summaryrefslogtreecommitdiff
path: root/source4/kdc
AgeCommit message (Collapse)AuthorFilesLines
2009-10-14s4: Changes the old occurences of "lp_realm" in "lp_dnsdomain" where neededMatthias Dieter Wallnöfer1-1/+1
For KERBEROS applications the realm should be upcase (function "lp_realm") but for DNS ones it should be used lowcase (function "lp_dnsdomain"). This patch implements the use of both in the right way.
2009-10-14Revert "s4:hdb-samba4 - Don't double-free "db""Andrew Bartlett1-0/+1
This reverts commit 11a8a54c825a52d7dd6ab78bc7aeff2d719327d2. The actual fix for bug 6801 is in hdb_end_seq_get() - this attempt leaks 'db' instead. Andrew Bartlett
2009-10-13s4:hdb-samba4 - Don't double-free "db"Matthias Dieter Wallnöfer1-1/+0
"db" is freed anyway after the destructor terminates so this does really make no sense here (rather it makes code crash). Should fix bug #6801.
2009-10-08s3/s4 - Adapt the IDL changes on various locationsMatthias Dieter Wallnöfer1-9/+8
2009-09-18s4-server: kill main daemon if a task fails to initialiseAndrew Tridgell1-14/+14
When one of our core tasks fails to initialise it can now ask for the server as a whole to die, rather than limping along in a degraded state.
2009-09-18s4-kdc: ignore unknown keytypes Andrew Tridgell1-0/+6
don't fail hdb operations if one of the key types is unknown
2009-09-16s4:kdc In the kpasswd server, don't use the client address in mk_privAndrew Bartlett1-0/+8
This code eventually calls into mk_priv in the Heimdal code, and if the client is behind NAT, or somehow has an odd idea about it's own network addresses, it will fail to accept this packet if we set an address. It seems easiser not to. (Found by testing with NetAPP at plugfest) Andrew Bartlett
2009-08-25fixed a double free bug on error in net exportAndrew Tridgell1-1/+0
2009-08-21s4:kerberos Use MIT compatible names for these enc typesAndrew Bartlett1-2/+2
This is a small start on (ie, the only trivial part of) the work shown in: http://k5wiki.kerberos.org/wiki/Projects/Samba4_Port#Samba.27s_use_of_Heimdal_symbols.2C_with_MIT_differences (a table of all Kerberos symbols used in Samba4, and notes on where they differ from those provided with MIT Kerberos) Andrew Bartlett
2009-07-28s4:kerberos Add support for user principal names in certificatesAndrew Bartlett1-12/+91
This extends the PKINIT code in Heimdal to ask the HDB layer if the User Principal Name name in the certificate is an alias (perhaps just by case change) of the name given in the AS-REQ. (This was a TODO in the Heimdal KDC) The testsuite is extended to test this behaviour, and the other PKINIT certficate (using the standard method to specify a principal name in a certificate) is updated to use a Administrator (not administrator). (This fixes the kinit test). Andrew Bartlett
2009-07-28s4:kerberos Add 'net export keytab' command for wireshark decryptionAndrew Bartlett6-32/+72
It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 doamin. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term). Andrew Bartlett
2009-07-27Revert "s4:kerberos Add 'net export keytab' command for wireshark decryption"Stefan Metzmacher1-14/+2
This reverts commit a40ce5d0d9d06f592a8885162bbaf644006b9f0f. This breaks the build... Andrew, please repush it, when it's fixed:-) metze
2009-07-27s4:kerberos Add 'net export keytab' command for wireshark decryptionAndrew Bartlett1-2/+14
It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 doamin. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term). Andrew Bartlett
2009-07-27s4:kdc Push context to hdb_samba4 by way of the 'name' of the DBAndrew Bartlett5-13/+38
This overloads the 'name' part of the keytab name to supply a context pointer, and so avoids 3 global variables! To do this, we had to stop putting the entry for kpasswd into the secrets.ldb. (I don't consider this a big loss, and any entry left there by an upgrade will be harmless). Andrew Bartlett
2009-07-27s4:kdc Tidy up hdb_samba4 some moreAndrew Bartlett5-63/+90
This removes the last use of the prefix hdb_ldb and makes it clear that we pass in 3 global variables to get state information into hdb_samba4 when used as a keytab. (And that they belong to hdb_samba4, not to the KDC) Andrew Bartlett
2009-07-20s4:kdc Add in a simple check for constrained delegation to selfAndrew Bartlett1-1/+70
To do this properly, we must use the PAC, but for now this is enough to check that we are delegating to another name on the same host (which must be safe). (Windows 7 does this a lot, also noted in bug 6273) Andrew Bartlett
2009-07-17s4:kdc Rework KDC to pull in less attributes for krbtgt lookupsAndrew Bartlett1-16/+33
Each attribute we request from LDB comes with a small cost, so don't lookup any more than we must for the (very) frequent krbtgt lookup case. Similarly, we don't need to build a PAC for a server (as a target), so don't ask for the PAC attributes here either. Andrew Bartlett
2009-07-17s4:kdc rename functions from LDB_ to hdb_samba4Andrew Bartlett1-71/+71
The LDB_ prefix is misleading, and stomps on the LDB namespace. This is a Samba4 hdb module, and not something generic. Andrew Bartlett
2009-07-16s4:kdc Initialise new hdb function pointers.Andrew Bartlett1-0/+3
Soon we will add implementations for these.
2009-07-13libds: share UF_ flags between samba3 and 4.Günther Deschner2-2/+2
Guenther
2009-06-30s4:heimdal Allow KRB5_NT_ENTERPRISE names in all DB lookupsAndrew Bartlett1-0/+1
The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail list user principal name) in an AS-REQ. Evidence from the wild (Win2k8 reportadely) indicates that this is instead valid for all types of requests. While this is now handled in heimdal/kdc/misc.c, a flag is now defined in Heimdal's hdb so that we can take over this handling in future (once we start using a system Heimdal, and if we find out there is more to be done here). Andrew Bartlett
2009-06-30s4:kdc Only get the lp_ctx once for a LDB_fetch()Andrew Bartlett1-11/+18
2009-06-30Rework hdb-samba4 to remove useless abstractions.Andrew Bartlett1-84/+44
The function LDB_lookup_principal() has been eliminated, and it's contents spread back to it's callers. Removing the abstraction makes the code clearer. Also ensure we never pass unescaped user input to a LDB search function. Andrew Bartlett
2009-06-18s4:kdc Allow a password change when the password is expiredAndrew Bartlett3-36/+54
This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on. Andrew Bartlett
2009-06-12s4:heimdal: import lorikeet-heimdal-200906080040 (commit ↵Andrew Bartlett2-61/+56
904d0124b46eed7a8ad6e5b73e892ff34b6865ba) Also including the supporting changes required to pass make test A number of heimdal functions and constants have changed since we last imported a tree (for the better, but inconvenient for us). Andrew Bartlett
2009-06-04changed the auth path to use extended DN ops to avoid non-indexed searchesAndrew Tridgell1-27/+25
Logs showed that every SAM authentication was causing a non-indexed ldb search for member=XXX. This was previously indexed in Samba4, but since we switched to using the indexes from the full AD schema it now isn't. The fix is to use the extended DN operations to allow us to ask the server for the memberOf attribute instead, with with the SIDs attached to the result. This also means one less search on every authentication. The patch is made more complex by the fact that some common routines use the result of these user searches, so we had to update all searches that uses user_attrs and those common routines to make sure they all returned a ldb_message with a memberOf filled in and the SIDs attached.
2009-05-27Handle the krbtgt special case by looking for RID -514Andrew Bartlett1-26/+52
It turns out (seen in MS-SAMR 3.1.1.7.1 for example) that the primary way the krbtgt account is recognised as special is that RID. This should fix issues such as 'password expired' on the kpasswd service. Andrew Bartlett
2009-05-26Don't use crossRef records to find our own domainAndrew Bartlett4-146/+79
A single AD server can only host a single domain, so don't stuff about with looking up our crossRef record in the cn=Partitions container. We instead trust that lp_realm() and lp_workgroup() works correctly. Andrew Bartlett
2009-03-26s4:kdc: use krb5_data_free()Stefan Metzmacher1-1/+1
metze
2009-03-01Use common header file for character set handling in Samba 3 and Samba 4.Jelmer Vernooij1-3/+2
2009-03-01s4: Use same function signature for convert_* as s3.Jelmer Vernooij1-8/+5
2009-03-01Add allow_badcharcnv argument to all conversion function, forJelmer Vernooij1-2/+2
consistency with Samba 3.
2009-02-13Remove auth/ntlm as a dependency of GENSEC by means of function pointers.Andrew Bartlett1-9/+10
When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-02-02s4:service_stream: s/private/private_dataStefan Metzmacher1-4/+4
metze
2009-02-01s4:irpc: avoid c++ reserved word 'private'Stefan Metzmacher1-1/+1
metze
2009-02-01s4:kdc: avoid c++ reserved word 'private'Stefan Metzmacher3-49/+50
metze
2008-12-29s4:lib/tevent: rename structsStefan Metzmacher4-6/+6
list="" list="$list event_context:tevent_context" list="$list fd_event:tevent_fd" list="$list timed_event:tevent_timer" for s in $list; do o=`echo $s | cut -d ':' -f1` n=`echo $s | cut -d ':' -f2` r=`git grep "struct $o" |cut -d ':' -f1 |sort -u` files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4` for f in $files; do cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp mv $f.tmp $f done done metze
2008-12-29s4:kdc: pass down event_context explicitStefan Metzmacher3-1/+4
metze
2008-12-22s4: Fix subsystem for various services in samba daemon.Jelmer Vernooij1-1/+1
2008-12-04s4:kdc: allow a trusted domain to get kerberos ticketsStefan Metzmacher1-1/+2
metze
2008-11-02Add gensec_settings structure. This wraps loadparm_context for now, butJelmer Vernooij1-1/+3
should in the future only contain some settings required for gensec.
2008-10-24Remove unused include param/param.h.Jelmer Vernooij1-1/+0
2008-10-24Remove iconv_convenience argument from convert_string{,talloc}() butJelmer Vernooij1-2/+2
make them wrappers around convert_string{,talloc}_convenience().
2008-10-24Remove iconv_convenience parameter from simple string push/pullJelmer Vernooij1-1/+1
functions.
2008-10-20Ensure the hdb_method structure is not on the stack.Andrew Bartlett1-5/+5
We supply this to krb5 as a plugin, so we must keep it around as long as the krb5_context. Andrew Bartlett
2008-10-18Add TALLOC_CTX pointer to strhex_to_data_blob for consistency with SambaJelmer Vernooij1-2/+1
3.
2008-10-16Create a 'straight paper path' for UTF16 passwords.Andrew Bartlett1-11/+26
This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
2008-10-11Fix include paths to new location of libutil.Jelmer Vernooij3-3/+3
2008-10-06Set default trust kvno to -1Andrew Bartlett1-1/+1
2008-10-06Fix cross-realm authentication in Samba4's KDC.Andrew Bartlett1-3/+5