Age | Commit message (Collapse) | Author | Files | Lines |
|
To do this properly, we must use the PAC, but for now this is enough
to check that we are delegating to another name on the same host
(which must be safe).
(Windows 7 does this a lot, also noted in bug 6273)
Andrew Bartlett
|
|
Each attribute we request from LDB comes with a small cost, so don't
lookup any more than we must for the (very) frequent krbtgt lookup
case. Similarly, we don't need to build a PAC for a server (as a
target), so don't ask for the PAC attributes here either.
Andrew Bartlett
|
|
The LDB_ prefix is misleading, and stomps on the LDB namespace. This
is a Samba4 hdb module, and not something generic.
Andrew Bartlett
|
|
Soon we will add implementations for these.
|
|
Guenther
|
|
The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail
list user principal name) in an AS-REQ. Evidence from the wild
(Win2k8 reportadely) indicates that this is instead valid for all
types of requests.
While this is now handled in heimdal/kdc/misc.c, a flag is now defined
in Heimdal's hdb so that we can take over this handling in future (once we start
using a system Heimdal, and if we find out there is more to be done
here).
Andrew Bartlett
|
|
|
|
The function LDB_lookup_principal() has been eliminated, and it's
contents spread back to it's callers. Removing the abstraction makes
the code clearer.
Also ensure we never pass unescaped user input to a LDB search
function.
Andrew Bartlett
|
|
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue. (In particular, in
case our requirements become more complex in future).
The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw
Also (in hdb-samba4) be a bit more careful on what entries we will
make the 'change_pw' service mark that this depends on.
Andrew Bartlett
|
|
904d0124b46eed7a8ad6e5b73e892ff34b6865ba)
Also including the supporting changes required to pass make test
A number of heimdal functions and constants have changed since we last
imported a tree (for the better, but inconvenient for us).
Andrew Bartlett
|
|
Logs showed that every SAM authentication was causing a non-indexed
ldb search for member=XXX. This was previously indexed in Samba4, but
since we switched to using the indexes from the full AD schema it now
isn't.
The fix is to use the extended DN operations to allow us to ask the
server for the memberOf attribute instead, with with the SIDs attached
to the result. This also means one less search on every
authentication.
The patch is made more complex by the fact that some common routines
use the result of these user searches, so we had to update all
searches that uses user_attrs and those common routines to make sure
they all returned a ldb_message with a memberOf filled in and the SIDs
attached.
|
|
It turns out (seen in MS-SAMR 3.1.1.7.1 for example) that the primary
way the krbtgt account is recognised as special is that RID. This
should fix issues such as 'password expired' on the kpasswd service.
Andrew Bartlett
|
|
A single AD server can only host a single domain, so don't stuff about
with looking up our crossRef record in the cn=Partitions container.
We instead trust that lp_realm() and lp_workgroup() works correctly.
Andrew Bartlett
|
|
metze
|
|
|
|
|
|
consistency with Samba 3.
|
|
When starting GENSEC on the server, the auth subsystem context must be
passed in, which now includes function pointers to the key elements.
This should (when the other dependencies are fixed up) allow GENSEC to
exist as a client or server library without bundling in too much of
our server code.
Andrew Bartlett
|
|
metze
|
|
metze
|
|
metze
|
|
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"
for s in $list; do
o=`echo $s | cut -d ':' -f1`
n=`echo $s | cut -d ':' -f2`
r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
for f in $files; do
cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
mv $f.tmp $f
done
done
metze
|
|
metze
|
|
|
|
metze
|
|
should in the future only contain some settings required for gensec.
|
|
|
|
make them wrappers around convert_string{,talloc}_convenience().
|
|
functions.
|
|
We supply this to krb5 as a plugin, so we must keep it around as long
as the krb5_context.
Andrew Bartlett
|
|
3.
|
|
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
|
|
|
|
|
|
|
|
|
|
This avoids one more custom patch to the Heimdal code, and provides a
more standard way to produce hdb plugins in future.
I've renamed from hdb_ldb to hdb_samba4 as it really is not generic
ldb.
Andrew Bartlett
|
|
This commit applies some cosmetic corrections for the KERBEROS library.
|
|
|
|
This reverts commit 05ea5e23cf4e70de0bd658b1c5c0ead133967091.
Conflicts:
source4/smbd/server.c
|
|
The previous ldb_search() interface made it way too easy to leak results,
and being able to use a printf-like expression turns to be really useful.
|
|
The IDL is declared to force the MessageType to 3 on output, so we
instead checked the same thing 255 times...
Andrew Bartlett
|
|
metze
|
|
This reverts commit 0e9008be35a5b334bd65e6417193d4b8f27bdc36.
|
|
|
|
(This used to be commit edea162a0e11f03b4b6069388abbca099f097386)
|
|
This is implemented by means of a message to the KDC, to avoid having
to link most of the KDC into netlogon.
Andrew Bartlett
(This used to be commit 82fcd7941f5c54da2d994c8bd99dd8d86299a296)
|
|
This uses Heimdal's PAC parsing code in the:
- LOCAL-PAC test
- gensec_gssapi server
- KDC (where is was already used, the support code refactored from here)
In addition, the service and KDC checksums are recorded in the struct
auth_serversupplied_info, allowing them to be extracted for validation
across NETLOGON.
Andrew Bartlett
(This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
|
|
metze
(This used to be commit 65057f17b0d9e83f1b775afdeb7ea91ce0e52cd1)
|
|
(This used to be commit 2c7195429411d68bc66f4100659c622df4f5a20a)
|