IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The MIT KDC has a fallback to a consistent time per fetch call, and
both implementations then follow the time in each 'struct
samba_kdc_entry'.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This will allow us to specify whether to specify this flag for a keytab
export.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We need to allow a samdb to be passed from the python to support
using a specific DB or remote server for gMSA passwords.
The gMSA passwords will not use this code, but we need to be
consistant.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
It’s only ever equal to SAMBA_CLAIMS_VALID_INCLUDE.
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We have the duplicated shallow copy in each caller so that the caller is
clear on what memory can be changed.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
The latter function behaves identically, except that it makes a shallow
copy of the returned structure, thus avoiding lifetime issues.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We want to call this function from more places. But some potential
callers, found in db-glue.c, have only a partially‐initialized
‘samba_kdc_entry’ structure, without the crucial ‘msg’ member. These
callers need to be able to pass in the ldb message as a separate
parameter.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
samba_kdc_get_user_info_dc() does too much. It should be responsible
only for getting account information, not for adding extra SIDs.
By extracting the call to samba_kdc_add_asserted_identity() into the
former function’s callers, we’ll be able to remove the
‘asserted_identity’ parameter in the next commit, reducing the
function’s complexity.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
samba_kdc_get_user_info_dc() does too much. It should be responsible
only for getting account information, not for adding extra SIDs.
By extracting the call to samba_kdc_add_claims_valid() into the former
function’s callers, we’ll be able to remove the ‘claims_valid’ parameter
in the next commit, reducing the function’s complexity.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If we pass an empty string as the ‘whoami’ parameter, MIT’s logging
facilities will prepend a mysterious colon to the message. Printing
“mitkdc: ” ought at least to be more sensible, and perhaps more closely
to match our behaviour prior to commit
dd8138236b.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This function is a near‐duplicate of smb_krb5_principal_is_tgs().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
smb_krb5_make_data() sets the magic field, which we were previously
ignoring. We should also not set krb5_data::length if krb5_data::data is
NULL.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This flag was set in commit 461dc44e74,
but only in mit_samba_reget_pac(); it was not set in the newer function,
mit_samba_update_pac(), used with MIT Kerberos 1.20 and above.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The oldest version we now support is 1.21. For every supported version
we can be certain that KRB5_KDB_API_VERSION >= 10 and
KRB5_KDB_DAL_MAJOR_VERSION >= 9.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
IMO, this code is easier to read if the reader can tell at a glance what
the values of these enumerations are, rather than having to think about
where the values come from.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug 3 15:25:01 UTC 2023 on atb-devel-224
This is so that we can have them point to ‘null_data’ if we so choose.
We can’t assign the result of data_blob_talloc() to a const pointer, so
we go through an intermediary non-const pointer for the
device_claims_blob case.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
For now we only pass in the krbtgt that verified the client pac
and optionally the krbtgt that verified the device pac.
These can be different depending on the domain of the related
principals.
If we want to apply SID filtering in future we may also need
to pass in the krbtgt that verified the delegated_proxy_pac,
but that needs more research and if not required for the
following changes.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
For a constrained delegation request, we need to pass ‘delegated_proxy’
(and the delegated proxy PAC, if one was provided) into
samba_kdc_update_pac() so that we can verify that the delegating server
is allowed to authenticate to the target server.
The ‘const’ is entirely unnecessary in a function declaration, but we
add it just to be consistent.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is more consistent with the non-NULL parameters, and makes it
easier to swap in the real values when we get them.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
KRB5_PADATA_PW_SALT is wrong. It’s an unrelated constant that just
happens to share the same value.
Heimdal uses the correct constant, kERB_ERR_TYPE_EXTENDED.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Just copying the structure fields is prone to lead to use-after-frees if
we access them after the original structure and its fields are freed.
Instead, call authsam_shallow_copy_user_info_dc() to make the copy. This
properly references the fields in the original structure so that they
will not be freed until we are sure we have finished with them.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We now create a client claims blob and add it to the PAC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is to adapt to the changed Heimdal KDC plugin API.
When we add support for device claims, we want to be able to verify the
PAC of the armor ticket without modifying or updating it. Previously, we
couldn't do this as the two operations were tightly intertwined. Now the
parts that only perform verification are split out into a new function,
samba_kdc_verify_pac().
NOTE: This commit finally works again!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Instead of having one large function that returns every PAC blob, we now
have a more manageable assortment of smaller functions that each return
one blob.
That gives us more fine-grained handling of PAC blobs, with callers now
able to procure only the specific blobs that they need.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
samba_kdc_get_pac_blobs() passes a pointer to a user_info_dc structure
obtained from samba_kdc_get_user_info_from_db() into
samba_add_asserted_identity(). The latter function modifies the SIDs of
the user_info_dc structure in order to add the Asserted Identity SID,
but samba_kdc_get_user_info_from_db() actually caches that structure
internally, meaning that subsequent calls will return the modified
structure.
We should not modify cached SIDs, so have
samba_kdc_get_user_info_from_db() return a pointer to constant data, and
copy the returned array of SIDs before adding the Asserted Identity SID.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These will be used later when we add support for compound
authentication.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>