path: root/src/util/sss_krb5.c
Age | Commit message | Author | Files | Lines
2013-04-22 | Allow usage of enterprise principals | Sumit Bose | 1 | -0/+19
Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chosen, e.g. are not related to any existing DNS domain. This makes it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if he thinks a different KDC can handle the request or return an error. This feature is also used to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842
2013-02-11 | krb5: include backwards compatible declaration of krb5_trace_info | Jakub Hrozek | 1 | -1/+7
krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11 includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info". Do the same in the SSSD to allow compiling with both 1.10 and 1.11.
2013-01-07 | Search for SHORTNAME$@REALM instead of fqdn$@REALM by default | Jakub Hrozek | 1 | -3/+35
The search was intended for the AD provider mostly, but keytabs coming from AD via samba don't contain fqdn$@REALM but rather uppercased SHORTNAME$@REALM https://fedorahosted.org/sssd/ticket/1740
2012-12-18 | select_principal_from_keytab() do wildcard lookups after specific ones | Sumit Bose | 1 | -3/+3
Currently the wildcard lookup '*$' is done before the one for host/our.hostname@REALM. This means we would ignore a more specific match in favour of an unspecific match with a principal which is only used in an AD environment. I think this is wrong and wildcards should only be used if all specific lookups fail.
2012-12-18 | select_principal_from_keytab() look for plain input as well | Sumit Bose | 1 | -2/+6
Currently in select_principal_from_keytab() all kinds of different versions of the host principal are looked up in the keytab except for the plain name from the ldap_sasl_authid option. With this patch the plain name is looked up first.
2012-11-12 | Only build extract_and_send_pac on platforms that support it | Jakub Hrozek | 1 | -0/+111
2012-10-26 | Add replacement for krb5_find_authdata() | Sumit Bose | 1 | -0/+14
krb5_find_authdata() is only available in MIT Kerberos 1.10 or higher. To allow sssd to be compiled on platforms with a lower version of MIT Kerberos a replacement call is added. Please note that on those platforms the replacement call will only return an error. If the krb5_find_authdata functionality is really needed on those platforms it must be implemented by a different patch.
2012-10-12 | Only call krb5_set_trace_callback on platforms that support it | Jakub Hrozek | 1 | -1/+16
2012-10-12 | Collect krb5 trace on high debug levels | Jakub Hrozek | 1 | -0/+12
If the debug level contains SSSDBG_TRACE_ALL, then the logs would also include tracing information from libkrb5. https://fedorahosted.org/sssd/ticket/1539
2012-10-02 | remove left over principal selection | Pavel Březina | 1 | -102/+0
https://fedorahosted.org/sssd/ticket/1303 Domain startup was taking too long when there are many principals in a kerberos keytab. We were looking up in the keytab two times. The first time we try to select a proper principal and remember it. The second call happens almost right after the first one and it is just a check if the principal exists in the keytab, without any output information other than success/failure. It is probably a leftover from https://fedorahosted.org/sssd/ticket/781. This patch removes the second call.
2012-07-09 | Check for errors from krb5_unparse_name | Stephen Gallagher | 1 | -1/+8
Coverity #12781
2012-07-06 | Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8 | Stef Walter | 1 | -143/+0
* This broke corner cases when used with default_tkt_types = des-cbc-crc and DES enabled on an AD domain.
* This is fixed in kerberos instead, in a more correct way and in a way which we cannot replicate.
2012-06-15 | KRB5: Auto-detect DIR cache support in configure | Stephen Gallagher | 1 | -2/+10
We can't support the DIR cache features in systems with kerberos libraries older than 1.10. Make sure we don't build it on those systems.
2012-06-14 | Add support for storing credential caches in the DIR: back end | Jakub Hrozek | 1 | -19/+2
https://fedorahosted.org/sssd/ticket/974
2012-06-14 | Residual util functions | Jakub Hrozek | 1 | -0/+86
Kerberos credential caches can be specified by TYPE:RESIDUAL. This patch adds a couple of utilities to support parsing of ccache locations, checking types etc.
2012-05-22 | KRB5: Avoid NULL-dereference with empty keytab | Stephen Gallagher | 1 | -7/+13
https://fedorahosted.org/sssd/ticket/1330
2012-05-07 | Limit krb5_get_init_creds_keytab() to etypes in keytab | Stef Walter | 1 | -0/+137
* Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab().
* This fixes the problem where the server offers an enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375
2012-05-07 | Remove erroneous failure message in find_principal_in_keytab | Stef Walter | 1 | -1/+1
* When it's actually a failure, then the callers will print a message. Fine tune this.
2012-04-05 | Clean up log messages about keytab_name | Stephen Gallagher | 1 | -11/+19
There were many places where we were printing (null) to the logs because a NULL keytab name tells libkrb5 to use its configured default instead of a particular path. This patch should clean up all uses of this to print "default" in the logs. https://fedorahosted.org/sssd/ticket/1288
2012-03-29 | Fix off-by-one error in principal selection | Jakub Hrozek | 1 | -3/+3
https://fedorahosted.org/sssd/ticket/1269
2012-03-26 | Always initialize the returned data in sss_krb5_princ_realm() | Sumit Bose | 1 | -0/+3
2012-01-17 | Raise the debug level of two very noisy statements | Stephen Gallagher | 1 | -2/+3
2011-12-22 | Add compatibility layer for Heimdal Kerberos implementation | Stephen Gallagher | 1 | -12/+58
2011-11-02 | Add wrapper for krb5_get_init_creds_opt_set_canonicalize | Jan Zeleny | 1 | -0/+10
2011-05-16 | Fixed uninitialized pointer in select_principal_from_keytab | Jan Zeleny | 1 | -1/+1
https://fedorahosted.org/sssd/ticket/857
2011-05-16 | Fixed uninitialized return value in match_principal | Jan Zeleny | 1 | -2/+1
https://fedorahosted.org/sssd/ticket/858
2011-05-05 | Added some kerberos functions for building on RHEL5 | Jan Zeleny | 1 | -5/+178
2011-04-25 | Modify principal selection for keytab authentication | Jan Zeleny | 1 | -2/+172
Currently we construct the principal as host/fqdn@REALM. The problem with this is that this principal doesn't have to be in the keytab. In that case the provider fails to start. It is better to scan the keytab and find the most suitable principal to use. Only in case no suitable principal is found should the backend fail to start. The second issue solved by this patch is that the realm we are authenticating the machine to can be in general different from the realm our users are part of (in case of cross Kerberos trust). The patch adds the new configuration option SDAP_SASL_REALM. https://fedorahosted.org/sssd/ticket/781
2011-04-25 | Extend and move function for finding principal in keytab | Jan Zeleny | 1 | -0/+155
The function now supports finding a principal in the keytab not only based on realm, but based on both realm and primary/instance parts. The function also supports a * wildcard at the beginning or at the end of the primary principal part. The function for finding the principal has been moved to util/sss_krb5.c, so it can be used in other parts of the code.
2010-12-17 | Fix unchecked return value in sss_krb5_verify_keytab_ex | Stephen Gallagher | 1 | -1/+8
https://fedorahosted.org/sssd/ticket/711
2010-12-07 | Add support for FAST in krb5 provider | Sumit Bose | 1 | -0/+48
2010-11-18 | Add missing error code | Sumit Bose | 1 | -0/+1
2010-09-23 | Use new MIT krb5 API for better password expiration warnings | Sumit Bose | 1 | -1/+14
2010-08-03 | Validate keytab at startup | Jakub Hrozek | 1 | -0/+153
In addition to validating the keytab every time a TGT is requested, we also validate the keytab on back end startup to give early warning that the keytab is not usable. Fixes: #556
2010-02-18 | Rename server/ directory to src/ | Stephen Gallagher | 1 | -0/+196
Also update BUILD.txt