1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

265 Commits

Author SHA1 Message Date
Andrew Bartlett
2d9bcc861d s4:heimdal: import lorikeet-heimdal-201101310455 (commit aa88eb1a05c4985cc23fb65fc1bad75bdce01c1f) 2011-02-02 15:19:03 +11:00
Jelmer Vernooij
2f75b53e80 heimdal_build: Add version-script for heimdal_base, hx509 and hcrypto. Convert hbase and hcrypto to libraries. 2010-12-18 00:47:06 +01:00
Jelmer Vernooij
c4a887538d heimdal_build: Add version-script for krb5.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Fri Dec 17 21:09:25 CET 2010 on sn-devel-104
2010-12-17 21:09:25 +01:00
Jelmer Vernooij
6dc807703d heimdal_build: Add version-script for gssapi. 2010-12-17 20:08:11 +01:00
Jelmer Vernooij
02ff0852e8 heimdal_build: Add version-script for asn1. 2010-12-17 20:06:15 +01:00
Jelmer Vernooij
555d334cf7 heimdal_build: Add version-script for hdb. 2010-12-17 20:01:21 +01:00
Jelmer Vernooij
2ded4668ea heimdal_build: Add version-script for kdc. 2010-12-17 20:00:58 +01:00
Jelmer Vernooij
55192fb3a8 heimdal_build: Add version-script for wind. 2010-12-17 19:55:54 +01:00
Jelmer Vernooij
de8133e3bb heimdal_build: Add version-script for ntlm. 2010-12-17 19:54:09 +01:00
Jelmer Vernooij
b4875d4dba heimdal: Add version script file for hcrypto (unused so far, as hcrypto still needs to be made a proper library). 2010-12-17 19:52:42 +01:00
Jelmer Vernooij
d4cc0d4f47 heimdal_build: Add version-script for roken. 2010-12-17 19:51:37 +01:00
Jelmer Vernooij
dd102a2c4a heimdal_build: Add version-script for com_err. 2010-12-17 19:50:52 +01:00
Matthieu Patou
533ba5a919 heimdal: unset SLIST_ENTRY only if we are with windows
This is needed because otherwise on some OS like netbsd,openbsd,MacOSX.

The preprossessing of ./heimdal/lib/gssapi/mech/cred.h on this plateform
is broken because mechqueue.h's definition won't be used as SLIST_HEAD
is already defined.
The definition occurs when net/if.h is included as it includes
sys/queue.h

Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Sat Dec 11 00:34:51 CET 2010 on sn-devel-104
2010-12-11 00:34:51 +01:00
Andrew Bartlett
c5bea98ddb s4:heimdal: import lorikeet-heimdal-201012010201 (commit 81fe27bcc0148d410ca4617f8759b9df1a5e935c) 2010-12-01 17:00:47 +11:00
Andrew Tridgell
47e8cbe3d6 heimdal: fix for w2000 from lha
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Dec  1 00:59:59 CET 2010 on sn-devel-104
2010-12-01 00:59:59 +01:00
Matthias Dieter Wallnöfer
c4625a84de heimdal:base/heimbase.c - remove an unused variable 2010-11-29 14:14:02 +01:00
Andrew Tridgell
e7dad42bc6 heimdal: added HEIM_BASE_NON_ATOMIC option
This allows heimdal to build without gcc, by not using atomic
operations. We don't need heimdal to be atomic in Samba.
2010-11-17 23:55:39 +11:00
Andrew Tridgell
0cf7189d4a s4-heimdal: implement KERB_AP_ERR_TYPE_SKEW_RECOVERY
this e_data field in a kerberos error packet tells windows to do clock
skew recovery.

See [MS-KILE] 2.2.1 KERB-ERROR-DATA

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-17 23:55:39 +11:00
Andrew Bartlett
4908237403 heimdal Build ticket with the canonical server name
We need to use the name that the HDB entry returned, otherwise we
will not canonicalise the reply as requested.

Andrew Bartlett
2010-11-16 15:30:13 +11:00
Andrew Bartlett
4041640bd6 heimdal Fetch the client before the PAC check, but after obtaining krbtgt_out
By checking the client principal here, we compare the realm based on
the normalised realm, but do so early enough to validate the PAC (and
regenerate it if required).

Andrew Bartlett
2010-11-15 23:17:05 +00:00
Matthias Dieter Wallnöfer
329f76c410 s4:heimdal - fix the return code of a non-void function
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Nov 15 23:14:57 UTC 2010 on sn-devel-104
2010-11-15 23:14:57 +00:00
Andrew Bartlett
1e29ee3a70 heimdal Fix handling of backwards cross-realm detection for Samba4
Samba4 may modify the case of the realm in a returned entry, but will no longer modify the case of the prinicipal components.

The easy way to keep this test passing is to consider also what we
need to do to get the krbtgt account for the PAC signing - and to use
krbtgt/<this>/@REALM component to fetch the real krbtgt, and to use
that resutl for realm comparion.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Nov 15 08:47:44 UTC 2010 on sn-devel-104
2010-11-15 08:47:44 +00:00
Andrew Bartlett
6a27fbbfc4 heimdal Extra files required for merge up to current heimdal 2010-11-15 01:25:06 +00:00
Andrew Bartlett
192a555c9a heimdal regenate lex and yacc files 2010-11-15 01:25:06 +00:00
Andrew Bartlett
f20cf61080 Add attribute macros for Heimdal to use
Heimdal uses HEIMDAL_NORETURN_ATTRIBUTE and HEIMDAL_PRINTF_ATTRIBUTE,
and we need to provide a link between these and Samba's function
attribute handling.

Andrew Bartlett
2010-11-15 01:25:06 +00:00
Andrew Bartlett
1342185e33 s4:heimdal: import lorikeet-heimdal-201011102149 (commit 5734d03c20e104c8f45533d07f2a2cbbd3224f29) 2010-11-15 01:25:06 +00:00
Andrew Bartlett
aa1c32ccb0 heimdal Return HDB_ERR_NOT_FOUND_HERE to the caller
This means that no reply packet should be generated, but that instead
the user of the libkdc API should forward the packet to a real KDC,
that has a full database.

Andrew Bartlett
2010-11-12 18:18:55 +11:00
Andrew Bartlett
ba127f9849 heimdal Don't dereference NULL in error verify_checksum error path
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Nov 11 10:37:03 UTC 2010 on sn-devel-104
2010-11-11 10:37:03 +00:00
Andrew Tridgell
eee27427d2 heimdal: fixed a shadowed variable warning for error_message
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-08 23:23:07 +00:00
Andrew Bartlett
cb3d6c407e heimdal Add clock-skew handling to DCE-style GSSAPI
The clock skew handling was previously only on properly wrapped
GSSAPI, and was skipped for DCE-style.  This allows the ASN.1 errors
from the krb5_rd_req to suggest parsing as a kerberos error packet.

Andrew Bartlett

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Mon Nov  8 07:58:09 UTC 2010 on sn-devel-104
2010-11-08 07:58:09 +00:00
Andrew Bartlett
18732b1a4b heimdal Add handling for PAC signatures over all encryption types
There are exceptions from the expected behaviour of 'checksum type
matches key type' that we must deal with here, or else we can't serve
DES-only servers.

Andrew Bartlett
2010-11-02 22:00:46 +11:00
Jelmer Vernooij
3deece5591 s4: Remove the old perl/m4/make/mk-based build system.
The new waf-based build system now has all the same functionality, and
the old build system has been broken for quite some time.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
2010-10-31 02:01:44 +00:00
Andrew Tridgell
b2a565488e s4-heimdal: lex_err_message() should not be static 2010-10-30 23:49:02 +11:00
Andrew Tridgell
4bd7814a4e s4-heimdal: fixed the use of error_message() in heimdal
the lex code in heimdal had a function error_message() which conflicts
with a function from the com_err library. This replaces it with
lex_err_message()

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-30 23:48:59 +11:00
Andrew Bartlett
f213a97ea0 Add new files for sha512 support 2010-10-03 01:15:04 +00:00
Andrew Bartlett
21460dfc14 s4:heimdal: import lorikeet-heimdal-201010022046 (commit 1bea031b9404b14114b0272ecbe56e60c567af5c) 2010-10-03 01:15:04 +00:00
Matthieu Patou
ab6e3fce04 s4:heimdal: import lorikeet-heimdal-201009250123 (commit 42cabfb5b683dbcb97d583c397b897507689e382)
I based this on Matthieu's import of lorikeet-heimdal, and then
updated it to this commit.

Andrew Bartlett
2010-10-03 01:15:04 +00:00
Andrew Bartlett
a68f4476f7 heimdal use returned server entry from HDB to compare realms
Some hdb modules (samba4) may change the case of the realm in
a returned result.  Use that to determine if it matches the krbtgt
realm also returned from the DB (the DB will return it in the 'right' case)

Andrew Bartlett
2010-10-02 09:11:37 +10:00
Andrew Bartlett
4c57095bb7 heimdal: added verbose logging of hemimdal crypto errors 2010-09-30 20:13:34 -07:00
Andrew Tridgell
04e3e27fd1 heimdal: fixed timegm UTC/GMT bug
This was a wonderful bug!

On some Fedora systems, but not on Ubuntu, there is a difference
between UTC and GMT. Heimdal replaced timegm() with _der_timegm()
which did not account for that difference (which is 24 seconds at the
moment). This led to a mutual authentication failure.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-28 19:25:51 -07:00
Andrew Bartlett
f84bdf91d8 heimdal Use a seperate krb5_auth_context for the delegated credentials
If we re-use this context, we overwrite the timestamp while talking
to the KDC and fail the mutual authentiation with the target server.

Andrew Bartlett
2010-09-28 19:25:50 -07:00
Andrew Bartlett
4be2696644 heimdal Fix DNS name qualification to not mangle IP addresses
If the host running this code used IPv6 forms for IPv4 addreses
then the check for '.' would not be sufficient to determine that this
isn't a name we should mangle.  Instead, check if it can be parsed
as a numeric address first, and only then mangle.

Andrew Bartlett
2010-09-29 04:23:07 +10:00
Andrew Bartlett
9d33929d76 heimdal Add an error code for use in the RODC
In this case, the whole request packet should be forwarded to
a real KDC, with full secrets, as we don't have the password.

This could also be used to implement 'play dead when the LDAP
server is down'.

Andrew Bartlett
2010-09-29 04:23:07 +10:00
Andrew Bartlett
9b5e304cce heimdal Add support for extracting a particular KVNO from the database
This should allow master key rollover.

(but the real reason is to allow multiple krbtgt accounts, as used by
Active Directory to implement RODC support)

Andrew Bartlett
2010-09-29 04:23:07 +10:00
Andrew Tridgell
43d0c2e9ea heimdal: avoid DNS search domain expansion
When you have a domain search list in resolv.conf, and one of the DNS
servers for a searched domain is uncontactable then we would timeout
resolving DNS names.

Avoid this by adding a '.' to the hostname if the hostname already has
a '.' in it, which we assume to mean it is fully qualified.
2010-09-27 23:18:23 +00:00
Karolin Seeger
1cad4304bf s4-heimdal: Fix typo in comment.
Karolin
2010-06-01 09:35:53 +02:00
Stefan Metzmacher
5797b9a913 s4:heimdal: remove unused heimdal/lib/hcrypto/evp-cc.c
metze
2010-05-11 18:11:05 +02:00
Karolin Seeger
55838a8c02 s4-heimdal: Fix typo in comment.
Karolin
2010-04-13 20:09:13 +02:00
Andrew Bartlett
c8cb17a18c s4:heimdal Create a new PAC when impersonating a user with S4U2Self
If we don't do this, the PAC is given for the machine accout, not the
account being impersonated.

Andrew Bartlett
2010-04-10 21:40:59 +10:00
Andrew Bartlett
1d59abc724 s4:heimdal Add hooks to check with the DB before we allow s4u2self
This allows us to resolve multiple forms of a name, allowing for
example machine$@REALM to get an S4U2Self ticket for
host/machine@REALM.

Andrew Bartlett
2010-04-10 21:40:58 +10:00