path: root/source4/kdc
Age | Commit message | Author | Files | Lines
2010-01-28 | s4:kdc Use a clearer name for the samba kdc entry | Simo Sorce | 4 | -32/+30
Renames hdb_samba4_private to samba_kdc_entry
Streamlines members of the entry and the kdc db context to avoid unnecessary duplication.
2010-01-28 | s4:kdc Use better db context structure | Simo Sorce | 5 | -88/+109
This allows to use a common structure not tied to hdb_samba4
Also allows to avoid many casts within hdb_samba4 functions
This is the first step to abstract samba kdc database functions so they can be used by the MIT forthcoming plugin.
2010-01-27 | s4:windc move windc plugin in its own file | Simo Sorce | 5 | -191/+228
Keep all heimdal related plugin code within wdc-samba4.c
Leave only interfaces common to multiple plugins in pac-glue.c
2010-01-27 | s4:PAC make common functions public | Simo Sorce | 2 | -25/+70
2010-01-27 | s4:PAC Streamline pac-glue step 2 | Simo Sorce | 1 | -55/+113
Split functions so that no assumption is made about which plugin is using them
2010-01-27 | s4:PAC Streamline pac-glue | Simo Sorce | 1 | -19/+40
First step, preparing to share the code between multiple plugins.
2010-01-22 | s4:kdc Simplify header files | Simo Sorce | 4 | -39/+14
2010-01-11 | Fix comment/debug messages | Simo Sorce | 1 | -4/+4
2010-01-08 | Fix comment | Simo Sorce | 1 | -1/+1
2010-01-08 | s4-kdc: Migrate tcp connections to tsocket. | Andreas Schneider | 1 | -89/+188
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2010-01-08 | s4:kdc: use LIBSAMBA_TSOCKET | Stefan Metzmacher | 1 | -1/+1
metze
2010-01-08 | s4:kdc: the ->process function returns "bool" | Stefan Metzmacher | 1 | -9/+9
metze
2009-12-24 | s4:kdc: use the remote and local address from the stream_connection struct | Stefan Metzmacher | 1 | -41/+2
metze
2009-12-23 | s4:cleanups More trailing spaces and tabs | Simo Sorce | 6 | -181/+181
2009-12-23 | s4:cleanups remove trailing spaces and tabs | Simo Sorce | 1 | -119/+120
2009-12-19 | s4:kdc: setup the local and remote tsocket_address at accept time | Stefan Metzmacher | 1 | -44/+49
metze
2009-12-19 | s4:kdc: convert UDP based communication to tdgram_context | Stefan Metzmacher | 2 | -177/+138
metze
2009-12-16 | s4-gensec: Replace gensec_set_peer_addr with new tsocket based fn. | Andreas Schneider | 1 | -1/+1
2009-12-16 | s4-gensec: Replace gensec_set_my_addr() with new tsocket based fn. | Andreas Schneider | 1 | -17/+1
2009-12-15 | s4-kdc: Migrate to tsocket_address. | Andreas Schneider | 3 | -18/+80
2009-12-01 | s4:kdc - Merged kdc_tcp_accept() and kpasswdd_tcp_accept(). | Endi S. Dewata | 1 | -26/+6
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-12-01 | s4:kdc - Merged kdc_add_kdc_socket() and kdc_add_kpasswd_socket(). | Endi S. Dewata | 1 | -75/+27
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-12-01 | s4:kdc - Disable KDC port when it's set to 0. | Endi S. Dewata | 1 | -42/+63
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-11-09 | s4-hdb: go back to a separate samdb for the KDC | Andrew Tridgell | 1 | -1/+16
The change to use a common system_session broke replication as the KDC forces CRED_DONT_USE_KERBEROS on session->credentials, which is shared with other parts of the system. This should be fixed once we confirm whether the ldap backend actually relies on CRED_DONT_USE_KERBEROS
2009-11-05 | s4:kdc: remove unused struct kpasswd_socket | Stefan Metzmacher | 1 | -10/+0
metze
2009-10-30 | s4:kdc/hdb-samba4 - Remove unused variable | Matthias Dieter Wallnöfer | 1 | -1/+0
2009-10-25 | s4-samdb: reduce the number of samdb opens at startup | Andrew Tridgell | 1 | -3/+3
Using common parameters means that the ldb_wrap code can return a reference rather than a new database
2009-10-23 | s4-dsdb: create a static system_session context | Andrew Tridgell | 1 | -1/+1
This patch adds a system_session cache, preventing us from having to recreate it on every ldb open, and allowing us to detect when the same session is being used in ldb_wrap
2009-10-14 | s4: Changes the old occurrences of "lp_realm" in "lp_dnsdomain" where needed | Matthias Dieter Wallnöfer | 1 | -1/+1
For KERBEROS applications the realm should be upcase (function "lp_realm") but for DNS ones it should be used lowcase (function "lp_dnsdomain"). This patch implements the use of both in the right way.
2009-10-14 | Revert "s4:hdb-samba4 - Don't double-free "db"" | Andrew Bartlett | 1 | -0/+1
This reverts commit 11a8a54c825a52d7dd6ab78bc7aeff2d719327d2. The actual fix for bug 6801 is in hdb_end_seq_get() - this attempt leaks 'db' instead.
Andrew Bartlett
2009-10-13 | s4:hdb-samba4 - Don't double-free "db" | Matthias Dieter Wallnöfer | 1 | -1/+0
"db" is freed anyway after the destructor terminates so this does really make no sense here (rather it makes code crash). Should fix bug #6801.
2009-10-08 | s3/s4 - Adapt the IDL changes on various locations | Matthias Dieter Wallnöfer | 1 | -9/+8
2009-09-18 | s4-server: kill main daemon if a task fails to initialise | Andrew Tridgell | 1 | -14/+14
When one of our core tasks fails to initialise it can now ask for the server as a whole to die, rather than limping along in a degraded state.
2009-09-18 | s4-kdc: ignore unknown keytypes | Andrew Tridgell | 1 | -0/+6
don't fail hdb operations if one of the key types is unknown
2009-09-16 | s4:kdc In the kpasswd server, don't use the client address in mk_priv | Andrew Bartlett | 1 | -0/+8
This code eventually calls into mk_priv in the Heimdal code, and if the client is behind NAT, or somehow has an odd idea about its own network addresses, it will fail to accept this packet if we set an address. It seems easier not to. (Found by testing with NetAPP at plugfest)
Andrew Bartlett
2009-08-25 | fixed a double free bug on error in net export | Andrew Tridgell | 1 | -1/+0
2009-08-21 | s4:kerberos Use MIT compatible names for these enc types | Andrew Bartlett | 1 | -2/+2
This is a small start on (ie, the only trivial part of) the work shown in: http://k5wiki.kerberos.org/wiki/Projects/Samba4_Port#Samba.27s_use_of_Heimdal_symbols.2C_with_MIT_differences (a table of all Kerberos symbols used in Samba4, and notes on where they differ from those provided with MIT Kerberos)
Andrew Bartlett
2009-07-28 | s4:kerberos Add support for user principal names in certificates | Andrew Bartlett | 1 | -12/+91
This extends the PKINIT code in Heimdal to ask the HDB layer if the User Principal Name name in the certificate is an alias (perhaps just by case change) of the name given in the AS-REQ. (This was a TODO in the Heimdal KDC) The testsuite is extended to test this behaviour, and the other PKINIT certificate (using the standard method to specify a principal name in a certificate) is updated to use Administrator (not administrator). (This fixes the kinit test).
Andrew Bartlett
2009-07-28 | s4:kerberos Add 'net export keytab' command for wireshark decryption | Andrew Bartlett | 6 | -32/+72
It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 domain. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term).
Andrew Bartlett
2009-07-27 | Revert "s4:kerberos Add 'net export keytab' command for wireshark decryption" | Stefan Metzmacher | 1 | -14/+2
This reverts commit a40ce5d0d9d06f592a8885162bbaf644006b9f0f. This breaks the build... Andrew, please repush it, when it's fixed :-)
metze
2009-07-27 | s4:kerberos Add 'net export keytab' command for wireshark decryption | Andrew Bartlett | 1 | -2/+14
It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 domain. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term).
Andrew Bartlett
2009-07-27 | s4:kdc Push context to hdb_samba4 by way of the 'name' of the DB | Andrew Bartlett | 5 | -13/+38
This overloads the 'name' part of the keytab name to supply a context pointer, and so avoids 3 global variables! To do this, we had to stop putting the entry for kpasswd into the secrets.ldb. (I don't consider this a big loss, and any entry left there by an upgrade will be harmless).
Andrew Bartlett
2009-07-27 | s4:kdc Tidy up hdb_samba4 some more | Andrew Bartlett | 5 | -63/+90
This removes the last use of the prefix hdb_ldb and makes it clear that we pass in 3 global variables to get state information into hdb_samba4 when used as a keytab. (And that they belong to hdb_samba4, not to the KDC)
Andrew Bartlett
2009-07-20 | s4:kdc Add in a simple check for constrained delegation to self | Andrew Bartlett | 1 | -1/+70
To do this properly, we must use the PAC, but for now this is enough to check that we are delegating to another name on the same host (which must be safe). (Windows 7 does this a lot, also noted in bug 6273)
Andrew Bartlett
2009-07-17 | s4:kdc Rework KDC to pull in less attributes for krbtgt lookups | Andrew Bartlett | 1 | -16/+33
Each attribute we request from LDB comes with a small cost, so don't lookup any more than we must for the (very) frequent krbtgt lookup case. Similarly, we don't need to build a PAC for a server (as a target), so don't ask for the PAC attributes here either.
Andrew Bartlett
2009-07-17 | s4:kdc rename functions from LDB_ to hdb_samba4 | Andrew Bartlett | 1 | -71/+71
The LDB_ prefix is misleading, and stomps on the LDB namespace. This is a Samba4 hdb module, and not something generic.
Andrew Bartlett
2009-07-16 | s4:kdc Initialise new hdb function pointers. | Andrew Bartlett | 1 | -0/+3
Soon we will add implementations for these.
2009-07-13 | libds: share UF_ flags between samba3 and 4. | Günther Deschner | 2 | -2/+2
Guenther
2009-06-30 | s4:heimdal Allow KRB5_NT_ENTERPRISE names in all DB lookups | Andrew Bartlett | 1 | -0/+1
The previous code only allowed a KRB5_NT_ENTERPRISE name (an e-mail list user principal name) in an AS-REQ. Evidence from the wild (Win2k8 reportedly) indicates that this is instead valid for all types of requests. While this is now handled in heimdal/kdc/misc.c, a flag is now defined in Heimdal's hdb so that we can take over this handling in future (once we start using a system Heimdal, and if we find out there is more to be done here).
Andrew Bartlett
2009-06-30 | s4:kdc Only get the lp_ctx once for a LDB_fetch() | Andrew Bartlett | 1 | -11/+18