sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-10 12:58:35 +03:00
Code
samba-mirror/source4/kdc/samba_kdc.h

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

78 lines
2.2 KiB
C
Raw Normal View History

s4:cleanups More trailing spaces and tabs
2009-12-23 15:17:16 -05:00
/*
s4:kdc Tidy up hdb_samba4 some more This removes the last use of the prefix hdb_ldb and makes it clear that we pass in 3 global variables to get state information into hdb_samba4 when used as a keytab. (And that they belong to hdb_samba4, not to the KDC) Andrew Bartlett
2009-07-27 13:48:45 +10:00
Unix SMB/CIFS implementation.
KDC structures
Copyright (C) Andrew Tridgell 2005
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
s4:kdc Use a clearer name for the samba kdc entry Renames hdb_samba4_private to samba_kdc_entry Streamlines members of the entry and the kdc db contextto avoid unnecessary duplication.
2010-01-28 00:19:59 -05:00
Copyright (C) Simo Sorce <idra@samba.org> 2010
s4:cleanups More trailing spaces and tabs
2009-12-23 15:17:16 -05:00
s4:kdc Tidy up hdb_samba4 some more This removes the last use of the prefix hdb_ldb and makes it clear that we pass in 3 global variables to get state information into hdb_samba4 when used as a keytab. (And that they belong to hdb_samba4, not to the KDC) Andrew Bartlett
2009-07-27 13:48:45 +10:00
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
s4:cleanups More trailing spaces and tabs
2009-12-23 15:17:16 -05:00
s4:kdc Tidy up hdb_samba4 some more This removes the last use of the prefix hdb_ldb and makes it clear that we pass in 3 global variables to get state information into hdb_samba4 when used as a keytab. (And that they belong to hdb_samba4, not to the KDC) Andrew Bartlett
2009-07-27 13:48:45 +10:00
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
s4:cleanups More trailing spaces and tabs
2009-12-23 15:17:16 -05:00
s4:kdc Tidy up hdb_samba4 some more This removes the last use of the prefix hdb_ldb and makes it clear that we pass in 3 global variables to get state information into hdb_samba4 when used as a keytab. (And that they belong to hdb_samba4, not to the KDC) Andrew Bartlett
2009-07-27 13:48:45 +10:00
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
source4/kdc: Fix prototypes for all functions.
2011-03-19 00:43:50 +01:00
#ifndef _SAMBA_KDC_H_
#define _SAMBA_KDC_H_
s4:kdc: Include missing headers Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-08 13:16:10 +12:00
#include "lib/replace/replace.h"
#include "system/time.h"
#include "libcli/util/ntstatus.h"
Move kdc_get_policy helper in the lsa server where it belongs. This was used in only 2 places, db-glue.c and the lsa server. In db-glue.c it is awkward though, as it forces to use an unconvenient lsa structure and conversions from time_t to nt_time only to have nt_times converted back to time_t for actual use. This is silly. Also the kdc-policy file was a single funciton library, that's just ridiculous. The loadparm helper is all we need to keep the values consistent, and if we ever end up doing something with group policies we will care about it when it's the time. the code would have to change quite a lot anyway. Autobuild-User: Simo Sorce <idra@samba.org> Autobuild-Date: Fri Apr 20 01:53:37 CEST 2012 on sn-devel-104
2012-04-19 17:54:57 -04:00
struct samba_kdc_policy {
time_t svc_tkt_lifetime;
time_t usr_tkt_lifetime;
time_t renewal_lifetime;
};
s4:kdc Use better db context structure This allows to use a common structure not tied to hdb_samba4 Also allows to avoid many casts within hdb_samba4 functions This is the first step to abstract samba kdc databse functions so they can be used by the MIT forthcoming plugin.
2010-01-28 00:08:36 -05:00
struct samba_kdc_base_context {
s4:kdc Push context to hdb_samba4 by way of the 'name' of the DB This overloads the 'name' part of the keytab name to supply a context pointer, and so avoids 3 global variables! To do this, we had to stop putting the entry for kpasswd into the secrets.ldb. (I don't consider this a big loss, and any entry left there by an upgrade will be harmless). Andrew Bartlett
2009-07-27 16:09:25 +10:00
struct tevent_context *ev_ctx;
struct loadparm_context *lp_ctx;
heimdal: Pass extra information to hdb_auth_status() to log success and failures We now pass on the original client name and the client address to allow consistent audit logging in Samba across multiple protocols. We use config->db[0] to find the first database to record incorrect users. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-02-21 14:07:54 +13:00
struct imessaging_context *msg_ctx;
s4:kdc Push context to hdb_samba4 by way of the 'name' of the DB This overloads the 'name' part of the keytab name to supply a context pointer, and so avoids 3 global variables! To do this, we had to stop putting the entry for kpasswd into the secrets.ldb. (I don't consider this a big loss, and any entry left there by an upgrade will be harmless). Andrew Bartlett
2009-07-27 16:09:25 +10:00
};
s4:kdc Use better db context structure This allows to use a common structure not tied to hdb_samba4 Also allows to avoid many casts within hdb_samba4 functions This is the first step to abstract samba kdc databse functions so they can be used by the MIT forthcoming plugin.
2010-01-28 00:08:36 -05:00
struct samba_kdc_seq;
struct samba_kdc_db_context {
struct tevent_context *ev_ctx;
struct loadparm_context *lp_ctx;
heimdal: Pass extra information to hdb_auth_status() to log success and failures We now pass on the original client name and the client address to allow consistent audit logging in Samba across multiple protocols. We use config->db[0] to find the first database to record incorrect users. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-02-21 14:07:54 +13:00
struct imessaging_context *msg_ctx;
s4:kdc Use better db context structure This allows to use a common structure not tied to hdb_samba4 Also allows to avoid many casts within hdb_samba4 functions This is the first step to abstract samba kdc databse functions so they can be used by the MIT forthcoming plugin.
2010-01-28 00:08:36 -05:00
struct ldb_context *samdb;
s4:kdc move db functions in their own file Keep all heimdal related plugin code within hdb_samba4.c Move interfaces needed by multiple plugins in db-glue.c Move sequence context in main db context so that we do not depend on db->hdb_dbc in the common code. Remove unnecessary paremeters from function prototypes
2010-01-28 01:27:11 -05:00
struct samba_kdc_seq *seq_ctx;
s4-kdc Add common setup, handle RODC setup case This means we just set up the system_session etc in one place and don't diverge between the MIT and Heimdal plugins. We also now determine if we are an RODC and store some details that we will need later. Andrew Bartlett
2010-09-28 13:05:37 +10:00
bool rodc;
unsigned int my_krbtgt_number;
struct ldb_dn *krbtgt_dn;
Move kdc_get_policy helper in the lsa server where it belongs. This was used in only 2 places, db-glue.c and the lsa server. In db-glue.c it is awkward though, as it forces to use an unconvenient lsa structure and conversions from time_t to nt_time only to have nt_times converted back to time_t for actual use. This is silly. Also the kdc-policy file was a single funciton library, that's just ridiculous. The loadparm helper is all we need to keep the values consistent, and if we ever end up doing something with group policies we will care about it when it's the time. the code would have to change quite a lot anyway. Autobuild-User: Simo Sorce <idra@samba.org> Autobuild-Date: Fri Apr 20 01:53:37 CEST 2012 on sn-devel-104
2012-04-19 17:54:57 -04:00
struct samba_kdc_policy policy;
s4:kdc Use better db context structure This allows to use a common structure not tied to hdb_samba4 Also allows to avoid many casts within hdb_samba4 functions This is the first step to abstract samba kdc databse functions so they can be used by the MIT forthcoming plugin.
2010-01-28 00:08:36 -05:00
};
s4:kdc Use a clearer name for the samba kdc entry Renames hdb_samba4_private to samba_kdc_entry Streamlines members of the entry and the kdc db contextto avoid unnecessary duplication.
2010-01-28 00:19:59 -05:00
struct samba_kdc_entry {
struct samba_kdc_db_context *kdc_db_ctx;
s4:kdc: let samba_kdc_entry take references to sdb_entry and kdc_entry kdc_entry can be hdb_entry or krb5_db_entry. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-22 17:04:22 +01:00
const struct sdb_entry *db_entry; /* this is only temporary valid */
const void *kdc_entry; /* this is a reference to hdb_entry/krb5_db_entry */
s4:kdc Tidy up hdb_samba4 some more This removes the last use of the prefix hdb_ldb and makes it clear that we pass in 3 global variables to get state information into hdb_samba4 when used as a keytab. (And that they belong to hdb_samba4, not to the KDC) Andrew Bartlett
2009-07-27 13:48:45 +10:00
struct ldb_message *msg;
struct ldb_dn *realm_dn;
s4:kdc: Add function to get user_info_dc from database The resulting user_info_dc is kept in the 'samba_kdc_entry' structure, so it can be reused between calls. This allows us to simplify samba_kdc_get_pac_blobs(), as it no longer need to return a user_info_dc structure. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-18 11:13:40 +13:00
struct auth_user_info_dc *user_info_dc;
s4:kdc: Look up authentication policies for Kerberos clients and servers Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-04 15:06:40 +12:00
const struct authn_kerberos_client_policy *client_policy;
const struct authn_server_policy *server_policy;
s4:kdc: remember is_krbtgt, is_rodc and is_trust samba_kdc_entry This can later be used for sid filtering and similar things. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-01 11:44:21 +01:00
bool is_krbtgt;
bool is_rodc;
bool is_trust;
s4:kdc: Set supported enctypes in KDC entry This allows us to return the supported enctypes to the client as PA-SUPPORTED-ENCTYPES padata. NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-24 16:59:12 +13:00
uint32_t supported_enctypes;
s4:kdc: tunnel the check_client_access status to hdb_samba4_audit() Otherwise useful information gets lost while converting from NTSTATUS to krb5_error and back to NTSTATUS again. E.g. NT_STATUS_ACCOUNT_DISABLED would be audited as NT_STATUS_ACCOUNT_LOCKED_OUT. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-16 09:21:03 +01:00
NTSTATUS reject_status;
s4:kdc Tidy up hdb_samba4 some more This removes the last use of the prefix hdb_ldb and makes it clear that we pass in 3 global variables to get state information into hdb_samba4 when used as a keytab. (And that they belong to hdb_samba4, not to the KDC) Andrew Bartlett
2009-07-27 13:48:45 +10:00
};
source4/kdc: Fix prototypes for all functions.
2011-03-19 00:43:50 +01:00
s4-kdc: Add hdb plugin for samba4, to allow kadmin to work This will help users who are used to the kadmin interface, and could be extended to import existing MIT or Heimdal keys into a Samba4 AD domain. To use, add to your krb5.conf [kdc] database = { dbname = samba4: } or [kdc] database = { dbname = samba4:/usr/local/samba/etc/smb.conf } And copy hdb_samba4.so from PREFIX/modules/hdb to your Heimdal lib directory Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Nov 30 03:22:11 CET 2011 on sn-devel-104
2011-11-30 07:45:25 +11:00
extern struct hdb_method hdb_samba4_interface;
CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less This matches the behaviour of Windows. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
2022-05-24 17:53:49 +12:00
#define CHANGEPW_LIFETIME 60*2 /* 2 minutes */
source4/kdc: Fix prototypes for all functions.
2011-03-19 00:43:50 +01:00
#endif /* _SAMBA_KDC_H_ */
Copy Permalink