This allows us to run the PKINIT tests only against the main DC (for
which the certificates were generated), while testing the available
encryption types in each functional level.
In particular, we need to assert that AES encryption is available in
the 2008 functional level.
Andrew Bartlett
|
|
syntax
|
|
metze
|
|
This allows the integration of external tools that can't be linked
into C or python, but need to authenticate as the local machine
account.
The machineaccountccache script demonstrates this, and debugging has
been improved in cli_credentials_set_secrets() by passing back an
error string.
Andrew Bartlett
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This reverts commit d4389a230b6aea5a0b2a98e255b14a59c8248b0b.
This revert changed the behaviour which I didn't expect. Thanks to abartlet for
pointing this out!
|
|
The "enableaccount" script works only on local LDB anymore - therefore remove
this parameter.
|
|
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ. (This was a TODO in
the Heimdal KDC)
The testsuite is extended to test this behaviour, and the other PKINIT
certificate (using the standard method to specify a principal name in a
certificate) is updated to use an Administrator (not administrator).
(This fixes the kinit test).
Andrew Bartlett
|
|
The previous code only allowed a KRB5_NT_ENTERPRISE name (an e-mail
list user principal name) in an AS-REQ. Evidence from the wild
(Win2k8 reportedly) indicates that this is instead valid for all
types of requests.
While this is now handled in heimdal/kdc/misc.c, a flag is now defined
in Heimdal's hdb so that we can take over this handling in future (once we start
using a system Heimdal, and if we find out there is more to be done
here).
Andrew Bartlett
|
|
The purpose of this test is to ensure that the Kerberos credentials
cache is valid. If the username and password are specified, this
overrides the very thing we are trying to test.
Andrew Bartlett
|
|
metze
|
|
This uses kpasswd operated as a blackbox, assisted by the newly
imported rkpty tool.
Andrew Bartlett
|
|
metze
|
|
(This used to be commit 58f956dc4591137489cba16f360f2d24d91dadc1)
|
|
(This used to be commit 49367e044e3ab94639ab3209bfd06c6286b44b59)
|
|
Andrew Bartlett
(This used to be commit 695cee0349f561625e4bbfa3a142a5e35f7eb4bf)
|
|
This fixes up the python credentials interface in a number of areas,
with the aim of supporting '-k yes' as a command line option. (This
enables the use of kerberos).
As such, I've had to change the get_credentials call to take a
loadparm context, so that the credentials can be initialised
correctly.
The test_kinit script has been modified to prove that this continues
to work, as well as to provide greater code coverage of the kerberos
paths.
Andrew Bartlett
(This used to be commit 727ef40c2b56910028ef3c1092b8eab1bfa6ce63)
|
|
(This used to be commit 16382999bebf158996e16219e7053ef4821550c1)
|
|
(This used to be commit 8616bfa0ae5762ae45b8339c84b8e4ae499f5897)
|
|
Andrew Bartlett
(This used to be commit 4fab53432a3599cf62a7ebef977bc33ef5a5f734)
|
|
consistently report errors. (Some were being lost due to the "echo
foo | cmd" calling convention).
Andrew Bartlett
(This used to be commit d0a994d0ce7b1d4a33bbca5348c2da868401971f)
|
|
(This used to be commit b0cbf169366e3624f4d8c2b1a65e478e72734871)
|
|
Andrew Bartlett
(This used to be commit 7f27bfc3568bc09b2b9cb9ba03aae55a03e08f9a)
|