summaryrefslogtreecommitdiff
path: root/source4/kdc
AgeCommit message (Collapse)AuthorFilesLines
2007-12-21r26325: Remove use of global_loadparm in netif.Jelmer Vernooij1-3/+3
(This used to be commit e452cb28594f23add7c00247ed39e8323aea78a6)
2007-12-21r26316: Use contexts for conversion functions.Jelmer Vernooij1-1/+1
(This used to be commit f6420d933b5b011d428974f3a2a57edf19e6f482)
2007-12-21r26314: Eliminate use of global_loadparm.Jelmer Vernooij1-1/+1
(This used to be commit aa98a1781c76b352494e65fbc87629fe544c1f73)
2007-12-21r26313: Fix more uses of static loadparm.Jelmer Vernooij1-2/+6
(This used to be commit 6fd0d9d3b75546d08c24c513e05b1843d5777608)
2007-12-21r26277: Move loadparm context higher up the stack.Jelmer Vernooij1-1/+1
(This used to be commit 38fa08310ce573e9b46e76c840ddda6f18863573)
2007-12-21r26274: Some syntax fixes, remove more global_loadparm instances.Jelmer Vernooij2-2/+5
(This used to be commit 3809113d86dbd35b906356a05bb481a1e2bfe4b7)
2007-12-21r26260: Store loadparm context in gensec context.Jelmer Vernooij1-1/+1
(This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081)
2007-12-21r26252: Specify loadparm_context explicitly when creating sessions.Jelmer Vernooij3-4/+6
(This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede)
2007-12-21r26237: Add loadparm context to the server service interface.Jelmer Vernooij1-0/+1
(This used to be commit 1386c5c92505a950c65411b8af74d703ce023f95)
2007-12-21r26233: Pass loadparm context when creating krb5 contexts.Jelmer Vernooij1-1/+1
(This used to be commit 7780bf285fdfc30f89409d0436bad0d4b6de5cd4)
2007-12-21r26229: Set loadparm context as opaque pointer in ldb, remove more uses of ↵Jelmer Vernooij1-5/+5
global_loadparm. (This used to be commit 37d05fdc7b0e6b3211ba6ae56b1b5da30a6a392a)
2007-12-21r26227: Make loadparm_context part of a server task, move loadparm_contexts ↵Jelmer Vernooij2-3/+3
further up the call stack. (This used to be commit 0721a07aada6a1fae6dcbd610b8783df57d7bbad)
2007-12-21r26003: Split up DB_WRAP, as first step in an attempt to sanitize dependencies.Jelmer Vernooij1-1/+1
(This used to be commit 56dfcb4f2f8e74c9d8b2fe3a0df043781188a555)
2007-12-21r25920: ndr: change NTSTAUS into enum ndr_err_code (samba4 callers)Stefan Metzmacher2-13/+17
lib/messaging/ lib/registry/ lib/ldb-samba/ librpc/rpc/ auth/auth_winbind.c auth/gensec/ auth/kerberos/ dsdb/repl/ dsdb/samdb/ dsdb/schema/ torture/ cluster/ctdb/ kdc/ ntvfs/ipc/ torture/rap/ ntvfs/ utils/getntacl.c ntptr/ smb_server/ libcli/wrepl/ wrepl_server/ libcli/cldap/ libcli/dgram/ libcli/ldap/ libcli/raw/ libcli/nbt/ libnet/ winbind/ rpc_server/ metze (This used to be commit 6223c7fddc972687eb577e04fc1c8e0604c35435)
2007-12-21r25789: print out what error happened...Stefan Metzmacher1-1/+1
metze (This used to be commit cca080f53040c84753050a1a82b8cd93e33ca693)
2007-10-10r25548: Convert to standard bool type.Jelmer Vernooij2-37/+37
(This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
2007-10-10r25430: Add the loadparm context to all parametric options.Jelmer Vernooij1-1/+1
(This used to be commit fd697d77c9fe67a00939a1f04b35c451316fff58)
2007-10-10r25398: Parse loadparm context to all lp_*() functions.Jelmer Vernooij2-4/+5
(This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
2007-10-10r25035: Fix some more warnings, use service pointer rather than service ↵Jelmer Vernooij1-1/+1
number in more places. (This used to be commit df9cebcb97e20564359097148665bd519f31bc6f)
2007-10-10r25026: Move param/param.h out of includes.hJelmer Vernooij2-0/+2
(This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
2007-10-10r25001: Fix more C++ and other warnings, fix some of the indentation with ↵Jelmer Vernooij1-4/+4
ts=4 lines that I accidently added earlier. (This used to be commit 0bcb21ed740fcec0f48ad36bbc2deee2948e8fc7)
2007-10-10r25000: Fix some more C++ compatibility warnings.Jelmer Vernooij1-1/+2
(This used to be commit 08bb1ef643ab906f1645cf6f32763dc73b1884e4)
2007-10-10r24712: No longer expose the 'BOOL' data type in any interfaces.Jelmer Vernooij1-1/+1
(This used to be commit 1ce32673d960c8b05b6c1b1b99e1976a402417ae)
2007-10-10r24613: Missed this in my recent commit -r 24611. We don't discriminate onAndrew Bartlett1-2/+0
where the password change came from, to determine if policy should be applied. We discriminate on if the account is a trust account. Andrew Bartlett (This used to be commit 48fd2889571b10a6057b9e271860e4951fc85c8b)
2007-10-10r24061: Anther part of bug #4823, which is that until now Samba4 didn't parseAndrew Bartlett1-26/+3
the logon hours, even if set. This code happily stolen from the great work in Samba3 :-) Andrew Bartlett (This used to be commit a4939ab629e0af0615bcecf63c7cd55e6e833505)
2007-10-10r23792: convert Samba4 to GPLv3Andrew Tridgell4-12/+8
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10r23503: use hdb_dbc not hdb_openp.Andrew Bartlett1-8/+7
Andrew Bartlett (This used to be commit 3a21304de04fa20198d5a863ffd0804a308dccb9)
2007-10-10r23488: hdb_openp has changed from void * to int...Stefan Metzmacher1-4/+5
lha: what is the reason for this? it's really bad to use an int for storing a pointer value... metze (This used to be commit 625a6598566761121f16e47e88bdd0fbb0f2846c)
2007-10-10r23456: Update Samba4 to current lorikeet-heimdal.Andrew Bartlett1-15/+16
Andrew Bartlett (This used to be commit ae0f81ab235c72cceb120bcdeb051a483cf3cc4f)
2007-10-10r22969: fix some more places where we could end up with more than one eventAndrew Tridgell1-1/+1
context. We now have an event context on the torture_context, and we can also get one from the cli_credentials structure (This used to be commit c0f65eb6562e13530337c23e3447a6aa6eb8fc17)
2007-10-10r22762: Some ldb_map changes:Jelmer Vernooij1-2/+2
* Change license to LGPL, so it can be used by non-Samba users of LDB (cleared with Martin as well). * Include ldb_map in standalone build. * Move ldb_map to its own directory (This used to be commit a90202abca26c0da5425a2f3dd8494077c3290fd)
2007-10-10r22403: this dependencies should be privateStefan Metzmacher1-2/+2
metze (This used to be commit c3cc03ffb290cb7c1eba51e98c52e5e7c1aba5fb)
2007-10-10r21441: create a union for the PrimaryKerberosBlob contentStefan Metzmacher1-13/+23
so that ndr_pull will fail if version isn't 3 and we notice if the format changes... metze (This used to be commit 91f7a094cfd04405c224b9579146d814cba507b3)
2007-10-10r21434: - get rid of "krb5Key"Stefan Metzmacher1-49/+132
- use "sambaPassword" only as virtual attribute for passing the cleartext password (in unix charset) into the ldb layer - store des-cbc-crc, des-cbc-md5 keys in the Primary:Kerberos blob to match w2k and w2k3 - aes key support is disabled by default, as we don't know exacly how longhorn stores them. use password_hash:create_aes_key=yes to force creation of them. - store the cleartext password in the Primary:CLEARTEXT blob if configured TODO: - find out how longhorn stores aes keys - find out how the Primary:WDigest blob needs to be constructed (not supported by w2k) metze (This used to be commit e20b53f6feaaca2cc81ee7d296ca3ff757ee3953)
2007-10-10r21390: move fetching the key version number into the functionStefan Metzmacher1-2/+2
which contrusts the keys... later we need to get the key version number from the "replPropertyMetaData" attribute entry to the (I assume) the "unicodePwd" attribute. msDs-KeyVersionNumber is a constructed attribute, and is "1" when no "supplementalCredentials" is present. we need to make some tests with a password change function which don't give a cleartext to the server... metze (This used to be commit 9e4324221764c1413be34d5b14915a86740acc04)
2007-10-10r21363: fallback to fetch the KEYTYPE_ARCFOUR out of the "unicodePwd" attributeStefan Metzmacher1-38/+86
when no krb5key attribute is present or it doesn't contain the KEYTYPE_ARCFOUR key. metze (This used to be commit b4af29da700a71fe021c5f31cad31a494d884e07)
2007-10-10r21330: move fetching of krb5 keys into its own functionStefan Metzmacher1-47/+66
metze (This used to be commit 0f1eb00b418eabef5881f94d8df2b4d61f1dc1ef)
2007-10-10r20988: Call out to Heimdal's krb5.conf processing to configure many aspectsAndrew Bartlett1-22/+19
of KDC behaviour. This should allow PKINIT to be turned on and managed with reasonable sanity. This also means that the krb5.conf in the same directory as the smb.conf will always have priority in Samba4, which I think will be useful. Andrew Bartlett (This used to be commit a50bbde81b010bc5d06e3fc3417ade44627eb771)
2007-10-10r20661: the golden rule: "make things private if possible!"Stefan Metzmacher1-1/+1
fix 'make install' because no entry was in the headermap metze (This used to be commit 2a9d6d381d991977be10b525c88fb279237bafd9)
2007-10-10r20639: Commit part 1 of 2.Andrew Bartlett6-265/+153
This patch updates our build system and glue to support a new snapshot of lorikeet-heimdal. We now procude a [SUBSYTEM] in the ans1_deps.pl script, and can depend on that in the heimdal_build/config.mk. This is much easier than listing every generated .o file individually. This required some small changes to the build system, due to the way the parent directory was handled for the output of scripts. I've also cleaned up et_deps.pl to handle cleaning up it's generated files on clean. The PAC glue in Heimdal has changed significantly: we no longer have a custom hack in the KDC, instead we have the windc plugin interface. As such, pac-glue.c is much smaller. In the future, when I'm confident of the new code, we will also be able to 'downsize' auth/kerberos/kerberos_pac.c. (I'll include the updated copy of heimdal in the next chekin, to make it clearer what's changed in Samba4 itself). Andrew Bartlett (This used to be commit 75fddbbc0811010a28ca5bb597b573b3f10ef6d6)
2007-10-10r20406: Metze's change in -r 19662 broke Kerberos logins from Win2k3.Andrew Bartlett1-0/+25
The reason is long and complex, but is due to forwardable tickets: We would extract the forwardable ticket from the GSSAPI payload, and look for the expiry time of the ticket for krbtgt/REALM@REALM. However, with -r 19662 the ticket is given to the client as being for krbtgt/realm@REALM, as it asked for a lower case realm. Heimdal is case sensitive for realms, and bails out. (It should just not store the forwarded ticket). We need to co-ordinate changes in the KDC with relaxation of checks in Heimdal, and a better kerberos behaviour testsuite. Andrew Bartlett (This used to be commit be4c1a36b0e31cbb680d55e8d933818dc3c7435b)
2007-10-10r20152: Commit missing files from last night's commit. We no longer maintainAndrew Bartlett1-2/+1
a distinction between PDC and BDC in the configuration files, only as an entry in the ldb. Andrew Bartlett (This used to be commit dc9eee7cb37e4a6828c2cba23b0d836df9eac7b5)
2007-10-10r20034: Start using ldb_search_exp_fmt()Simo Sorce1-12/+6
(This used to be commit 4f07542143ddf5066f0360d965f26a8470504047)
2007-10-10r19832: better prototypes for the linearization functions:Simo Sorce2-3/+3
- ldb_dn_get_linearized returns a const string - ldb_dn_alloc_linearized allocs astring with the linearized dn (This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
2007-10-10r19831: Big ldb_dn optimization and interfaces enhancement patchSimo Sorce1-10/+14
This patch changes a lot of the code in ldb_dn.c, and also removes and add a number of manipulation functions around. The aim is to avoid validating a dn if not necessary as the validation code is necessarily slow. This is mainly to speed up internal operations where input is not user generated and so we can assume the DNs need no validation. The code is designed to keep the data as a string if possible. The code is not yet 100% perfect, but pass all the tests so far. A memleak is certainly present, I'll work on that next. Simo. (This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
2007-10-10r19664: fix compiler warnings...Stefan Metzmacher2-19/+19
should _krb5_find_type_in_ad() also take a const? metze (This used to be commit addc31bd9309cb2b41cbb548c82c80de1cf96c4f)
2007-10-10r19662: windows 2003 kdc's only rewrite the realm to the full form,Stefan Metzmacher1-27/+1
when the client is using the netbios domain name as realm. we should match this and not rewrite the principal. This matches what windows give: metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./kinit administrator@SERNOXDOM4 administrator@SERNOXDOM4's Password: metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./klist Credentials cache: FILE:/tmp/krb5cc_10000 Principal: administrator@SERNOXDOM4.MX.BASE Issued Expires Principal Nov 11 13:37:52 Nov 11 23:37:52 krbtgt/SERNOXDOM4@SERNOXDOM4.MX.BASE Note: I need to disable the principal checks in heimdal's _krb5_extract_ticket() for the kinit to work. Any ideas how to change heimdal to support this. For the service principal we should use the realm and principal in req->kdc_rep.enc_part instead of the unencrypted req->kdc.ticket.sname and req->kdc.ticket.realm to have a trusted value. I'm not sure what we can do with the client realm... metze (This used to be commit cfee02143f06ed6ff5832e95fa69634f5dd883da)
2007-10-10r19604: This is a massive commit, and I appologise in advance for it's size.Andrew Bartlett5-12/+26
This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
2007-10-10r19598: Ahead of a merge to current lorikeet-heimdal:Andrew Bartlett2-0/+5
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10r19299: Fix possible memleaksSimo Sorce1-4/+1
(This used to be commit 6fad80bb09113a60689061a2de67711c9924708b)