IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This ensures that before the KDC starts to process the entry
we check if it is expired and rotate it. As an account with
UF_SMARTCARD_REQUIRED simply can not expire unless
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set and
the Domain Functional Level is >= 2016 we do not need
to do configuration checks here.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Pair-programmed-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This ensures that this code will still be usable by other libraries and
subsystems if Samba is built with ‘--without-ad-dc’.
We also drop dependencies on ‘ldb’ and ‘talloc’ that we shouldn’t have
needed anyway.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 18 01:58:24 UTC 2023 on atb-devel-224
These functions are not yet used.
They are arranged into two libraries: ‘authn_policy’, containing the
core functions, and ‘authn_policy_util’, containing utility functions
that can access the database. This separation is so that libraries
depended upon by ‘samdb’ or ‘dsdb-module’ can use the core functions
without introducing a dependency cycle.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pac-glue.c has become rather large, and can do without these PAC
blob–handling functions.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We now create a client claims blob and add it to the PAC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
get_claims_for_principal() is a new function that creates a claims blob
for a principal based on attributes in the database.
It's not hooked into the KDC yet, so this entails no change in
behaviour.
Constructed claims and certificate claims are not supported yet.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The resulting user_info_dc is kept in the 'samba_kdc_entry' structure,
so it can be reused between calls.
This allows us to simplify samba_kdc_get_pac_blobs(), as it no longer
need to return a user_info_dc structure.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is to adapt to:
commit 6530021f09a5cab631be19a1b5898a0ba6b32f16
Author: Luke Howard <lukeh@padl.com>
Date: Thu Jan 13 14:37:29 2022 +1100
kdc: move auth event definitions into KDC header
Move KDC auth event macro definitions out of hdb.h and into a new KDC header,
kdc-audit.h.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This makes it clearer that we always want to do heimdal changes
via the lorikeet-heimdal repository.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
For libtommath we do this by using the list from makefile.commo
in in libtommath rather than trying to match the list by hand.
This will be easier to maintain over the long term.
Thanks to work over many years by:
- Gary Lockyer <gary@catalyst.net.nz>
- Stefan Metzmacher <metze@samba.org>
- Andrew Bartlett <abartlet@samba.org>
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This include was being set on too many subsystems, including some MIT-related.
This was a problem because it would then trigger the mixing of MIT and Heimdal
krb5.h files. It is now only set on the plugins and services that use the
embedded Heimdal KDC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
gssrpc/xdr.h:105:1: error: function declaration isn’t a prototype
[-Werror=strict-prototypes]
105 | typedef bool_t (*xdrproc_t)();
| ^~~~~~~
This can't be fixed, as the protoype is variadic. It can take up to three
arguments.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This means that a RWDC will be collecting the badPwdCount to ensure
domain wide lockout.
TODO The parameters should be better constructed.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
When you have an RODC, this will force the fetch of secrets if not found here
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This starts the krb5kdc binary shipped with MIT Kerberos.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Add a human readable authentication log line, to allow
verification that all required details are being passed.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
These files should not be executable.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144
This function is intended to be be passed to kdc_add_socket(). The
function kpasswd_handle_request() which is called by kpasswd_process()
is Kerberos implementation specific and should be implemented in a
kpasswd-service-<kerberos flavour>.c file.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Create an Kerberos implmentation independent KDC-SERVER subsystem so we
can use it to implement a kpasswd server with MIT Kerberos in future.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Jun 19 03:31:32 CEST 2016 on sn-devel-144
This minimalistic version of ktutil dumps all principal names and
encryption types from a keytab, eg:
./bin/samba4ktutil test.keytab
ktpassuser@HILLHOUSE.SITE (arcfour-hmac-md5)
ktpassuser@HILLHOUSE.SITE (aes256-cts-hmac-sha1-96)
ktpassuser@HILLHOUSE.SITE (aes128-cts-hmac-sha1-96)
ktpassuser@HILLHOUSE.SITE (des-cbc-md5)
ktpassuser@HILLHOUSE.SITE (des-cbc-crc)
This is all we need to run some tests against keytabs exported with
`samba-tool domain exportkeytab`.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug 5 04:08:30 CEST 2015 on sn-devel-104
Guenther
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 30 13:29:27 CEST 2015 on sn-devel-104
This can then be easier shared with MIT's kadmin services for kpasswd services.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
This subsystem should be used to provide shared code between the s4 heimdal kdc
and the s4 heimdal wdc plugin.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>