Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit 2a38b77a1d8674b46028214896e37747c4082f13)
|
|
krb5 going on recent heimdal installs.
Andrew Bartlett
(This used to be commit a758725407df0c87922a15aa32cc841bc4c059a2)
|
|
This concludes the proper fixes.
Andrew Bartlett
(This used to be commit c1d025793f2994c8f1cab304c3394ab186654071)
|
|
(which I suspect was missing some pieces)
this at least fixes the build so i can keep going on pvfs. Please review/fix Andrew.
(This used to be commit bffd18d09df04c1e492ef12f744ff4b6c561d53c)
|
|
basic krb5 request path.
The idea is that we should not do the extra work, if we are not going
to use the results.
Andrew Bartlett
(This used to be commit 13a2a9e326c027d76d27ecd08fb9863fe881bf30)
|
|
Andrew Bartlett
(This used to be commit d13e2aa89e72c63e552f1b24547abe6fc319ee61)
|
|
ioctl.h)
(This used to be commit b97e395c814762024336c1cf4d7c25be8da5813a)
|
|
- tidied up some of the system includes
- moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl
knows about inter-IDL dependencies
(This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64)
|
|
I have created the include/system/ directory, which will contain the
wrappers for the system includes for logical subsystems. So far I have
created include/system/kerberos.h and include/system/network.h, which
contain all the system includes for kerberos code and networking code.
These are the included in subsystems that need kerberos or networking
respectively.
Note that this method avoids the mess of #ifdef HAVE_XXX_H in every C
file, instead each C module includes the include/system/XXX.h file for
the logical system support it needs, and the details are kept isolated
in include/system/
This patch also creates a "struct ipv4_addr" which replaces "struct
in_addr" in our code. That avoids every C file needing to import all
the system networking headers.
(This used to be commit 2e25c71853f8996f73755277e448e7d670810349)
|
|
The thing that finally convinced me that minimal includes was worth
pursuing for rpc was a compiler (tcc) that failed to build Samba due
to reaching internal limits of the size of include files. Also the
fact that includes.h.gch was 16MB, which really seems excessive. This
patch brings it back to 12M, which is still too large, but
better. Note that this patch speeds up compile times for both the pch
and non-pch case.
This change also includes the addition iof a "depends()" option in our
IDL files, allowing you to specify that one IDL file depends on
another. This capability was needed for the auto-includes generation.
(This used to be commit b8f5fa8ac8e8725f3d321004f0aedf4246fc6b49)
|
|
the session info.
Andrew Bartlett
(This used to be commit 5db5c30ebedca1fee8924a9416bcb94ed13af372)
|
|
This required reworking the auth_sam code, so that it would export the
'name -> server_info' functionality. It's a bit ugly from a modular
point of view, but it's what we have to do...
Fix up some of the code to better use the new talloc()
Andrew Bartlett
(This used to be commit 18e08b4497ebabc2f31210254e145458b7c6a198)
|
|
Andrew Bartlett
(This used to be commit 9f19aae0c0812b156054385ef77785971488e21c)
|
|
were also gensec bugs that didn't turn up until we hit error paths in
the krb5 code.
Andrew Bartlett
(This used to be commit e08366ffeb52e8c522d3808a2af1aa0bc632b55f)
|
|
(This used to be commit 4aba6e7101041100f7d400abd5e7144b95528fc3)
|
|
(This used to be commit b378aae95d4001c4cf4e6e59ed80ee1bd55382ee)
|
|
also fixes a memory leak found with --leak-check.
(This used to be commit f19201ea274f0a542314c61c4af676197bf154ad)
|
|
by making our gensec structures a talloc child of the open connection
we can be sure that it will be destroyed when the connection is
dropped.
(This used to be commit f12ee2f241aab1549bc1d9ca4c35a35a1ca0d09d)
|
|
registration code
(This used to be commit bcf9d787d6bced4c4482fa3e51ccea258563d89e)
|
|
--option 'gensec:krb5=no'
or put "gensec:krb5 = no" in smb.conf
Given the frustration I've had with kerberos I was very tempted to name
this option --nfk, but resisted the temptation
(This used to be commit 2d710a5eb5b36e46fa8f652305fa9ab2e09e02f3)
|
|
'authenticated' connections.
Fix kerberos session key issues - we need to call the
routine for extracting the session key, not just read the cache.
Andrew Bartlett
(This used to be commit b80d849b6b586869fc7d3d4153db1a316f2867a9)
|
|
These fixes aim particularly at allowing PAC-less logins, as I don't
yet generate a PAC in the lorikeet-heimdal KDC.
This is for the benifit of a Kerbeors-enabled domain join, which seems
to be progressing quite well!
Andrew Bartlett
(This used to be commit f5a381094dd5bcbd795a134bc4b8b89901b5e3eb)
|
|
Andrew Bartlett
(This used to be commit 2cbbf123d26081687a15eb7b82738e8187153ba4)
|
|
metze
(This used to be commit fe655d047434422eae77486e5fd7fa51eb942677)
|
|
metze
(This used to be commit 5a3a10c004ee2c94c42f08d52b36c75b413bdb79)
|
|
metze
(This used to be commit 250485b69fbdd494bfd6c69bae94662e24fb0117)
|
|
there're some cleanups needed and we need to verify the PAC correctly
and create the auth_session_info correctly...
metze
(This used to be commit d8fe497097ee49611bb05c4a2fed36912d8e16b4)
|
|
allow tests for 'unwrapped' krb5, allowed by Win2k3.
SPENGO changes, trying to get the logic right (when and what
sub-mechanisms to wrap).
Andrew Bartlett
(This used to be commit 8a0f7bf5e282d021afe93994a91fd76fa9c05f42)
|
|
- This causes our client and server code to use the same core code,
with the same debugs etc.
- In turn, this will allow the 'mandetory/fallback' signing algorithms
to be shared, and only written once.
Updates to the SPNEGO code
- Don't wrap an empty token to the server, if we are actually already finished.
Andrew Bartlett
(This used to be commit 35b83eb329482ac1b3bc67285854cc47844ff353)
|
|
Andrew Bartlett
(This used to be commit 30d88580efe45dc792f8d5c04f4abe0497d1551c)
|
|
- We can now connect to hosts that follow the SPNEGO RFC, and *do not*
give us their principal name in the mechListMIC.
- The client code now remembers the hostname it connects to
- We now kinit for a user, if there is not valid ticket already
- Re-introduce clock skew compensation
TODO:
- See if the username in the ccache matches the username specified
- Use a private ccache, rather then the global one, for a 'new' kinit
- Determine 'default' usernames.
- The default for Krb5 is the one in the ccache, then $USER
- For NTLMSSP, it's just $USER
Andrew Bartlett
(This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
|
|
- Spelling - it's SPNEGO, not SPENGO
- SMB signing - Krb5 logins are now correctly signed
- SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not.
Andrew Bartlett
(This used to be commit cea578d6f39a2ea4a24e7a0064c95193ab6f6df7)
|
|
Andrew Bartlett
(This used to be commit 893a9a3865d7046d8b1cb0418aaf48b88beefa05)
|
|
The session key in the client is wrong, we don't do signing/sealing
and we are sending raw Kerberos, not GSSAPI.
But it's a start, and if we continue to have to call Krb5 directly,
this will be the basis.
I also intend to provide an alternate implementation, using just
GSSAPI.
Andrew Bartlett
(This used to be commit eb0dd4a821dc3dbe370aea9a9c9fb05cf2592e4d)
|