IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
We do need the gsskrb5_get_initiator_subkey() routine. But we should
ensure that we do always get a valid key, to prevent any segfaults.
Without this code, we get a different session key compared with
Win2k3, and so kerberised smb signing fails.
Andrew Bartlett
same session key. I need to understand this more, but it works
samba/samba, and I don't have access to windows doing AES (longhorn)
yet.
Andrew Bartlett
gsskrb5_get_initiator_subkey() routine is bougs. We can indeed use
gss_krb5_get_subkey().
This is fortunate, as there was a segfault bug in 'initiator' version.
Andrew Bartlett
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
change this checksum, as it is inside the encrypted packets.
Where the client (such as Samba3) fakes up GSSAPI, allow it to
continue. We can't rid the world of all Samba3 and similar clients...
Andrew Bartlett
DCE_STYLE modified version, and add parametric options to control
delegation.
It turns out the only remaining issue is sending delegated credentials
to a windows server, probably due to the bug lha mentions in his blog
(using the wrong key).
If I turn delgation on in smbclient, but off in smbd, I can proxy a
cifs session.
I can't wait till Heimdal 0.8, so I'll see if I can figure out the fix
myself :-)
Andrew Bartlett
of the gsskrb5_acquire_cred hack.
Add support for delegated credentials into the auth and credentials
subsystem, and specifically into gensec_gssapi.
Add the CIFS NTVFS handler as a consumer of delegated credentials,
when no user/domain/password is specified.
Andrew Bartlett
ideas I have had.
When I get a full list of things I want to do to a krb5_context I'll
either add gsskrb5_ wrappers, or a way of speicfying the krb5 context
per gssapi context.
(I want to ensure that the only krb5_context variables created while
executing Samba4 are via our wrapper).
Andrew Bartlett
data to be signed/sealed. We can use this to split the data from the
signature portion of the resultant wrapped packet.
This required merging the gsskrb5_wrap_size patch from
lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no
longer use a static 45 byte value).
This fixes one of the krb5 issues in my list.
Andrew Bartlett
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
