Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
Here we can fetch the right key, and check if the PAC is likely to be signed by a key that
we know. We cannot check the KDC signature on incoming trusts.
Andrew Bartlett
|
|
|
|
It is not safe to have a system kadmin use our plugin if we do not
share the same libkrb5.
Andrew Bartlett
|
|
This will help users who are used to the kadmin interface, and could
be extended to import existing MIT or Heimdal keys into a Samba4 AD
domain.
To use, add to your krb5.conf
[kdc]
database = {
dbname = samba4:
}
or
[kdc]
database = {
dbname = samba4:/usr/local/samba/etc/smb.conf
}
And copy hdb_samba4.so from PREFIX/modules/hdb to your Heimdal lib directory
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Nov 30 03:22:11 CET 2011 on sn-devel-104
|
|
This avoids keeping the event context around on a the gensec_security
context structure long term.
In the Samba3 server, the event context we either supply is a NULL
pointer as no server-side modules currently use the event context.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Tue Oct 11 01:18:22 CEST 2011 on sn-devel-104
|
|
This sorts out the correct handling for the 'kvno=255'
problem. Windows will use the previous trust password for 1 hour after
a password set, and indicates that the previous password is being used
by sending current_kvno-1. That maps to 255 if the trust password has
not actually been changed, so the initial trust password is being
used.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
the kdc should not be looking for users in GC partial replicas, as
these users do not have all of the attributes needed for the KDC to
operate
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
windows sometimes sends us a kvno of 255 for inter-domain trusts. We
don't yet know why it does this, but it seems that we need to treat
this as an unspecified kvno
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
the kdc doesn't want to find users who are in partialReplica
partitions, as they won't have the needed secret info for the kdc to
operate. We need to generate referrals instead
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
the exact value doesn't matter, as both Samba and windows check
against the latest password, but the old default of -1 caused ASN.1
parsing errors on windows, which prevented it answering TGS requests
thanks to Hongwei Sun for finding this from a ttt trace
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
use ldb_get_default_basedn() with a subtree search
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Thu Aug 18 22:16:38 CEST 2011 on sn-devel-104
|
|
gensec_session_key()
This is slightly less efficient, because we no longer keep a cache on
the gensec structures, but much clearer in terms of memory ownership.
Both gensec_session_info() and gensec_session_key() now take a mem_ctx
and put the result only on that context.
Some duplication of memory in the callers (who were rightly uncertain
about who was the rightful owner of the returned memory) has been
removed to compensate for the internal copy.
Andrew Bartlett
|
|
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Aug 2 06:06:15 CEST 2011 on sn-devel-104
|
|
Windows seems to always canonicalize the principal in TGS replies.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jul 26 03:25:06 CEST 2011 on sn-devel-104
|
|
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jul 20 12:12:38 CEST 2011 on sn-devel-104
|
|
TODO: check why this is needed.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Jul 15 12:26:25 CEST 2011 on sn-devel-104
|
|
As mit_samba_update_pac_data() doesn't support adding
S4U_DELEGATION_INFO to the pac (and I have no clue how to add that)
we should disable S4U2Proxy until this is implemented.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jun 28 20:35:19 CEST 2011 on sn-devel-104
|
|
metze
|
|
metze
|
|
metze
|
|
This fixes a few Coverity errors
|
|
The two error tables need to be combined, but for now seperate the names.
(As the common parts of the tree now use the _common function,
errmap_unix.c must be included in the s3 autoconf build).
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
|
|
|
|
when we need to listen on a wildcard address, we now listen on a list
of sockets, usually 0.0.0.0 and ::
|
|
metze
|
|
flags.trusted_for_delegation
metze
|
|
The iface_count, iface_n_bcast, and load_interfaces functions
conflicted with functions of the same name in source3, so the source4
functions were renamed. Hopefully we can actually wrap one around the
other in future.
Andrew Bartlett
|
|
|
|
This better reflects what this structure is
Andrew Bartlett
|
|
convert_string*()
we shouldn't accept bad multi-byte strings, it just hides problems
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Mar 24 01:47:26 CET 2011 on sn-devel-104
|
|
|
|
By having kdc_tcp_proxy_send/recv(), which just asks any writeable
dc for a reponse blob, we simplify the interaction between
client-local and local-writeable sockets.
This allows us to make kdc_socket, kdc_process_fn_t, kdc_tcp_call and kdc_tcp_socket
private to kdc.c again.
metze
|
|
By having kdc_udp_proxy_send/recv(), which just asks any writeable
dc for a reponse blob, we simplify the interaction between
client-local and local-writeable sockets.
This allows us to make kdc_udp_call and kdc_udp_socket private to
kdc.c again.
metze
|
|
metze
|
|
Bit shifting is non-trivial in C:-)
This
int32_t a = 0x12340000;
uint32_t b = (a >> 16);
results in 0x00001234, but this
int32_t a = 0xEDCB0000;
uint32_t b = (a >> 16);
results in 0xFFFFEDCB, while we expected 0x0000EDCB.
metze
|
|
this prevents conflicts with the s3 auth modules. The auth modules in
samba3 may appear in production smb.conf files, so it is preferable to
rename the s4 modules for minimal disruption.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
thi ensures we are using the header corresponding to the version of
ldb we're linking against. Otherwise we could use the system ldb for
link and the in-tree one for include
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc. This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.
The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.
Andrew Barltett
|
|
This context is used in ldb, and ldb modules apparently abort if nesting is not
allowed.
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Mon Feb 7 20:58:02 CET 2011 on sn-devel-104
|
|
otherwise msg->dn would be non-minimal and would fail in searches
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Dec 24 12:09:00 CET 2010 on sn-devel-104
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Dec 12 15:20:46 CET 2010 on sn-devel-104
|
|
|
|
Discovered by Tru64 build
|
|
We now no longer print tickets with a potentially infinite life, and
we report the same life over LSA as we use in the KDC. We should get
this from group policy, but for now it's parametric smb.conf options.
Andrew Bartlett
|
|
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Dec 3 23:56:15 CET 2010 on sn-devel-104
|