| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Move the core to pac-glue so that other plugins can use it.
|
|
The code was looping but always checking only the first address.
|
|
|
|
|
|
Keep all heimdal related plugin code within hdb_samba4.c
Move interfaces needed by multiple plugins in db-glue.c
Move sequence context in main db context so that we do
not depend on db->hdb_dbc in the common code.
Remove unnecessary paremeters from function prototypes
|
|
Renames hdb_samba4_private to samba_kdc_entry
Streamlines members of the entry and the kdc db contextto avoid
unnecessary duplication.
|
|
This allows to use a common structure not tied to hdb_samba4
Also allows to avoid many casts within hdb_samba4 functions
This is the first step to abstract samba kdc databse functions
so they can be used by the MIT forthcoming plugin.
|
|
Keep all heimdal related plugin code within wdc-samba4.c
Leave only interfaces common to multiple plugins in pac-glue.c
|
|
|
|
Split functions so that no assumption is made about which plugin
is using them
|
|
First step, preparing to share the code between multiple plugins.
|
|
|
|
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
metze
|
|
metze
|
|
metze
|
|
|
|
|
|
metze
|
|
metze
|
|
|
|
|
|
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
The change to use a common system_session broke replication as the KDC
forces CRED_DONT_USE_KERBEROS on session->credentials, which is shared
with other parts of the system.
This should be fixed once we confirm whether the ldap backend actually
relies on CRED_DONT_USE_KERBEROS
|
|
metze
|
|
|
|
Using common parameters means that the ldb_wrap code can return a
reference rather than a new database
|
|
This patch adds a system_session cache, preventing us from having to
recreate it on every ldb open, and allowing us to detect when the same
session is being used in ldb_wrap
|
|
For KERBEROS applications the realm should be upcase (function "lp_realm") but
for DNS ones it should be used lowcase (function "lp_dnsdomain"). This patch
implements the use of both in the right way.
|
|
This reverts commit 11a8a54c825a52d7dd6ab78bc7aeff2d719327d2.
The actual fix for bug 6801 is in hdb_end_seq_get() - this attempt
leaks 'db' instead.
Andrew Bartlett
|
|
"db" is freed anyway after the destructor terminates so this does really make
no sense here (rather it makes code crash).
Should fix bug #6801.
|
|
|
|
When one of our core tasks fails to initialise it can now ask for the
server as a whole to die, rather than limping along in a degraded
state.
|
|
don't fail hdb operations if one of the key types is unknown
|
|
This code eventually calls into mk_priv in the Heimdal code, and if
the client is behind NAT, or somehow has an odd idea about it's own
network addresses, it will fail to accept this packet if we set an
address. It seems easiser not to. (Found by testing with NetAPP at
plugfest)
Andrew Bartlett
|
|
|
|
This is a small start on (ie, the only trivial part of) the work shown in:
http://k5wiki.kerberos.org/wiki/Projects/Samba4_Port#Samba.27s_use_of_Heimdal_symbols.2C_with_MIT_differences
(a table of all Kerberos symbols used in Samba4, and notes on where
they differ from those provided with MIT Kerberos)
Andrew Bartlett
|
|
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ. (This was a TODO in
the Heimdal KDC)
The testsuite is extended to test this behaviour, and the other PKINIT
certficate (using the standard method to specify a principal name in a
certificate) is updated to use a Administrator (not administrator).
(This fixes the kinit test).
Andrew Bartlett
|
|
It is much easier to do decryption with wireshark when the keytab is
available for every host in the domain. Running 'net export keytab
<keytab name>' will export the current (as pointed to by the supplied
smb.conf) local Samba4 doamin.
(This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4,
and so has a good chance of keeping working in the long term).
Andrew Bartlett
|
|
This reverts commit a40ce5d0d9d06f592a8885162bbaf644006b9f0f.
This breaks the build...
Andrew, please repush it, when it's fixed:-)
metze
|
|
It is much easier to do decryption with wireshark when the keytab is
available for every host in the domain. Running 'net export keytab
<keytab name>' will export the current (as pointed to by the supplied
smb.conf) local Samba4 doamin.
(This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4,
and so has a good chance of keeping working in the long term).
Andrew Bartlett
|
|
This overloads the 'name' part of the keytab name to supply a context
pointer, and so avoids 3 global variables!
To do this, we had to stop putting the entry for kpasswd into the
secrets.ldb. (I don't consider this a big loss, and any entry left
there by an upgrade will be harmless).
Andrew Bartlett
|
|
This removes the last use of the prefix hdb_ldb and makes it clear
that we pass in 3 global variables to get state information into
hdb_samba4 when used as a keytab. (And that they belong to
hdb_samba4, not to the KDC)
Andrew Bartlett
|
|
To do this properly, we must use the PAC, but for now this is enough
to check that we are delegating to another name on the same host
(which must be safe).
(Windows 7 does this a lot, also noted in bug 6273)
Andrew Bartlett
|
|
Each attribute we request from LDB comes with a small cost, so don't
lookup any more than we must for the (very) frequent krbtgt lookup
case. Similarly, we don't need to build a PAC for a server (as a
target), so don't ask for the PAC attributes here either.
Andrew Bartlett
|
