Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit 4aba6e7101041100f7d400abd5e7144b95528fc3)
|
|
(This used to be commit b378aae95d4001c4cf4e6e59ed80ee1bd55382ee)
|
|
also fixes a memory leak found with --leak-check.
(This used to be commit f19201ea274f0a542314c61c4af676197bf154ad)
|
|
by making our gensec structures a talloc child of the open connection
we can be sure that it will be destroyed when the connection is
dropped.
(This used to be commit f12ee2f241aab1549bc1d9ca4c35a35a1ca0d09d)
|
|
registration code
(This used to be commit bcf9d787d6bced4c4482fa3e51ccea258563d89e)
|
|
--option 'gensec:krb5=no'
or put "gensec:krb5 = no" in smb.conf
Given the frustration I've had with kerberos I was very tempted to name
this option --nfk, but resisted the temptation
(This used to be commit 2d710a5eb5b36e46fa8f652305fa9ab2e09e02f3)
|
|
'authenticated' connections.
Fix kerberos session key issues - we need to call the
routine for extracting the session key, not just read the cache.
Andrew Bartlett
(This used to be commit b80d849b6b586869fc7d3d4153db1a316f2867a9)
|
|
These fixes aim particularly at allowing PAC-less logins, as I don't
yet generate a PAC in the lorikeet-heimdal KDC.
This is for the benifit of a Kerbeors-enabled domain join, which seems
to be progressing quite well!
Andrew Bartlett
(This used to be commit f5a381094dd5bcbd795a134bc4b8b89901b5e3eb)
|
|
Andrew Bartlett
(This used to be commit 2cbbf123d26081687a15eb7b82738e8187153ba4)
|
|
metze
(This used to be commit fe655d047434422eae77486e5fd7fa51eb942677)
|
|
metze
(This used to be commit 5a3a10c004ee2c94c42f08d52b36c75b413bdb79)
|
|
metze
(This used to be commit 250485b69fbdd494bfd6c69bae94662e24fb0117)
|
|
there're some cleanups needed and we need to verify the PAC correctly
and create the auth_session_info correctly...
metze
(This used to be commit d8fe497097ee49611bb05c4a2fed36912d8e16b4)
|
|
allow tests for 'unwrapped' krb5, allowed by Win2k3.
SPENGO changes, trying to get the logic right (when and what
sub-mechanisms to wrap).
Andrew Bartlett
(This used to be commit 8a0f7bf5e282d021afe93994a91fd76fa9c05f42)
|
|
- This causes our client and server code to use the same core code,
with the same debugs etc.
- In turn, this will allow the 'mandetory/fallback' signing algorithms
to be shared, and only written once.
Updates to the SPNEGO code
- Don't wrap an empty token to the server, if we are actually already finished.
Andrew Bartlett
(This used to be commit 35b83eb329482ac1b3bc67285854cc47844ff353)
|
|
Andrew Bartlett
(This used to be commit 30d88580efe45dc792f8d5c04f4abe0497d1551c)
|
|
- We can now connect to hosts that follow the SPNEGO RFC, and *do not*
give us their principal name in the mechListMIC.
- The client code now remembers the hostname it connects to
- We now kinit for a user, if there is not valid ticket already
- Re-introduce clock skew compensation
TODO:
- See if the username in the ccache matches the username specified
- Use a private ccache, rather then the global one, for a 'new' kinit
- Determine 'default' usernames.
- The default for Krb5 is the one in the ccache, then $USER
- For NTLMSSP, it's just $USER
Andrew Bartlett
(This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
|
|
- Spelling - it's SPNEGO, not SPENGO
- SMB signing - Krb5 logins are now correctly signed
- SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not.
Andrew Bartlett
(This used to be commit cea578d6f39a2ea4a24e7a0064c95193ab6f6df7)
|
|
Andrew Bartlett
(This used to be commit 893a9a3865d7046d8b1cb0418aaf48b88beefa05)
|
|
The session key in the client is wrong, we don't do signing/sealing
and we are sending raw Kerberos, not GSSAPI.
But it's a start, and if we continue to have to call Krb5 directly,
this will be the basis.
I also intend to provide an alternate implementation, using just
GSSAPI.
Andrew Bartlett
(This used to be commit eb0dd4a821dc3dbe370aea9a9c9fb05cf2592e4d)
|