1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

662 Commits

Author SHA1 Message Date
Andreas Schneider
5ab88ddbb9 s4-kdc: Remove unused etypes from sdb structure
Signed-off-by: Andreas Schneider <asn@samba.org>
eviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Sep 26 06:08:09 CEST 2016 on sn-devel-144
2016-09-26 06:08:09 +02:00
Andreas Schneider
b9f9936551 s4-sdb: Generate etypes list out of keys list
This etypes list is Heimdal specific. It doesn't make sense to allocate
and fill it in db-glue.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2016-09-26 02:25:07 +02:00
Andreas Schneider
47f10584d7 s4-kdc: Sort encrytion keys in descending order of strength
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2016-09-26 02:25:07 +02:00
Andreas Schneider
8267ec209a s4-kdc: Do not leak memory on error in kpasswd_make_error_reply()
CID 1372874

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Sep 13 22:13:31 CEST 2016 on sn-devel-144
2016-09-13 22:13:31 +02:00
Jeremy Allison
b3cf15e530 s4-kdc: Remove obsolete kpasswdd heimdal implementation
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-09-13 00:19:26 +02:00
Andreas Schneider
510e504a5b s4-kdc: Switch to the new kpasswd service implementation
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-13 00:19:26 +02:00
Andreas Schneider
7e4c996bb1 s4-kdc: Add new kpasswd service Heimdal backend
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-13 00:19:25 +02:00
Andreas Schneider
69749b6130 s4-kdc: Add a new kpasswd service implementation
This function is intended to be be passed to kdc_add_socket(). The
function kpasswd_handle_request() which is called by kpasswd_process()
is Kerberos implementation specific and should be implemented in a
kpasswd-service-<kerberos flavour>.c file.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-13 00:19:25 +02:00
Andreas Schneider
7fed514735 s4-kdc: Allow to set the keytab_name in the kdc_server structure
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-13 00:19:24 +02:00
Andreas Schneider
b61ca170ff s4-kdc: Add a kpasswd_samdb_set_password() helper function
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-13 00:19:24 +02:00
Andreas Schneider
dd8553b54b s4-kdc: Move kpasswd_make_pwchange_reply() to a helper file
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Sep 11 06:45:00 CEST 2016 on sn-devel-144
2016-09-11 06:44:59 +02:00
Andreas Schneider
f9de99ce9b s4-kdc: Move kpasswd_make_error_reply() to a helper file
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-11 02:58:22 +02:00
Andreas Schneider
2f36e6d3ec krb5_wrap: Fix smb_krb5_mk_error() with MIT Kerberos
The server principal is required, so if not set create an obscure one.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-11 02:58:22 +02:00
Andreas Schneider
81da37eb90 krb5_wrap: Rename smb_krb5_open_keytab_relative()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:15 +02:00
Andreas Schneider
d1de425385 krb5_wrap: Rename smb_get_enctype_from_kt_entry()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:15 +02:00
Andreas Schneider
41172e2755 krb5_wrap: Rename krb5_copy_data_contents()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:13 +02:00
Andreas Schneider
e8632e2af5 krb5_wrap: Rename kerberos_free_data_contents()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:13 +02:00
Andreas Schneider
1fe94a659e s4-kdc: pac-glue: Add support for MIT pkinit
This only makes sure the code compiles again. I'm not able to test this
yet.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-30 11:34:14 +02:00
Andreas Schneider
4f51484b40 mit_samba: Add missing copyright
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-30 11:34:14 +02:00
Andreas Schneider
5ac9de30f0 mit_samba: Add missing argument passed to authsam_make_user_info_dc()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-30 11:34:14 +02:00
Stefan Metzmacher
54d32c262b s4:kdc: provide a PAC_UPN_DNS_INFO element for logons
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:22 +02:00
Stefan Metzmacher
af4dc22314 s4:kdc: provide a PAC_CREDENTIAL_INFO element for PKINIT logons
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:21 +02:00
Stefan Metzmacher
c2b7bac379 s4:kdc: correctly update the PAC in samba_wdc_reget_pac()
We need to keep unknown PAC elements and just copy them.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:21 +02:00
Stefan Metzmacher
6762d6b591 s4:kdc: hook into heimdal's windc.pac_pk_generate hook
This allows PAC_CRENDENTIAL_INFO to be added to the PAC
when using PKINIT. In that case PAC_CRENDENTIAL_INFO contains
an encrypted PAC_CRENDENTIAL_DATA.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:21 +02:00
Stefan Metzmacher
1be64cb660 s4:kdc: ignore empty supplementalCredentialsBlob structures
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-07-20 21:27:17 +02:00
Stefan Metzmacher
6257003dff s4:auth: fill user_principal_* and dns_domain_name in authsam_make_user_info_dc()
This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
8ac4218690 s4:kdc: don't allow interactive password logons with UF_SMARTCARD_REQUIRED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
a5efb21a53 s4:kdc: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()
The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Stefan Metzmacher
92141c6b03 s4:kdc: add some const to samba_get_logon_info_pac_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Andreas Schneider
3de3f643a8 s4-kdc: Move KDC packet handling functions to kdc-server.c
Create an Kerberos implmentation independent KDC-SERVER subsystem so we
can use it to implement a kpasswd server with MIT Kerberos in future.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Jun 19 03:31:32 CEST 2016 on sn-devel-144
2016-06-19 03:31:32 +02:00
Andreas Schneider
3da8932e4c s4-kdc: Create a kdc-proxy.h header file
This makes the it Kerberos implmentation independent.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-18 23:32:27 +02:00
Andreas Schneider
379ed08754 s4-kdc: Rename proxy-heimdal.c to kdc-proxy.c
The plan is to have a KDC-SERVER subsystem later.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-18 23:32:26 +02:00
Andreas Schneider
dc350a349a s4-kdc: Move KDC socket structs to krb5-server.h
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-18 23:32:26 +02:00
Andreas Schneider
f110662310 s4-kdc: Move kdc_process_fn_t declaration to kdc-server.h
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-18 23:32:26 +02:00
Andreas Schneider
13661b6fb0 s4-kdc: Move definitions to kdc-server.h
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-18 23:32:26 +02:00
Andreas Schneider
cafd2d365a s4-kdc: Use better and simpler names for the kdc_process_ret enum
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-18 23:32:26 +02:00
Andreas Schneider
0314796113 s4-kdc: Put the heimdal kdc config into a private data pointer
This allows us to make the struct general useable.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-18 23:32:26 +02:00
Andreas Schneider
5ddfe5ecd3 s4-kdc: Use smb_krb5_mk_error() in kpasswd implementation
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-18 23:32:26 +02:00
Andreas Schneider
c5a02e81ea s4-kdc: Use smb_krb5_mk_error() in kdc implemenation
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-18 23:32:26 +02:00
Andreas Schneider
de88bfc770 s4-kdc: Rename heimdal KDC files
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-18 23:32:26 +02:00
Andreas Schneider
4aab5ba2ce mit_samba: Allow to use SPNs for AS-REQ
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Jun  2 16:35:35 CEST 2016 on sn-devel-144
2016-06-02 16:35:35 +02:00
Andreas Schneider
8267b2e186 mit_samba: Fix flags that we get a referral tickets
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-06-02 12:48:13 +02:00
Andreas Schneider
7019103bab mit_samba: Return 0 in case of a wrong realm
The MIT KDC will deal with this correctly for us.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-06-02 12:48:13 +02:00
Andreas Schneider
7a1fd661b0 sdb: Do not create kmod information if we return early
In case of a wrong realm in a cross forest trust we return early with
just the realm corrected. We need to parse a kdb entry but do not have
all information available. So skip creating the kmod.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-06-02 12:48:13 +02:00
Andreas Schneider
00267c9565 sdb: Fix NULL pointer deference if we return early
If we return because of a wrong realm in a cross forest trust case, we
do not have a skdc_entry allocated.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-06-02 12:48:13 +02:00
Andreas Schneider
3d6e18f210 kdb: Do not allocate memory with size 0
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-06-02 12:48:13 +02:00
Andreas Schneider
84c4b91fc6 sdb: Do not set disallow if we do not have ticket info in the DB
These things are applied by the incoming ticket by the KDC.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-06-02 12:48:13 +02:00
Ralph Boehme
3116e8d3be s4: add a minimal ktutil for selftest
This minimalistic version of ktutil dumps all principal names and
encryption types from a keytab, eg:

./bin/samba4ktutil test.keytab
ktpassuser@HILLHOUSE.SITE (arcfour-hmac-md5)
ktpassuser@HILLHOUSE.SITE (aes256-cts-hmac-sha1-96)
ktpassuser@HILLHOUSE.SITE (aes128-cts-hmac-sha1-96)
ktpassuser@HILLHOUSE.SITE (des-cbc-md5)
ktpassuser@HILLHOUSE.SITE (des-cbc-crc)

This is all we need to run some tests against keytabs exported with
`samba-tool domain exportkeytab`.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-04-25 10:35:14 +02:00
Andreas Schneider
abfa8e335c mit-kdb: Add missing SDB_F_FOR_AS_REQ for AS requests
This correctly handles enterprise principals and ticket renewal.

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 17 07:57:49 CET 2016 on sn-devel-144
2016-03-17 07:57:49 +01:00
Andreas Schneider
859c625c82 mit-kdb: Fix segfault in krb5kdc dereferencing an invalid pointer
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:29 +01:00