad94522d057) | Andrew Bartlett | 1 | -1/+2 |
| 2007-10-10 | r11382: Require number of required M4 macros. Make MODULE handling a bit more like BINARY, LIBRARY and SUBSYSTEM. Add some more PUBLIC_HEADERS (This used to be commit 875eb8f4cc658e6aebab070029fd499a726ad520) | Jelmer Vernooij | 1 | -5/+1 |
| 2007-10-10 | r11333: Push service principal lookups into the cracknames code, rather than in the hdb-ldb code. Andrew Bartlett (This used to be commit f71149c88d9648f5b2b1d1480dc8d45c551b0231) | Andrew Bartlett | 1 | -166/+92 |
| 2007-10-10 | r11322: Start moving towards using the cracknames code in the KDC. Andrew Bartlett (This used to be commit cf67af421686e7a89334e10296a3a07c1f8f6298) | Andrew Bartlett | 1 | -26/+70 |
| 2007-10-10 | r11321: Fix typos in warnings. Andrew Bartlett (This used to be commit 81f020d3a4982842b770b9eeb82851cf2cd35fe2) | Andrew Bartlett | 1 | -2/+2 |
| 2007-10-10 | r11270: Move the core CrackNames code from rpc_server/drsuapi to dsdb/samdb. I'm sure this will not be the final resting place, but it will do for now. Use the cracknames code in auth/ for creating a server_info given a principal name only (should avoid assumptions about splitting a user@realm principal). Andrew Bartlett (This used to be commit c9d5d8e45dd7b7c99b6cf35b087bc18012f31222) | Andrew Bartlett | 1 | -9/+5 |
| 2007-10-10 | r11244: Relative path names in .mk files (This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba) | Jelmer Vernooij | 2 | -336/+336 |
| 2007-10-10 | r11241: - fix compiler warning - fix comment metze (This used to be commit 4f999625a164e58b87d915bbb2914038ea96162a) | Stefan Metzmacher | 1 | -2/+2 |
| 2007-10-10 | r11239: Use ${REALM} for the realm in rootdse.ldif. Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb) | Andrew Bartlett | 4 | -97/+674 |
| 2007-10-10 | r11214: Remove scons files (see http://lists.samba.org/archive/samba-technical/2005-October/043443.html) (This used to be commit 7fffc5c9178158249be632ac0ca179c13bd1f98f) | Jelmer Vernooij | 1 | -2/+0 |
| 2007-10-10 | r11206: It appears to me that any account may operate as a server. Andrew Bartlett (This used to be commit 3b6c9c7cbc1d5c4dd32d3c1db18ddbccbb8cf17a) | Andrew Bartlett | 1 | -1/+5 |
| 2007-10-10 | r11106: Make the KDC handler pluggable, as I want to drop kpasswdd into exactly the same spot (it has identical TCP semantics). Andrew Bartlett (This used to be commit 84d6118e8762608af0945279d80ad0f898e693d9) | Andrew Bartlett | 1 | -16/+34 |
| 2007-10-10 | r10987: add support for tcp kdc requests metze (This used to be commit 4c4f19cc23d256c600819e8b0fddc7734b97e131) | Stefan Metzmacher | 2 | -34/+271 |
| 2007-10-10 | r10810: This adds the hooks required to communicate the current user from the authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71) | Andrew Bartlett | 1 | -1/+1 |
| 2007-10-10 | r10586: Add MergedObject() builder. Default to Library() rather than StaticLibrary() (This used to be commit b53313dc517986c69a4e4cb8fe3885b696f8faa1) | Jelmer Vernooij | 1 | -1/+1 |
| 2007-10-10 | r10562: Ensure we initialise the error table with hdb errors. This ensures we get good text error strings. Andrew Bartlett (This used to be commit 0600202067c00dd5d5d8be2d6559f66b46108f07) | Andrew Bartlett | 2 | -0/+3 |
| 2007-10-10 | r10348: Add scons scripts for remaining subsystems. Most subsystems build now, but final linking still fails (as does generating files asn1, et, idl and proto files) (This used to be commit 4f0d7f75b99c7f4388d8acb0838577d86baf68b5) | Jelmer Vernooij | 1 | -0/+2 |
| 2007-10-10 | r10157: Remove the last traces of heimdal/include. (This used to be commit 651249010725196702a8a2ed0cba65039aa2f08d) | James Peach | 1 | -1/+1 |
| 2007-10-10 | r10066: This is the second in my patches to work on Samba4's kerberos support, with an aim to make the code simpler and more correct. Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over all keytypes' code in gensec_krb5, we now follow the approach used in gensec_gssapi, and use a keytab. I have also done a lot of work in the GSSAPI code, to try and reduce the diff between us and upstream heimdal. It was becoming hard to track patches in this code, and I also want this patch (the DCE_STYLE support) to be in a 'manageable' state for when lha considers it for merging. (metze assures me it still has memory leak problems, but I've started to address some of that). This patch also includes a simple update of other code to current heimdal, as well as changes we need for better PAC verification. On the PAC side of things we now match windows member servers by checking the name and authtime on an incoming PAC. Not generating these right was the cause of the PAC pain, and so now both the main code and torture test validate this behaviour. One thing doesn't work with this patch: - the sealing of RPC pipes with kerberos, Samba -> Samba seems broken. I'm pretty sure this is related to AES, and the need to break apart the gss_wrap interface. Andrew Bartlett (This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c) | Andrew Bartlett | 1 | -8/+3 |
| 2007-10-10 | r9931: Make use of new 'norealm' parsing functions rather than strchr(p '@'). Merge these norealm functions from lorikeet-heimdal. Andrew Bartlett (This used to be commit 6aef275efd7f434f65824eb3dd129c8e5efd8731) | Andrew Bartlett | 1 | -11/+15 |
| 2007-10-10 | r9792: Rename StrCaseCmp -> strcasecmp_m. All these years I was thinking StrCaseCmp was sys_strcasecmp, while it is in fact strcasecmp_m! (This used to be commit 200a8f6652cb2de7a8037a7a4c2a204b50aee2b1) | Jelmer Vernooij | 1 | -1/+1 |
| 2007-10-10 | r9648: this fixes the krb5 based login with the pac. The key to this whole saga was that the logon_time field in the pac must match the authtime field in the ticket we gave the client in the AS-REP (and thus also the authtime field in the ticket we get back in the TGS-REQ). Many thanks to Andrew Bartlett for his patience in showing me the basic ropes of all this code! This was a joint effort. (This used to be commit 7bee374b3ffcdb0424a83f909fe5ad504ea3882e) | Andrew Tridgell | 2 | -9/+12 |