summaryrefslogtreecommitdiff
path: root/source4/kdc
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r11525: Move lookups (including the attribute search) for users fromAndrew Bartlett1-43/+22
kdc/hdb-ldb.c to share the routines used for auth/ This will require keeping the attribute list in sync, but I think it is worth it for the next steps (sharing the server_info generation). Andrew Bartlett (This used to be commit da38bcefa752a508abd28e8ff6277b493d24c2dd)
2007-10-10r11524: More work on our hdb backend in the KDC.Andrew Bartlett1-116/+78
The aim here is to restructure the queries to match the queries we do in auth, then to share the code that does the actual query (at least for user logins). Then we can generate the PAC from that shared query, rather than a seperate query. Andrew Bartlett (This used to be commit 4395d087e19286536dbb41fa5758491b302fa437)
2007-10-10r11437: Fix (valid!) use of uninitialised value warnings.Andrew Bartlett1-1/+2
Andrew Bartlett (This used to be commit 64b9ea642bb7443f804e71bb2a6ccad94522d057)
2007-10-10r11382: Require number of required M4 macrosJelmer Vernooij1-5/+1
Make MODULE handling a bit more like BINARY, LIBRARY and SUBSYSTEM Add some more PUBLIC_HEADERS (This used to be commit 875eb8f4cc658e6aebab070029fd499a726ad520)
2007-10-10r11333: Push service principal lookups into the cracknames code, rather thanAndrew Bartlett1-166/+92
in the hdb-ldb code. Andrew Bartlett (This used to be commit f71149c88d9648f5b2b1d1480dc8d45c551b0231)
2007-10-10r11322: Start moving towards using the cracknames code in the KDC.Andrew Bartlett1-26/+70
Andrew Bartlett (This used to be commit cf67af421686e7a89334e10296a3a07c1f8f6298)
2007-10-10r11321: Fix typos in warnings.Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit 81f020d3a4982842b770b9eeb82851cf2cd35fe2)
2007-10-10r11270: Move the core CrackNames code from rpc_server/drsuapi to dsdb/samdb.Andrew Bartlett1-9/+5
I'm sure this will not be the final resting place, but it will do for now. Use the cracknames code in auth/ for creating a server_info given a principal name only (should avoid assumtions about spliting a user@realm principal). Andrew Bartlett (This used to be commit c9d5d8e45dd7b7c99b6cf35b087bc18012f31222)
2007-10-10r11244: Relative path names in .mk filesJelmer Vernooij2-336/+336
(This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba)
2007-10-10r11241: - fix compiler warningStefan Metzmacher1-2/+2
- fix comment metze (This used to be commit 4f999625a164e58b87d915bbb2914038ea96162a)
2007-10-10r11239: Use ${REALM} for the realm in rootdse.ldifAndrew Bartlett4-97/+674
Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2007-10-10r11214: Remove scons files (see ↵Jelmer Vernooij1-2/+0
http://lists.samba.org/archive/samba-technical/2005-October/043443.html) (This used to be commit 7fffc5c9178158249be632ac0ca179c13bd1f98f)
2007-10-10r11206: It appears to me that any account may operate as a server.Andrew Bartlett1-1/+5
Andrew Bartlett (This used to be commit 3b6c9c7cbc1d5c4dd32d3c1db18ddbccbb8cf17a)
2007-10-10r11106: Make the KDC handler plugable, as I want to drop kpasswdd into exactlyAndrew Bartlett1-16/+34
the same spot (it has identical TCP sementics). Andrew Bartlett (This used to be commit 84d6118e8762608af0945279d80ad0f898e693d9)
2007-10-10r10987: add support for tcp kdc requestsStefan Metzmacher2-34/+271
metze (This used to be commit 4c4f19cc23d256c600819e8b0fddc7734b97e131)
2007-10-10r10810: This adds the hooks required to communicate the current user from theAndrew Bartlett1-1/+1
authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2007-10-10r10586: Add MergedObject() builder. Default to Library() ratherJelmer Vernooij1-1/+1
then StaticLibrary() (This used to be commit b53313dc517986c69a4e4cb8fe3885b696f8faa1)
2007-10-10r10562: Ensure we initalise the error table with hdb errors. This ensures weAndrew Bartlett2-0/+3
get good text error strings. Andrew Bartlett (This used to be commit 0600202067c00dd5d5d8be2d6559f66b46108f07)
2007-10-10r10348: Add scons scripts for remaining subsystems. Most subsystems build now,Jelmer Vernooij1-0/+2
but final linking still fails (as does generating files asn1, et, idl and proto files) (This used to be commit 4f0d7f75b99c7f4388d8acb0838577d86baf68b5)
2007-10-10r10157: Remove the last traces of heimdal/include.James Peach1-1/+1
(This used to be commit 651249010725196702a8a2ed0cba65039aa2f08d)
2007-10-10r10066: This is the second in my patches to work on Samba4's kerberos support,Andrew Bartlett1-8/+3
with an aim to make the code simpiler and more correct. Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over all keytypes)' code in gensec_krb5, we now follow the approach used in gensec_gssapi, and use a keytab. I have also done a lot of work in the GSSAPI code, to try and reduce the diff between us and upstream heimdal. It was becoming hard to track patches in this code, and I also want this patch (the DCE_STYLE support) to be in a 'manageable' state for when lha considers it for merging. (metze assures me it still has memory leak problems, but I've started to address some of that). This patch also includes a simple update of other code to current heimdal, as well as changes we need for better PAC verification. On the PAC side of things we now match windows member servers by checking the name and authtime on an incoming PAC. Not generating these right was the cause of the PAC pain, and so now both the main code and torture test validate this behaviour. One thing doesn't work with this patch: - the sealing of RPC pipes with kerberos, Samba -> Samba seems broken. I'm pretty sure this is related to AES, and the need to break apart the gss_wrap interface. Andrew Bartlett (This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2007-10-10r9931: Make use of new 'norealm' parsing functions rather than strchr(p '@').Andrew Bartlett1-11/+15
Merge these norealm functions from lorikeet-heimdal. Andrew Bartlett (This used to be commit 6aef275efd7f434f65824eb3dd129c8e5efd8731)
2007-10-10r9792: Rename StrCaseCmp -> strcasecmp_m. All these years I was thinkingJelmer Vernooij1-1/+1
StrCaseCmp was sys_strcasecmp, while it is in fact strcasecmp_m! (This used to be commit 200a8f6652cb2de7a8037a7a4c2a204b50aee2b1)
2007-10-10r9648: this fixes the krb5 based login with the pac. The key to this whole ↵Andrew Tridgell2-9/+12
saga was that the logon_time field in the pac must match the authtime field in the ticket we gave the client in the AS-REP (and thus also the authtime field in the ticket we get back in the TGS-REQ). Many thanks to Andrew Bartlett for his patience in showing me the basic ropes of all this code! This was a joint effort. (This used to be commit 7bee374b3ffcdb0424a83f909fe5ad504ea3882e)
2007-10-10r9392: Fix ldb_dn_compose to make build farm happySimo Sorce1-3/+2
Add ldb_dn_string_compose so that you can build a dn starting from a struct ldb_dn base and a set of parameters to be composed in a format string with the same syntax of printf (This used to be commit 31c69d0655752cc8ea3bc5b7ea87792291302091)
2007-10-10r9391: Convert all the code to use struct ldb_dn to ohandle ldap like ↵Simo Sorce1-27/+35
distinguished names Provide more functions to handle DNs in this form (This used to be commit 692e35b7797e39533dd2a1c4b63d9da30f1eb5ba)
2007-10-10r9310: Add two missing return statements after null pointer checks to fix ↵Steve French1-0/+2
potential oops in kdc code. Found by coverity. (This used to be commit 3b707b928969c87ac7e9948a567a3ebbc754f28c)
2007-10-10r9235: Remove attribute search we no longer reference.Andrew Bartlett1-1/+0
Andrew Bartlett (This used to be commit cf8bf1e9f3d771fb3ea14949cd6963c3e9ac6c2d)
2007-10-10r9170: fix crash bugStefan Metzmacher1-2/+3
metze (This used to be commit 232b04bf3e5ff185cf8c6401a19960afd42b5d6c)
2007-10-10r9084: 'resign' the sample PAC for the validation of the signature algorithms.Andrew Bartlett1-1/+1
If we ever get problems with the kerberos code, it should show up as a different signature in this PAC. This involved returning more data from the pac functions, so changed some callers and split up some functions. Andrew Bartlett (This used to be commit d514a7491208afa0533bf9e99601147eb69e08c9)
2007-10-10r8586: register the kdc with irpc so we can tell that it is upAndrew Tridgell1-0/+3
(This used to be commit 093bbae1c391a999131f249b3aa9a9e3ce99a555)
2007-10-10r8520: fixed a pile of warnings from the build farm gcc -Wall output onAndrew Tridgell2-4/+7
S390. This is an attempt to avoid the panic we're seeing in the automatic builds. The main fixes are: - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats - use of NULL format statements to perform dn searches. - assumption that sizeof() returns an int (This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
2007-10-10r8511: This 'can't happen', but GCC gives warnings because it thinks it can.Andrew Bartlett1-2/+6
Andrew Bartlett (This used to be commit 40088b9566e8f63897958fc99d99dedb38e0cb69)
2007-10-10r8363: - we need to correct the realm for the krbtgt/NETBIOSDOMAINREALMStefan Metzmacher1-7/+24
into krbtgt/DNS.DOMAIN.REALM too with this a windows client asks for the correct ticket when you try to login (but it's still not working correct, as some how we mess up the dns host name of the client and it asks for the wrong service principal) - fix some compiler wranings - fix some debug messages metze (This used to be commit c4c93eeec20ceb062d37f392139a5ef8bbb626f5)
2007-10-10r8249: Clarify (with a comment) why we are playing these games here.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit 33dcbe938df532e63b9c02c2b6cef11090021481)
2007-10-10r8181: Allow host/foo.realm/realm@REALM requests, assuming that the realmAndrew Bartlett1-1/+9
forms both differ only in case. We may need a better solution than this later. Andrew Bartlett (This used to be commit a0ad13f5bceb17c1b856548825e5509921b409f0)
2007-10-10r8161: Update Samba4 for the new Heimdal update.Andrew Bartlett2-2/+2
Andrew Bartlett (This used to be commit 6a9b6373273f135fe012a6603707d77c2a65e9fa)
2007-10-10r8110: More PAC work. I still can't get WinXP to accept the PAC, but we areAndrew Bartlett1-2/+10
much closer. This changes PIDL to allow a subcontext to have a pad8 flag, saying to pad behind to an 8 byte boundary. This is the only way I can explain the 4 trainling zeros in the signature struct. Far more importantly, the PAC code is now under self-test, both in creating/parsing our own PAC, but also a PAC from my win2k3 server. This required changing auth_anonymous, because I wanted to reuse the anonymous 'server_info' generation code. I'm still having trouble with PIDL, particulary as surrounds value(), but I'll follow up on the list. Andrew Bartlett (This used to be commit 50a54bf4e9bf04d2a8e0aebb3482a2ff655c8bbb)
2007-10-10r8013: Remember to add the header containing the prototype for the pacAndrew Bartlett2-0/+8
generating function... Andrew Bartlett (This used to be commit 707cf5fba8e5652043d392d3ee77d042eb9c3a90)
2007-10-10r8001: Also fill in the krbtgt checksum, and make sure to put the rightAndrew Bartlett1-3/+4
checksum in the right place... Andrew Bartlett (This used to be commit 90d0f502da20add6784c883b2085cde519604933)
2007-10-10r7993: Further work on the Krb5 PAC.Andrew Bartlett5-7/+93
We now generate the PAC, and can verifiy both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, spits out the code to get the information we need from the NETLOGON server back into a auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be veified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
2007-10-10r7969: It seems reasonable that our tickets be marked renewable, in theAndrew Bartlett1-0/+2
absense of an apparent AD flag to control this behaviour. Andrew Bartlett (This used to be commit 9886aa6f0e64cdb30774bfba3f2c683a3dbec9c4)
2007-10-10r7911: task_terminate() is defined in the macosx headers, so change the nameAndrew Tridgell1-7/+7
to task_server_terminate() (This used to be commit a7447e25ac203f0ee09ffdf72df1094eb70e7c0c)
2007-10-10r7765: Thanks to Maurice Massar <massar@unix-ag.uni-kl.de> for spotting thatAndrew Bartlett1-1/+1
I missed one spot in moving from hdb_ent_type to the internal-to-hdb-ldb hdb_ldb_ent_type, which results in a Kerberos: Server has invalid flag set -- krbtgt/....@.... on kinit. Andrew Bartlett (This used to be commit 2358e0c0e4f2a3db78a8db360abc296f98bcb549)
2007-10-10r7680: Move to using our own private enum for the principal type inside theAndrew Bartlett1-30/+40
hdb-ldb module. This removes the need for the KRBTGT case to exist in the broader heimdal code. Andrew Bartlett (This used to be commit fb83465dbccae8af5eb26f735e60f3f40e944446)
2007-10-10r7651: Only convert SERVER requests to KRBTGT requests.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit a948e743bbc691798e6a956b35d8e09cfc91f988)
2007-10-10r7520: Fix memory leak in hdb-ldb.cAndrew Bartlett1-0/+3
Andrew Bartlett (This used to be commit 7f6a7f7fc521f41c811c51fb692f408dc570f4cd)
2007-10-10r7508: Fix memory leak of outgoing packets in the KDC.Andrew Bartlett1-0/+3
Andrew Bartlett (This used to be commit 6f7bb00c7e59444cde0c25b6f83e1c335d86ee32)
2007-10-10r7484: the previous bug can also affect the kdcAndrew Tridgell1-1/+2
(This used to be commit ee8bf9db4a619b40ae71b5e97ea7640483587573)
2007-10-10r7352: the internal heimdal build change. This changes quite a few things:Andrew Tridgell3-3/+3
- if you want kerberos now, you need to unpack a lorikeet heimdal tree in source/heimdal/. If source/heimdal/ does not exist at configure time then all kerberos features are disabled. You cannot use an external kerberos library for now. That may change later. - moved lib/replace/ config stuff to lib/replace/ and create a lib/replace/replace.h. That allows the heimdal build to use our portability layer, and prevenets duplicate definitions of functions like strlcat() - if you do enable heimdal, then you will need to do 'make HEIMDAL_EXTERNAL' before you build Samba. That should be fixed once I explain the problem to jelmer (the problem is the inability to set a depend without also dragging in the object list of the dependency. We need this for building the heimdal asn1 compiler and et compiler. - disabled all of the m4 checks for external kerberos libraries. I left them in place in auth/kerberos/, but disabled it in configure.in some of the heimdal_build/ code is still very rough, for example I don't correctly detect the correct awk, flex, bison replacements for heimdal_build/build_external.sh. I expect to fix that stuff up over the next few days. (This used to be commit d4648249b2c7fc8b5e7c0fc8d8f92ae043b5691f)