From 9c6b7f2d62e134a4bc15efc04e05be25e4a53dc7 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 1 Dec 2005 05:20:39 +0000
Subject: r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY keytab, so we now create a FILE based keytab as provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
---
 source4/heimdal/kdc/kerberos5.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
(limited to 'source4/heimdal/kdc')
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 565c7478f9..6f6203a92c 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -33,7 +33,7 @@
 #include "kdc_locl.h"
-RCSID("$Id: kerberos5.c,v 1.177 2005/06/15 11:34:53 lha Exp $");
+RCSID("$Id: kerberos5.c,v 1.198 2005/11/28 20:33:57 lha Exp $");
 #define MAX_TIME ((time_t)((1U << 31) - 1))
@@ -666,8 +666,7 @@ _kdc_check_flags(krb5_context context,
 starttime_str, sizeof(starttime_str), TRUE);
 kdc_log(context, config, 0,
 "Client not yet valid until %s -- %s",
- starttime_str,
- client_name);
+ starttime_str, client_name);
 return KRB5KDC_ERR_CLIENT_NOTYET;
 }
@@ -676,7 +675,8 @@ _kdc_check_flags(krb5_context context,
 krb5_format_time(context, *client->valid_end,
 endtime_str, sizeof(endtime_str), TRUE);
 kdc_log(context, config, 0,
- "Client expired at %s -- %s", endtime_str, client_name);
+ "Client expired at %s -- %s",
+ endtime_str, client_name);
 return KRB5KDC_ERR_NAME_EXP;
 }
@@ -686,7 +686,8 @@ _kdc_check_flags(krb5_context context,
 krb5_format_time(context, *client->pw_end,
 pwend_str, sizeof(pwend_str), TRUE);
 kdc_log(context, config, 0,
- "Client's key has expired at %s -- %s", pwend_str, client_name);
+ "Client's key has expired at %s -- %s",
+ pwend_str, client_name);
 return KRB5KDC_ERR_KEY_EXPIRED;
 }
 }
@@ -717,7 +718,8 @@ _kdc_check_flags(krb5_context context,
 krb5_format_time(context, *server->valid_start,
 starttime_str, sizeof(starttime_str), TRUE);
 kdc_log(context, config, 0,
- "Server not yet valid until %s -- %s", server_name);
+ "Server not yet valid until %s -- %s",
+ starttime_str, server_name);
 return KRB5KDC_ERR_SERVICE_NOTYET;
 }
@@ -1099,11 +1101,12 @@ _kdc_as_rep(krb5_context context,
 pa->padata_value.data = NULL;
 #endif
- /* RFC4120 requires:
- - If the client only knows about old enctypes, then send both info replies
- (we send 'info' first in the list).
- - If the client is 'modern', because it knows about 'new' enc types, then
- only send the 'info2' reply.
+ /*
+ * RFC4120 requires:
+ * - If the client only knows about old enctypes, then send
+ * both info replies (we send 'info' first in the list).
+ * - If the client is 'modern', because it knows about 'new'
+ * enctype types, then only send the 'info2' reply.
 */
 /* XXX check ret */
 if (only_older_enctype_p(req))
-- cgit
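Review bot: The corrected call in the `-717,7` hunk shows that a `"%s -- %s"` format with only `server_name` as its argument compiled silently, which suggests the `kdc_log` prototype does not carry a printf-style format attribute (its declaration in kdc_locl.h is outside this hunk, so I cannot confirm). If it does not, adding `__attribute__((format(printf, 4, 5)))` to the `kdc_log` declaration would let `-Wformat` catch the same mistake at the other `kdc_log` sites in `_kdc_check_flags` and beyond; every visible call passes the format as the fourth argument with the values following it. Reading a variadic argument that was never passed is undefined behaviour, and what ends up in the "Server not yet valid" log line is then uncontrolled, so closing this class of bug at compile time is worth more than the one-site fix. `_kdc_check_flags` begins and ends outside the hunk.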
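Review bot: In the rewrapped comment of the `-1099,11` hunk, the new line `* enctype types, then only send the 'info2' reply.` reads as a typo introduced by the rewrap: the old text said "'new' enc types", and "enctype" already means encryption type, so `* enctypes, then only send the 'info2' reply.` is the wording that was meant. The `/* XXX check ret */` context line just below marks a return value this code path still does not check; that predates the commit, but the rewrite of the surrounding comment was a natural moment to either resolve it or note why it is acceptable. `_kdc_as_rep` starts and ends outside the hunk.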