IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This is a regression introduced in commit
8dd37327b0.
Now we change 'realm' before calling
ret = krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
as before commit 8dd37327b0.
Without this we'd set entry_ex->entry.principal to
krbtgt/DOMA.EXAMPLE.COM@DOMA.EXAMPLE.COM instead
of krbtgt/DOMA.EXAMPLE.COM@DOMB.EXAMPLE.COM,
while we use krbtgt/DOMA.EXAMPLE.COM@DOMB.EXAMPLE.COM as
salt for the keys.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Mar 18 18:56:51 CET 2015 on sn-devel-104
This is now handled properly by samba_kdc_lookup_server() and this wrapper actually
breaks things.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This also reverts 51b94ab3fd as our
testing shows Windows 2012R2 does not have this behaviour.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This needs to vary depending on if the client requested the canonicalize flag
This was found by our new krb5.kdc test
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
If we are set to canonicalize, we get back the fixed UPPER
case realm, and the real username (ie matching LDAP
samAccountName)
Otherwise, if we are set to enterprise, we
get back the whole principal as-sent
Finally, if we are not set to canonicalize, we get back the
fixed UPPER case realm, but the as-sent username
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Based on a patch by Samuel Cabrero <scabrero@zentyal.com>
This ensures we write the correct (implict, samAccountName) based UPN into
the ticket, rather than the userPrincipalName, which will have a different
realm.
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
This avoids writing invalid memory, because num_keys was calculated
in a wrong way...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
We have a look at "msDS-SupportedEncryptionTypes" and >= DS_DOMAIN_FUNCTION_2008
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec 19 15:39:40 CET 2014 on sn-devel-104
This new helper function will also be used by pdb_samba_dsdb.
Change-Id: I008af94a0822012c211cfcc6108a8b1285f4d7c7
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I27280d7dd139c6c65dddac611dbdcd7e518ee536
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This only changes the log output, the same error is still returned
Change-Id: Id3c13e9373140c276783e5bd288f29de2bf4a45d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
In samba_kdc_firstkey() routine, krb5_get_default_realm() allocates
memory for "realm" but never used afterwards. Free() the leaked memory.
CID: 1107223
Signed-off-by: Santosh Kumar Pradhan <spradhan@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This was used in only 2 places, db-glue.c and the lsa server.
In db-glue.c it is awkward though, as it forces to use an unconvenient lsa
structure and conversions from time_t to nt_time only to have nt_times
converted back to time_t for actual use. This is silly.
Also the kdc-policy file was a single funciton library, that's just ridiculous.
The loadparm helper is all we need to keep the values consistent, and if we
ever end up doing something with group policies we will care about it when it's
the time. the code would have to change quite a lot anyway.
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Fri Apr 20 01:53:37 CEST 2012 on sn-devel-104
kerberos_enctype_to_bitmap is not used anywhere else, so just move it there and
make it static, one less dependency to worry about.
Signed-off-by: Andreas Schneider <asn@samba.org>
This sorts out the correct handling for the 'kvno=255'
problem. Windows will use the previous trust password for 1 hour after
a password set, and indicates that the previous password is being used
by sending current_kvno-1. That maps to 255 if the trust password has
not actually been changed, so the initial trust password is being
used.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
the kdc should not be looking for users in GC partial replicas, as
these users do not have all of the attributes needed for the KDC to
operate
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
windows sometimes sends us a kvno of 255 for inter-domain trusts. We
don't yet know why it does this, but it seems that we need to treat
this as an unspecified kvno
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
the kdc doesn't want to find users who are in partialReplica
partitions, as they won't have the needed secret info for the kdc to
operate. We need to generate referrals instead
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
the exact value doesn't matter, as both Samba and windows check
against the latest password, but the old default of -1 caused ASN.1
parsing errors on windows, which prevented it answering TGS requests
thanks to Hongwei Sun for finding this from a ttt trace
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
