summaryrefslogtreecommitdiff
path: root/source4/kdc
AgeCommit message (Collapse)AuthorFilesLines
2010-10-17Revert "s4:remove "util_ldb" submodule and integrate the three gendb_* calls ↵Matthias Dieter Wallnöfer2-0/+2
in "dsdb/common/util.c"" This reverts commit 8a2ce5c47cee499f90b125ebde83de5f9f1a9aa0. Jelmer pointed out that these are also in use by other LDB databases - not only SAMDB ones. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
2010-10-17s4:remove "util_ldb" submodule and integrate the three gendb_* calls in ↵Matthias Dieter Wallnöfer2-2/+0
"dsdb/common/util.c" They're only in use by SAMDB code. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
2010-10-11s4-credentials Add explicit event context handling to Kerberos calls (only)Andrew Bartlett1-1/+1
By setting the event context to use for this operation (only) onto the krb5_context just before we call that operation, we can try and emulate the specification of an event context to the actual send_to_kdc() This eliminates the specification of an event context to many other cli_credentials calls, and the last use of event_context_find() Special care is taken to restore the event context in the event of nesting in the send_to_kdc function. Andrew Bartlett
2010-10-11s4-kerberos Remove unused parameterAndrew Bartlett1-1/+0
2010-10-11kdc: Add missing dependency on samba_gensec_server.Jelmer Vernooij1-1/+1
2010-10-10samdb: Add flags argument to samdb_connect().Jelmer Vernooij2-4/+4
2010-10-05s4:kdc - use "userAccountControl" always unsignedMatthias Dieter Wallnöfer2-4/+4
It doesn't change much but it's nicer to have it consistent.
2010-10-05Add missing dependencies for com_err.Jelmer Vernooij1-9/+9
2010-10-05heimdal: Fix name of kdc library.Jelmer Vernooij1-1/+1
2010-10-05heimdal: Fix name of 'hdb'.Jelmer Vernooij1-11/+11
2010-10-03s4:kdc/db-glue.c - remove unused variableMatthias Dieter Wallnöfer1-1/+0
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Oct 3 17:30:34 UTC 2010 on sn-devel-104
2010-10-03s4-kdc Remove special case kerberos restriction in the KDCAndrew Bartlett1-16/+0
We should avoid using Kerberos or any other recursive auth mechanism in ldb backends, but denying Kerberos here won't be enough, so remove the special case. (Typcially we bind using a different password space and DIGEST-MD5 or NTLM). Andrew Bartlett
2010-10-03s4-kdc Fix up after import of new lorikeet-heimdalAndrew Bartlett2-4/+19
Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sun Oct 3 01:56:04 UTC 2010 on sn-devel-104
2010-10-02s4-kdc Rework 'allowed encryption types' handling in the KDCAndrew Bartlett1-28/+44
All DCs and all krbtgt servers are forced to use AES, regardless of the msDS-SecondaryKrbTgtNumber value. Andrew Bartlett
2010-09-28s4-kdc: RODC DCs should be able to produce forwardable ticketsAndrew Tridgell1-1/+1
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-28s4-kdc Ensure that an RODC may act as a server (needed to fillAndrew Bartlett1-5/+24
the krbtgt role). Andrew Bartlett
2010-09-29s4-kdc Handle the case where we may be given a ticket from an RODC in db layerAndrew Bartlett6-37/+83
This includes rewriting the PAC if the original krbtgt isn't to be trusted, and reading different entries from the DB for the krbtgt depending on the krbtgt number. Andrew Bartlett
2010-09-29s4-kdc Add common setup, handle RODC setup caseAndrew Bartlett5-73/+156
This means we just set up the system_session etc in one place and don't diverge between the MIT and Heimdal plugins. We also now determine if we are an RODC and store some details that we will need later. Andrew Bartlett
2010-09-29s4-kdc Add function to determine if a hdb entry is a RODCAndrew Bartlett2-0/+18
This is important, as we must ignore the PAC from an RODC. Andrew Bartlett
2010-09-29s4-kdc Use msDS-SecondaryKrbTgtNumber to fill in the full KVNOAndrew Bartlett1-1/+18
Andrew Bartlett
2010-09-27s4-kdc: added ifdef guards in kdc.hAndrew Tridgell1-0/+5
this prevents too much recursion in the compiler preprocessor
2010-09-16s4-kdc: prevent segfault on bad trust stringsAndrew Tridgell1-4/+8
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-25s4-trusts: fix trustDomainPasswords drsblobs IDL and server side support.Günther Deschner1-7/+7
Also remove bogus trustCurrentPasswords struct which we just had because our IDL was incorrect. Guenther
2010-08-23s4:security Change struct security_token->sids from struct dom_sid * to ↵Andrew Bartlett1-3/+3
struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-18s4:security Remove use of user_sid and group_sid from struct security_tokenAndrew Bartlett1-3/+3
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-17s4:kdc/kpasswdd.c - let the user change his own password with his own rightsMatthias Dieter Wallnöfer1-3/+44
Now it's finally possible that the user can change his password with a DSDB connection using his credentials. NOTICE: I had to extract the old password from the SAMDB since I was unable to find it somewhere else (authinfo for example).
2010-08-17s4:kdc/rpc server - adapt the "samdb_set_password" calls which perform ↵Matthias Dieter Wallnöfer1-1/+1
password sets
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell5-23/+23
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-29s4:kdc Rework the 'allowed enc types' calculationAndrew Bartlett1-41/+35
This changes the calculation to apply the allowed enc types to all uses of the key (no point allowing a weak kinit to a key the server wanted strongly protected). It also ensures that all the non-DES keys are available on the krbtgt in particular, even as it does not have a msds-SupportedEncryptionTypes attributes. Andrew Bartlett
2010-06-26s4:kdc/kdc.c - add cast to suppress warnings on Solaris 10 ccMatthias Dieter Wallnöfer1-2/+2
2010-06-26s4:kdc/kpasswdd.c - remove unreachable codeMatthias Dieter Wallnöfer1-2/+0
2010-06-23Per Andrews request, revertJelmer Vernooij1-2/+0
"heimdal/waf: Initial work on making it possible to use the system" as the hdb_check_s4u2self function handling is incorrect. This reverts commit b099631f428d0ecc641d59bd3c94674e6348dde9.
2010-06-23s4:kdc Use msDS-SupportedEncTypes in our KDCAndrew Bartlett1-30/+54
We need to honour this, otherwise we will send AES-encrypted tickets to unprepared Kerberos targets. Andrew Bartlett
2010-06-20s4:kdc/db-glue.c - remove unreachable codeMatthias Dieter Wallnöfer1-4/+0
Would be nice if someone could check if this fits.
2010-06-19heimdal/waf: Initial work on making it possible to use the systemJelmer Vernooij1-0/+2
heimdal again. Still missing are the detection of the right Heimdal version and linking (unresolved symbols at the moment).
2010-05-28s4:kdc Remove special talloc_free of the ldb contextAndrew Bartlett2-11/+1
I can see no reason not to just let this go with the talloc tree that created it, and avoid a talloc_free with references. Andrew Bartlett
2010-05-18Remove more usages of iconv_convenience in files which were apparently not ↵Jelmer Vernooij1-1/+0
recompiled by waf.
2010-05-18s3: Remove use of iconv_convenience.Jelmer Vernooij4-6/+0
2010-05-18Finish removal of iconv_convenience in public API's.Jelmer Vernooij3-17/+10
2010-05-10s4:samdb_set_password/samdb_set_password_sid - ReworkMatthias Dieter Wallnöfer1-31/+4
Adapt the two functions for the restructured "password_hash" module. This means that basically all checks are now performed in the mentioned module. An exception consists in the SAMR password change calls since they need very precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
2010-04-27Simple fix to prevent crash for non-pac principalsMarcel Ritter1-0/+5
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-04-17s4:kdc/db-glue.c - use "TALLOC_FREE" insteal of "talloc_free" for the "priv" ↵Matthias Dieter Wallnöfer1-5/+5
context Also after a free "priv" could be != NULL and may be freed again. This should fix bug #7365.
2010-04-12s4:kdc/wdc-samba4.c - fix integer counter typesMatthias Dieter Wallnöfer1-1/+2
2010-04-12s4:kdc/db-glue.c - fix integer counter typesMatthias Dieter Wallnöfer1-6/+7
2010-04-10s4:kdc Add functions to hdb-samba4 for the new s4u2self callback.Andrew Bartlett4-18/+21
For now, this shares the 'if it's the same host' system with the constrained delegation code. Andrew Bartlett
2010-04-06s4-waf: mark the wscript files as python so vim/emacs knows how to highlight ↵Andrew Tridgell1-0/+2
them
2010-04-06build: waf quicktest nearly worksAndrew Tridgell1-5/+6
Rewrote wafsamba using a new dependency handling system, and started adding the waf test code
2010-04-06build: commit all the waf build files in the treeAndrew Tridgell1-0/+53
2010-03-25s4:kdc Add support for changing password of a servicePrincipalNameAndrew Bartlett1-10/+32
Apparently AD supports setting a password on a servicePrincipalName, not just a user principal name. This should fix (part of) the join of OpenSolaris's internal CIFS server to Samba4 as reported by Bug #7273 Andrew Bartlett
2010-02-26s4-kdc: Fixed the memory context of tstream_bsd_existing()Andreas Schneider1-1/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org>