summaryrefslogtreecommitdiff
path: root/src/providers/krb5/krb5_child.c
AgeCommit message (Collapse)AuthorFilesLines
2012-11-19Disable canonicalization during password changesSumit Bose1-2/+43
If canonicalization is enabled Active Directory KDCs return 'krbtgt/AD.DOMAIN' as service name instead of the expected 'kadmin/changepw' which causes a 'KDC reply did not match expectations' error. Additionally the forwardable and proxiable flags are disabled, the renewable lifetime is set to 0 and the lifetime of the ticket is set to 5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405 and also done by the kpasswd utility. Fixes: https://fedorahosted.org/sssd/ticket/1405 https://fedorahosted.org/sssd/ticket/1615
2012-11-19Just use the service name with krb5_get_init_creds_password()Sumit Bose1-24/+2
Currently we add the realm name to change password principal but according to the MIT Kerberos docs and the upstream usage the realm name is just ignored. Dropping the realm name also does not lead to confusion if the change password request was received for a user of a trusted domain.
2012-11-12Only build extract_and_send_pac on platforms that support itJakub Hrozek1-104/+18
2012-10-29Include talloc log in our debug facilityMichal Zidek1-1/+1
https://fedorahosted.org/sssd/ticket/1495
2012-10-26krb5_child: send back the client principalSumit Bose1-5/+24
In general Kerberos is case sensitive but the KDC of Active Directory typically handles request case in-sensitive. In the case where we guess a user principal by combining the user name and the realm and are not sure about the cases of the letters used in the user name we might get a valid ticket from the AD KDC but are not able to access it with the Kerberos client library because we assume a wrong case. The client principal in the returned credentials will always have the right cases. To be able to update the cache user principal name the krb5_child will return the principal for further processing.
2012-10-26krb5_child: send PAC to PAC responderSumit Bose1-1/+139
If the authenticated user comes from a different realm the service ticket which was returned during the validation of the TGT is used to extract the PAC which is send to the pac responder for evaluation.
2012-10-26krb5_auth: send different_realm flag to krb5_childSumit Bose1-0/+4
The different_realm flag which was set by the responder is send to the krb5_child so that it can act differently on users from other realms. To avoid code duplication and inconsistent behaviour the krb5_child will not set the flag on its own but use the one from the provider.
2012-10-12Only call krb5_set_trace_callback on platforms that support itJakub Hrozek1-1/+1
2012-10-12Collect krb5 trace on high debug levelsJakub Hrozek1-1/+24
If the debug level contains SSSDBG_TRACE_ALL, then the logs would also include tracing information from libkrb5. https://fedorahosted.org/sssd/ticket/1539
2012-10-12Two fixes to child processesJakub Hrozek1-2/+0
There was an unused structure member in the krb5_child. Declaration of __krb5_error_msg was shadowing the same variable from sss_krb5.h which is not nice. Also we might actually use the error context directly instead of passing it as parameter.
2012-10-10Add more info about ticket validationOndrej Kos1-0/+8
https://fedorahosted.org/sssd/ticket/1499 Adds log message about not finding appropriate entry in keytab and using the last keytab entry when validation is enabled. Adds more information about validation into manpage.
2012-10-04Log possibly non-randomizable ccache file templateOndrej Kos1-1/+1
fixes https://fedorahosted.org/sssd/ticket/1533 ccache file template is now checked for appended XXXXXX for use with mkstemp. When those characters are not present, warning is written to log.
2012-09-20KRB5 child: handle more error codes gracefullyJakub Hrozek1-31/+26
This patch changes handling of krb5 child error codes so that it's on par with the 1.8 branch after Joschi Brauchle reviewed the 1.8 backport.
2012-09-20KRB5 child: Don't return System Error on empty passwordJakub Hrozek1-0/+4
https://fedorahosted.org/sssd/ticket/1310
2012-09-10KRB5: Return PAM_AUTH_ERR on incorrect passwordJakub Hrozek1-19/+32
https://fedorahosted.org/sssd/ticket/1515
2012-08-24Use new debug levels in validate_tgt()Sumit Bose1-13/+16
2012-08-24Fix fallback in validate_tgt()Sumit Bose1-8/+20
To validate a TGT a keytab entry from the client realm is preferred but if none ca be found the last entry should be used. But the entry was freed and zeroed before it could be used. This should also fix the trusted domain use case mentioned in https://fedorahosted.org/sssd/ticket/1396 although a different approach then suggested in the ticket is used.
2012-07-10Cast uid_t to unsigned long long in DEBUG messagesJakub Hrozek1-3/+3
2012-07-10Print based on pointer contents not addressJakub Hrozek1-1/+3
2012-07-09heimdal: use sss_krb5_princ_realm to access realmRambaldi1-4/+11
2012-07-06Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8Stef Walter1-21/+0
* This broke corner cases when used with default_tkt_types = des-cbc-crc and DES enabled on an AD domain. * This is fixed in kerberos instead, in a more correct way and in a way which we cannot replicate.
2012-07-06KRB5: Some logging enhancements for krb5_childStephen Gallagher1-6/+13
2012-06-15KRB5: Auto-detect DIR cache support in configureStephen Gallagher1-0/+8
We can't support the DIR cache features in systems with kerberos libraries older than 1.10. Make sure we don't build it on those systems.
2012-06-14Use Kerberos context in KRB5_DEBUGJakub Hrozek1-45/+40
Passing Kerberos context to sss_krb5_get_error_message will allow us to get better error messages.
2012-06-14Add support for storing credential caches in the DIR: back endJakub Hrozek1-30/+198
https://fedorahosted.org/sssd/ticket/974
2012-06-14Provide more debugging in krb5_child and ldap_childJakub Hrozek1-13/+65
https://fedorahosted.org/sssd/ticket/1225
2012-06-14Two small krb5_child fixesJakub Hrozek1-3/+10
* Allocation check was missing * a DEBUG statement overwrote errno
2012-05-31added DEBUG messages to krb5_child and ldap_childNick Guay1-3/+12
2012-05-07Limit krb5_get_init_creds_keytab() to etypes in keytabStef Walter1-0/+21
* Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375
2012-05-07Remove erroneous failure message in find_principal_in_keytabStef Walter1-1/+3
* When it's actually a failure, then the callers will print a message. Fine tune this.
2012-05-04If canon'ing principals, write ccache with updated default principalStef Walter1-2/+6
* When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518
2012-04-20Convert read and write operations to sss_atomic_readJakub Hrozek1-30/+21
https://fedorahosted.org/sssd/ticket/1209
2012-04-05Clean up log messages about keytab_nameStephen Gallagher1-2/+4
There were many places where we were printing (null) to the logs because a NULL keytab name tells libkrb5 to use its configured default instead of a particular path. This patch should clean up all uses of this to print "default" in the logs. https://fedorahosted.org/sssd/ticket/1288
2012-03-06krb5_child: set debugging soonerJakub Hrozek1-12/+18
2012-01-31KRB5: Add syslog messages for Kerberos failuresStephen Gallagher1-0/+1
https://fedorahosted.org/sssd/ticket/1137
2011-12-22Add compatibility layer for Heimdal Kerberos implementationStephen Gallagher1-4/+6
2011-12-19Securely set umask when using mkstempStephen Gallagher1-0/+3
Coverity 12394, 12395, 12396, 12397 and 12398
2011-12-19Move child_common routines to utilStephen Gallagher1-1/+1
2011-11-02Add support to request canonicalization on krb AS requestsJan Zeleny1-0/+15
https://fedorahosted.org/sssd/ticket/957
2011-09-28Multiline macro cleanupJakub Hrozek1-1/+1
This is mostly a cosmetic patch. The purpose of wrapping a multi-line macro in a do { } while(0) is to make the macro usable as a regular statement, not a compound statement. When the while(0) is terminated with a semicolon, the do { } while(0); block becomes a compound statement again.
2011-09-08DEBUG timestamps offer higher precisionPavel Březina1-0/+2
https://fedorahosted.org/sssd/ticket/956 Added: --debug-microseconds=0/1 Added: debug_microseconds to sssd.conf
2011-08-25New DEBUG facility - SSSDBG_UNRESOLVED changed from -1 to 0Pavel Březina1-1/+3
Removed: SSS_UNRESOLVED_DEBUG_LEVEL (completely replaced with SSSDBG_UNRESOLVED) Added new macro: CONVERT_AND_SET_DEBUG_LEVEL(new_value) Changes unresolved debug level value (SSSDBG_UNRESOLVED) from -1 to 0 so DEBUG macro could be reduced by one condition. Anyway, it has a minor effect, every time you want to load debug_level from command line parameters, you have to use following pattern: /* Set debug level to invalid value so we can deside if -d 0 was used. */ debug_level = SSSDBG_INVALID; pc = poptGetContext(argv[0], argc, argv, long_options, 0); while((opt = poptGetNextOpt(pc)) != -1) { ... } CONVERT_AND_SET_DEBUG_LEVEL(debug_level);
2011-08-25New DEBUG facility - conversionPavel Březina1-0/+2
https://fedorahosted.org/sssd/ticket/925 Conversion of the old debug_level format to the new one. (only where it was necessary) Removed: SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT)
2011-05-05Added some kerberos functions for building on RHEL5Jan Zeleny1-2/+2
2011-04-25Allow new option to specify principal for FASTJan Zeleny1-3/+42
https://fedorahosted.org/sssd/ticket/700
2011-04-25Extend and move function for finding principal in keytabJan Zeleny1-80/+2
The function now supports finding principal in keytab not only based on realm, but based on both realm and primary/instance parts. The function also supports * wildcard at the beginning or at the end of primary principal part. The function for finding principal has been moved to util/sss_krb5.c, so it can be used in other parts of the code.
2010-12-20Fixes for automatic ticket renewalSumit Bose1-2/+15
- do not recreate the ccache file when renewing the TGT - use user principal name as hash key instead of ccfile name - let krb5_child return Kerberos error codes
2010-12-08Fix build issue with older Kerberos librarySumit Bose1-2/+2
2010-12-07Add support for FAST in krb5 providerSumit Bose1-4/+309
2010-12-07Refactor krb5_child to make helpers more flexibleSumit Bose1-20/+36