summaryrefslogtreecommitdiff
path: root/source4/kdc
AgeCommit message (Collapse)AuthorFilesLines
2010-11-16s4-kdc Rework supported encryption type logic to match MicrosoftAndrew Bartlett1-37/+16
Thanks to Hongwei Sun for the clear description of the algorithim involved. Importantly, it isn't possible to remove encryption types from the list, only to add them over the defaults (DES and arcfour-hmac-md5, and additional AES for DCs and RODCs). This changes the behaviour for entries with msDS-supportedEncryptionTypes: 0, which Angelos Oikonomopoulos reported finding set by ADUC when attempting to store cleartext passwords. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Nov 16 21:24:43 UTC 2010 on sn-devel-104
2010-11-16s4-kdc Fix the realm handling again, this time pay attention to the flagsAndrew Bartlett1-20/+20
The KDC sets different flags for the AS-REQ (this is client-depenent) and the TGS-REQ to determine if the realm should be forced to the canonical value. If we do this always, or do this never, we get into trouble, so it's much better to honour the flags we are given. Andrew Bartlett
2010-11-16s4-kdc use 'flags' to only create the 'admin data' elements when requestedAndrew Bartlett1-15/+19
This avoids setting these values when the caller simply does not care Andrew Bartlett
2010-11-16s4-kdc Add 'flags' parameter to db fetch callsAndrew Bartlett1-8/+35
This will allow these calls to honour the flags passed in from the KDC Andrew Bartlett
2010-11-15s4-kdc Don't regenerate the PAC for cross-realm ticketsAndrew Bartlett1-0/+3
We should never get a cross-realm ticket that was not issued by a full DC, but if someone claims to have such a thing, reject it rather than segfaulting on the NULL client pointer. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Nov 15 23:59:34 UTC 2010 on sn-devel-104
2010-11-15s4-kdc Don't always regenerate the PACAndrew Bartlett1-2/+4
The PAC was being regenerated on all normal DCs, because they don't have a msDS-SecondaryKrbTgtNumber attribute. Instead we need to check if it's set and not equal to our RODC number, allowing RODCs to trust the full DCs and itself, but not other RODCs. Andrew Bartlett
2010-11-15s4-kdc Fix realm handling in our KDCAndrew Bartlett1-38/+6
we should reset the realm part of the principal, but not the lowercase realm embedded in the 'krbtgt/realm@REALM'. Andrew Bartlett
2010-11-15kdc: Build as shared module by default.Jelmer Vernooij1-0/+1
2010-11-15s4-kdc update startup routines after heimdal updateAndrew Bartlett1-1/+13
We should check the errors from krb5_kdc_windc_init and we now need to additionally run krb5_kdc_pkinit_config() Andrew Bartlett
2010-11-15s4-kdc Remove use of heimdal private headers in kpasswd server.Andrew Bartlett1-16/+3
This remains an abuse, because it relies on setting into the krb5_principal structure, but at least it causes less trouble for the server. Andrew Bartlett
2010-11-15s4-kdc: if "bind interfaces only" is false, then also listen on wildcardAndrew Tridgell1-20/+44
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Mon Nov 15 00:13:59 UTC 2010 on sn-devel-104
2010-11-14Build wrepl server as service by default.Jelmer Vernooij1-1/+1
2010-11-12s4-kdc: added proxying of kdc requests for RODCsAndrew Tridgell5-66/+782
when we are an RODC and we get a request for a principal that we don't have the right secrets for, we need to proxy the request to a writeable DC. This happens for both TCP and UDP requests, for both krb5 and kpasswd Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Fri Nov 12 08:03:20 UTC 2010 on sn-devel-104
2010-11-12s4-kdc Return HDB_ERR_NOT_FOUND_HERE on un-revealed accounts on an RODCAndrew Bartlett1-1/+7
This means that when we are an RODC, and an account does not have the password attributes, we can now indicate to the kdc code that it should forward the request to a real DC. (The proxy code itself is not in this commit). Andrew Bartlett
2010-11-12s4-kdc: split the kdc process return into a tri-stateAndrew Tridgell3-53/+59
this is in preparation for doing forwarding of packets for RODCs Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-12s4-kdc: we don't need the special include handling nowAndrew Tridgell1-6/+0
the special handling was to cope with the conflict with the kdc.h header Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-12s4-kdc: rename kdc/kdc.h to kdc/kdc-glue.hAndrew Tridgell6-5/+5
kdc.h conflicts with a heimdal header name
2010-11-07credentials: Lowercase library name,Jelmer Vernooij1-9/+9
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sun Nov 7 01:48:44 UTC 2010 on sn-devel-104
2010-10-31s4: Remove the old perl/m4/make/mk-based build system.Jelmer Vernooij2-88/+0
The new waf-based build system now has all the same functionality, and the old build system has been broken for quite some time. Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
2010-10-30s4-smbd: don't initialise process models more than onceAndrew Tridgell1-1/+1
this also removes the event_context parameter from process model initialisation. It isn't needed, and is confusing when a process model init can be called from more than one place, possibly with different event contexts. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-30s4-kdc: create a 'pac' private grouping libraryAndrew Tridgell1-0/+6
this removes the final case where we have an object file linked into two libraries Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-26waf: Stop automaticaly changing dashes to underscores in library names.Jelmer Vernooij1-9/+9
2010-10-26waf: Remove lib prefix from libraries manually.Jelmer Vernooij1-6/+6
2010-10-24s4: Rename DB_GLUE to db_glue.Jelmer Vernooij1-4/+4
2010-10-24s4: Rename LIBSAMBA-* to libsamba-*Jelmer Vernooij1-6/+6
2010-10-21s4-kdc: make DB_GLUE a private libraryAndrew Tridgell1-2/+3
2010-10-18s4:"util_ldb" - remove some really unused dependanciesMatthias Dieter Wallnöfer1-1/+0
2010-10-17Revert "s4:remove "util_ldb" submodule and integrate the three gendb_* calls ↵Matthias Dieter Wallnöfer2-0/+2
in "dsdb/common/util.c"" This reverts commit 8a2ce5c47cee499f90b125ebde83de5f9f1a9aa0. Jelmer pointed out that these are also in use by other LDB databases - not only SAMDB ones. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
2010-10-17s4:remove "util_ldb" submodule and integrate the three gendb_* calls in ↵Matthias Dieter Wallnöfer2-2/+0
"dsdb/common/util.c" They're only in use by SAMDB code. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
2010-10-11s4-credentials Add explicit event context handling to Kerberos calls (only)Andrew Bartlett1-1/+1
By setting the event context to use for this operation (only) onto the krb5_context just before we call that operation, we can try and emulate the specification of an event context to the actual send_to_kdc() This eliminates the specification of an event context to many other cli_credentials calls, and the last use of event_context_find() Special care is taken to restore the event context in the event of nesting in the send_to_kdc function. Andrew Bartlett
2010-10-11s4-kerberos Remove unused parameterAndrew Bartlett1-1/+0
2010-10-11kdc: Add missing dependency on samba_gensec_server.Jelmer Vernooij1-1/+1
2010-10-10samdb: Add flags argument to samdb_connect().Jelmer Vernooij2-4/+4
2010-10-05s4:kdc - use "userAccountControl" always unsignedMatthias Dieter Wallnöfer2-4/+4
It doesn't change much but it's nicer to have it consistent.
2010-10-05Add missing dependencies for com_err.Jelmer Vernooij1-9/+9
2010-10-05heimdal: Fix name of kdc library.Jelmer Vernooij1-1/+1
2010-10-05heimdal: Fix name of 'hdb'.Jelmer Vernooij1-11/+11
2010-10-03s4:kdc/db-glue.c - remove unused variableMatthias Dieter Wallnöfer1-1/+0
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Oct 3 17:30:34 UTC 2010 on sn-devel-104
2010-10-03s4-kdc Remove special case kerberos restriction in the KDCAndrew Bartlett1-16/+0
We should avoid using Kerberos or any other recursive auth mechanism in ldb backends, but denying Kerberos here won't be enough, so remove the special case. (Typcially we bind using a different password space and DIGEST-MD5 or NTLM). Andrew Bartlett
2010-10-03s4-kdc Fix up after import of new lorikeet-heimdalAndrew Bartlett2-4/+19
Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sun Oct 3 01:56:04 UTC 2010 on sn-devel-104
2010-10-02s4-kdc Rework 'allowed encryption types' handling in the KDCAndrew Bartlett1-28/+44
All DCs and all krbtgt servers are forced to use AES, regardless of the msDS-SecondaryKrbTgtNumber value. Andrew Bartlett
2010-09-28s4-kdc: RODC DCs should be able to produce forwardable ticketsAndrew Tridgell1-1/+1
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-28s4-kdc Ensure that an RODC may act as a server (needed to fillAndrew Bartlett1-5/+24
the krbtgt role). Andrew Bartlett
2010-09-29s4-kdc Handle the case where we may be given a ticket from an RODC in db layerAndrew Bartlett6-37/+83
This includes rewriting the PAC if the original krbtgt isn't to be trusted, and reading different entries from the DB for the krbtgt depending on the krbtgt number. Andrew Bartlett
2010-09-29s4-kdc Add common setup, handle RODC setup caseAndrew Bartlett5-73/+156
This means we just set up the system_session etc in one place and don't diverge between the MIT and Heimdal plugins. We also now determine if we are an RODC and store some details that we will need later. Andrew Bartlett
2010-09-29s4-kdc Add function to determine if a hdb entry is a RODCAndrew Bartlett2-0/+18
This is important, as we must ignore the PAC from an RODC. Andrew Bartlett
2010-09-29s4-kdc Use msDS-SecondaryKrbTgtNumber to fill in the full KVNOAndrew Bartlett1-1/+18
Andrew Bartlett
2010-09-27s4-kdc: added ifdef guards in kdc.hAndrew Tridgell1-0/+5
this prevents too much recursion in the compiler preprocessor
2010-09-16s4-kdc: prevent segfault on bad trust stringsAndrew Tridgell1-4/+8
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-25s4-trusts: fix trustDomainPasswords drsblobs IDL and server side support.Günther Deschner1-7/+7
Also remove bogus trustCurrentPasswords struct which we just had because our IDL was incorrect. Guenther