| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Remove struct sss_krb5_cc_be and the remaining functions that reference
it as they are all unused now.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
So far we didn't send the PAC of IPA users to the PAC responder during
password authentication because group memberships for IPA users can be
retrieved efficiently with LDAP calls. Recently patches added PAC
support for the AD provider as well and removed the restriction for the
IPA users. This patch restores the original behaviour by introducing a
new flag in struct krb5_ctx which is only set for the IPA provider.
Additionally a different flag is renamed to make it's purpose more
clear.
Fixes https://fedorahosted.org/sssd/ticket/1995
|
|
krb5 1.11 adds support for a new method for responding to
structured data queries. This method, called the responder,
provides an alternative to the prompter interface.
This patch adds support for this method. It takes the password
and provides it via a responder instead of the prompter. In the
case of OTP authentication, it also disables the caching of
credentials (since the credentials are one-time only).
|
|
No functionality changes,
just make the code respect the tevent_req style and naming conventions
and enhance readability by adding some helper functions.
|
|
|
|
In general Kerberos is case sensitive but the KDC of Active Directory
typically handles request case in-sensitive. In the case where we guess
a user principal by combining the user name and the realm and are not
sure about the cases of the letters used in the user name we might get a
valid ticket from the AD KDC but are not able to access it with the
Kerberos client library because we assume a wrong case.
The client principal in the returned credentials will always have the
right cases. To be able to update the cache user principal name the
krb5_child will return the principal for further processing.
|
|
Add a flag if the principal used for authentication does not belong
to our realm. This can be used to act differently for users from other
realms.
|
|
To be able to add support for new credential cache types easily, this
patch creates a new structure sss_krb5_cc_be that defines common
operations with a credential cache, such as create, check if used or remove.
|
|
krb5-child-test will be another consumer. It also makes the code more
readable by splitting a huge function.
|
|
|
|
|
|
- do not recreate the ccache file when renewing the TGT
- use user principal name as hash key instead of ccfile name
- let krb5_child return Kerberos error codes
|
|
|
|
I took the opportunity to move everything related to the handling of the
krb5_child into a separate file and cleaned the interfaces and related
structures a bit.
|
|
|
|
|
|
Fixes: #531
|
|
|
|
The ccache file was removed too early if system is offline but the
backend was not already marked offline. Now we remove the ccache file
only if the successfully got a new one and it is not the same as the old
one.
|
|
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|
|
To allow other providers to include Kerberos authentication the main
part is put into a tevent request.
|
|
|
|
As with krb5_ccname_template sequences like %u can be used in the
krb5_ccachedir parameter which are expanded at runtime. If the directory
does not exist, it will be created. Depending on the used sequences it
is created as a public or private directory.
|
|
|
|
Also update BUILD.txt
|
