path: root/source4/kdc
Age         Commit message  (Author, files changed, lines -removed/+added)
2011-07-26  s4:kdc: canonicalize the principal if HDB_F_FOR_TGS_REQ is given  (Stefan Metzmacher, 1 file, -2/+7)
    Windows seems to always canonicalize the principal in TGS replies.
    metze
    Autobuild-User: Stefan Metzmacher <metze@samba.org>
    Autobuild-Date: Tue Jul 26 03:25:06 CEST 2011 on sn-devel-104
2011-07-20  s4:kdc: restore the behavior before the last heimdal import  (Stefan Metzmacher, 1 file, -8/+16)
    metze
    Autobuild-User: Stefan Metzmacher <metze@samba.org>
    Autobuild-Date: Wed Jul 20 12:12:38 CEST 2011 on sn-devel-104
2011-07-15  s4:kdc: set *_strongest_*_key to true to restore the old behavior  (Stefan Metzmacher, 1 file, -0/+13)
    TODO: check why this is needed.
    metze
    Autobuild-User: Stefan Metzmacher <metze@samba.org>
    Autobuild-Date: Fri Jul 15 12:26:25 CEST 2011 on sn-devel-104
2011-06-28  s4:kdc/mit_samba: disable mit_samba_check_s4u2proxy()  (Stefan Metzmacher, 1 file, -0/+9)
    As mit_samba_update_pac_data() doesn't support adding S4U_DELEGATION_INFO to the pac (and I have no clue how to add that) we should disable S4U2Proxy until this is implemented.
    metze
    Autobuild-User: Stefan Metzmacher <metze@samba.org>
    Autobuild-Date: Tue Jun 28 20:35:19 CEST 2011 on sn-devel-104
2011-06-28  s4:kdc: generate the S4U_DELEGATION_INFO in the regenerated pac  (Stefan Metzmacher, 4 files, -7/+155)
    metze
2011-06-28  s4:kdc: use KRB5_WINDC_PLUGIN_MINOR define instead of KRB5_WINDC_PLUGING_MINOR  (Stefan Metzmacher, 1 file, -1/+1)
    metze
2011-06-24  s4:kdc: implement samba_kdc_check_s4u2proxy()  (Stefan Metzmacher, 1 file, -0/+105)
    metze
2011-06-20  Use tevent_req_oom  (Volker Lendecke, 1 file, -1/+1)
    This fixes a few Coverity errors
2011-06-20  libcli/util Rename common map_nt_error_from_unix to avoid duplicate symbol  (Andrew Bartlett, 1 file, -2/+2)
    The two error tables need to be combined, but for now separate the names. (As the common parts of the tree now use the _common function, errmap_unix.c must be included in the s3 autoconf build).
    Andrew Bartlett
    Autobuild-User: Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
2011-06-06  s4-ipv6: update callers to load_interface_list()  (Andrew Tridgell, 1 file, -1/+1)
2011-06-06  s4-ipv6: use iface_list_wildcard() to listen on IPv6  (Andrew Tridgell, 1 file, -12/+17)
    when we need to listen on a wildcard address, we now listen on a list of sockets, usually 0.0.0.0 and ::
2011-05-18  s4:kdc: split s4u2self and s4u2proxy checks  (Stefan Metzmacher, 4 files, -23/+55)
    metze
2011-05-18  s4:kdc: UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION => flags.trusted_for_delegation  (Stefan Metzmacher, 1 file, -0/+14)
    metze
2011-05-08  s4-interfaces Rename interfaces code so not to conflict with source3/  (Andrew Bartlett, 1 file, -4/+4)
    The iface_count, iface_n_bcast, and load_interfaces functions conflicted with functions of the same name in source3, so the source4 functions were renamed. Hopefully we can actually wrap one around the other in future.
    Andrew Bartlett
2011-04-05  kdc: always ldb escape the realm  (Andrew Bartlett, 1 file, -1/+11)
2011-03-25  lib/util/charset rename iconv_convenience to iconv_handle  (Andrew Bartlett, 1 file, -2/+2)
    This better reflects what this structure is
    Andrew Bartlett
2011-03-24  charcnv: removed the allow_badcharcnv and allow_bad_conv options to convert_string*()  (Andrew Tridgell, 1 file, -2/+2)
    we shouldn't accept bad multi-byte strings, it just hides problems
    Autobuild-User: Andrew Tridgell <tridge@samba.org>
    Autobuild-Date: Thu Mar 24 01:47:26 CET 2011 on sn-devel-104
2011-03-19  source4/kdc: Fix prototypes for all functions.  (Jelmer Vernooij, 6 files, -1/+13)
2011-03-04  s4:kdc: split the kdc_tcp_proxy() logic from the main kdc logic  (Stefan Metzmacher, 3 files, -252/+303)
    By having kdc_tcp_proxy_send/recv(), which just asks any writeable dc for a response blob, we simplify the interaction between client-local and local-writeable sockets. This allows us to make kdc_socket, kdc_process_fn_t, kdc_tcp_call and kdc_tcp_socket private to kdc.c again.
    metze
2011-03-04  s4:kdc: split the kdc_udp_proxy() logic from the main kdc logic  (Stefan Metzmacher, 3 files, -207/+231)
    By having kdc_udp_proxy_send/recv(), which just asks any writeable dc for a response blob, we simplify the interaction between client-local and local-writeable sockets. This allows us to make kdc_udp_call and kdc_udp_socket private to kdc.c again.
    metze
2011-03-04  s4:kdc: add a kdc_proxy_unavailable_error() helper function  (Stefan Metzmacher, 1 file, -0/+24)
    metze
2011-03-04  s4:kdc: fix calculation of the rodc kvno  (Stefan Metzmacher, 1 file, -4/+12)
    Bit shifting is non-trivial in C:-)

    This
        int32_t a = 0x12340000;
        uint32_t b = (a >> 16);
    results in 0x00001234, but this
        int32_t a = 0xEDCB0000;
        uint32_t b = (a >> 16);
    results in 0xFFFFEDCB, while we expected 0x0000EDCB.

    metze
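To make the sign-extension trap in that message concrete, here is an added C example (not Samba's own code) that puts the buggy shift beside the unsigned-cast fix and then uses the extracted RODC number for the kind of issuer comparison the PAC-regeneration commits below describe. The 16-bit split of a kvno into RODC number and key version, and all function names, are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this example: the upper 16 bits of a krbtgt kvno hold
 * the RODC number, the lower 16 bits hold the real key version number. */

/* The trap from the commit message: on gcc/clang a right shift of a negative
 * int32_t is arithmetic, so the sign bit is copied into the vacated high
 * bits and the pattern 0xEDCB0000 shifts to 0xFFFFEDCB, not 0x0000EDCB. */
uint32_t rodc_number_buggy(int32_t kvno)
{
    uint32_t b = (kvno >> 16);
    return b;
}

/* Fix: convert to unsigned *before* shifting. The shift is then logical,
 * the high bits are filled with zeros, and the result is the 16-bit number. */
uint32_t rodc_number_fixed(int32_t kvno)
{
    return ((uint32_t)kvno) >> 16;
}

/* The low 16 bits are the actual key version number. */
uint32_t kvno_low16(int32_t kvno)
{
    return ((uint32_t)kvno) & 0xFFFFu;
}

/* Trust a ticket's issuer only if it was a full DC (no RODC number set) or
 * this RODC itself; other RODCs are rejected. Simplified illustration. */
int kvno_trusted_issuer(int32_t ticket_kvno, uint32_t our_rodc_number)
{
    uint32_t issuer = rodc_number_fixed(ticket_kvno);
    return issuer == 0 || issuer == our_rodc_number;
}

int main(void)
{
    /* Constructed sample values. -0x12350000 is the two's-complement value
     * whose bit pattern is 0xEDCB0000, avoiding an out-of-range constant. */
    int32_t positive = 0x12340000;
    int32_t negative = -0x12350000;

    printf("0x12340000 >> 16: buggy 0x%08x, fixed 0x%08x\n",
           rodc_number_buggy(positive), rodc_number_fixed(positive));
    printf("0xEDCB0000 >> 16: buggy 0x%08x, fixed 0x%08x\n",
           rodc_number_buggy(negative), rodc_number_fixed(negative));
    return 0;
}
```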
2011-02-18  s4-auth: rename 'auth' subsystem to 'auth4'  (Andrew Tridgell, 1 file, -5/+5)
    this prevents conflicts with the s3 auth modules. The auth modules in samba3 may appear in production smb.conf files, so it is preferable to rename the s4 modules for minimal disruption.
    Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-10  ldb: use #include <ldb.h> for ldb  (Andrew Tridgell, 1 file, -1/+1)
    this ensures we are using the header corresponding to the version of ldb we're linking against. Otherwise we could use the system ldb for link and the in-tree one for include
    Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-09  s4-auth Rework auth subsystem to remove struct auth_serversupplied_info  (Andrew Bartlett, 2 files, -15/+16)
    This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is maintained into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results.
    Andrew Bartlett
2011-02-07  mit-samba: Allow nesting on the event context  (Simo Sorce, 1 file, -0/+3)
    This context is used in ldb, and ldb modules apparently abort if nesting is not allowed.
    Autobuild-User: Simo Sorce <idra@samba.org>
    Autobuild-Date: Mon Feb 7 20:58:02 CET 2011 on sn-devel-104
2011-01-14  s4-kdc: don't ask for an extended DN for krbtgt_dn  (Andrew Tridgell, 1 file, -1/+1)
    otherwise msg->dn would be non-minimal and would fail in searches
    Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-12-24  Typo fix in KDC parameters.  (Brad Hards, 1 file, -3/+3)
    Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
    Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
    Autobuild-Date: Fri Dec 24 12:09:00 CET 2010 on sn-devel-104
2010-12-12  s4:kdc/*.c - minimise includes  (Matthias Dieter Wallnöfer, 8 files, -44/+2)
    Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
    Autobuild-Date: Sun Dec 12 15:20:46 CET 2010 on sn-devel-104
2010-12-12  s4:kdc/proxy.c - optimise includes in order to fix a build warning on Tru64  (Matthias Dieter Wallnöfer, 1 file, -6/+1)
2010-12-12  s4:kdc/kpasswdd.c - don't return an uninitialised NT_STATUS  (Matthias Dieter Wallnöfer, 1 file, -2/+1)
    Discovered by Tru64 build
2010-12-09  s4-lsa Implement kerberos ticket life policy  (Andrew Bartlett, 5 files, -3/+108)
    We now no longer print tickets with a potentially infinite life, and we report the same life over LSA as we use in the KDC. We should get this from group policy, but for now it's parametric smb.conf options.
    Andrew Bartlett
2010-12-04  s4:kdc/kpasswdd.c - fix memory leaks  (Matthias Dieter Wallnöfer, 1 file, -2/+15)
2010-12-03  s4/kdc - fix a warning regarding a changed parameter type (kvno)  (Matthias Dieter Wallnöfer, 3 files, -3/+3)
    Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
    Autobuild-Date: Fri Dec 3 23:56:15 CET 2010 on sn-devel-104
2010-12-01  s4:heimdal: import lorikeet-heimdal-201012010201 (commit 81fe27bcc0148d410ca4617f8759b9df1a5e935c)  (Andrew Bartlett, 2 files, -21/+6)
2010-11-29  s4-loadparm: use loadparm_init_global() instead of loadparm_init()  (Andrew Tridgell, 1 file, -1/+1)
    this prevents us having two lp_ctx contexts in these tools which leads to bizarre behaviour
    Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-16  s4-kdc Rework supported encryption type logic to match Microsoft  (Andrew Bartlett, 1 file, -37/+16)
    Thanks to Hongwei Sun for the clear description of the algorithm involved. Importantly, it isn't possible to remove encryption types from the list, only to add them over the defaults (DES and arcfour-hmac-md5, and additional AES for DCs and RODCs). This changes the behaviour for entries with msDS-supportedEncryptionTypes: 0, which Angelos Oikonomopoulos reported finding set by ADUC when attempting to store cleartext passwords.
    Andrew Bartlett
    Autobuild-User: Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date: Tue Nov 16 21:24:43 UTC 2010 on sn-devel-104
2010-11-16  s4-kdc Fix the realm handling again, this time pay attention to the flags  (Andrew Bartlett, 1 file, -20/+20)
    The KDC sets different flags for the AS-REQ (this is client-dependent) and the TGS-REQ to determine if the realm should be forced to the canonical value. If we do this always, or do this never, we get into trouble, so it's much better to honour the flags we are given.
    Andrew Bartlett
2010-11-16  s4-kdc use 'flags' to only create the 'admin data' elements when requested  (Andrew Bartlett, 1 file, -15/+19)
    This avoids setting these values when the caller simply does not care
    Andrew Bartlett
2010-11-16  s4-kdc Add 'flags' parameter to db fetch calls  (Andrew Bartlett, 1 file, -8/+35)
    This will allow these calls to honour the flags passed in from the KDC
    Andrew Bartlett
2010-11-15  s4-kdc Don't regenerate the PAC for cross-realm tickets  (Andrew Bartlett, 1 file, -0/+3)
    We should never get a cross-realm ticket that was not issued by a full DC, but if someone claims to have such a thing, reject it rather than segfaulting on the NULL client pointer.
    Andrew Bartlett
    Autobuild-User: Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date: Mon Nov 15 23:59:34 UTC 2010 on sn-devel-104
2010-11-15  s4-kdc Don't always regenerate the PAC  (Andrew Bartlett, 1 file, -2/+4)
    The PAC was being regenerated on all normal DCs, because they don't have a msDS-SecondaryKrbTgtNumber attribute. Instead we need to check if it's set and not equal to our RODC number, allowing RODCs to trust the full DCs and itself, but not other RODCs.
    Andrew Bartlett
2010-11-15  s4-kdc Fix realm handling in our KDC  (Andrew Bartlett, 1 file, -38/+6)
    we should reset the realm part of the principal, but not the lowercase realm embedded in the 'krbtgt/realm@REALM'.
    Andrew Bartlett
2010-11-15  kdc: Build as shared module by default.  (Jelmer Vernooij, 1 file, -0/+1)
2010-11-15  s4-kdc update startup routines after heimdal update  (Andrew Bartlett, 1 file, -1/+13)
    We should check the errors from krb5_kdc_windc_init and we now need to additionally run krb5_kdc_pkinit_config()
    Andrew Bartlett
2010-11-15  s4-kdc Remove use of heimdal private headers in kpasswd server.  (Andrew Bartlett, 1 file, -16/+3)
    This remains an abuse, because it relies on setting into the krb5_principal structure, but at least it causes less trouble for the server.
    Andrew Bartlett
2010-11-15  s4-kdc: if "bind interfaces only" is false, then also listen on wildcard  (Andrew Tridgell, 1 file, -20/+44)
    Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User: Andrew Tridgell <tridge@samba.org>
    Autobuild-Date: Mon Nov 15 00:13:59 UTC 2010 on sn-devel-104
2010-11-14  Build wrepl server as service by default.  (Jelmer Vernooij, 1 file, -1/+1)
2010-11-12  s4-kdc: added proxying of kdc requests for RODCs  (Andrew Tridgell, 5 files, -66/+782)
    when we are an RODC and we get a request for a principal that we don't have the right secrets for, we need to proxy the request to a writeable DC. This happens for both TCP and UDP requests, for both krb5 and kpasswd
    Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User: Andrew Tridgell <tridge@samba.org>
    Autobuild-Date: Fri Nov 12 08:03:20 UTC 2010 on sn-devel-104
2010-11-12  s4-kdc Return HDB_ERR_NOT_FOUND_HERE on un-revealed accounts on an RODC  (Andrew Bartlett, 1 file, -1/+7)
    This means that when we are an RODC, and an account does not have the password attributes, we can now indicate to the kdc code that it should forward the request to a real DC. (The proxy code itself is not in this commit).
    Andrew Bartlett